----- "Benjamin Kite" <benjamin.k...@greenpeace.org> wrote:
> On Mon, Oct 4, 2010 at 4:47 PM, Mohamed Lrhazi <lrh...@gmail.com> wrote:
> > I was wondering how easy/hard is it for a hacker to control my hosts
> > by impersonating puppetmaster, say by poisoning DNS to point
> > puppet.dom.ain to their own server?
> > Are there reasons why that would not work?
>
> The SSL layer and its key exchange mechanism should handle that.

If your machines are just set up to talk to 'puppet' this generally is fine unless your machines are also mobile. If your laptop shows up on a hostile network and you get DHCP from it, your hostname might change; puppet will make a new certificate signing request and send it to 'puppet'. If the hostile network has an auto-signing master you might run into trouble there.

On more traditional static hosts it should be fine as long as he can't convince your puppetd to make new cert requests - usually only through changing hostnames, so be wary if you use some shared hosting provider and have DHCP not under your control.

--
R.I.Pienaar
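As an added illustration of the failure mode described in the reply (not code from the thread or from Puppet), the check below lints an agent's puppet.conf for the two settings whose absence lets a DHCP-controlled network steer the agent: an unpinned `certname` (identity follows the hostname, so a hostname change triggers a new CSR) and an unqualified `server` name. `certname` and `server` are real puppet.conf settings; the sample configurations are constructed.

```python
"""Lint a puppet agent's puppet.conf for hostname-follows-DHCP exposure.

Example code added to this thread; the two sample configs are constructed.
"""
import configparser
import io

# Constructed sample: a mobile agent with nothing pinned.
WEAK_CONF = """
[main]
server = puppet

[agent]
report = true
"""

# Constructed sample: identity and master pinned to fully-qualified names.
HARDENED_CONF = """
[main]
server = puppet.example.com
certname = laptop01.example.com

[agent]
report = true
"""


def lint_agent_conf(text: str) -> list[str]:
    """Return findings for the agent config; an empty list means pinned."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))

    def setting(key: str):
        # In puppet.conf the [agent] section overrides [main].
        for section in ("agent", "main"):
            if cp.has_option(section, key):
                return cp.get(section, key).strip()
        return None

    findings = []
    if setting("certname") is None:
        findings.append("certname not pinned: identity follows the hostname, so a "
                        "DHCP-assigned hostname would trigger a new CSR")
    server = setting("server")
    if server is None or "." not in server:
        findings.append("server unset or unqualified: resolution depends on the "
                        "search domain handed out by the local network")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_agent_conf(conf) or ["ok"])
```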