This is correct.

A simple way around this is to set up a single-use ssh key that only
runs the puppetd -t command (or whatever equivalent you like).

I personally prefer to run puppetd out of cron so that it doesn't take
up any resources unless it needs to run.

Trevor

On 12/23/2010 07:52 PM, Patrick wrote:
> 
> On Dec 23, 2010, at 10:48 AM, Douglas Garstang wrote:
> 
>> On Wed, Dec 22, 2010 at 8:33 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:
>>
>>> On Wed, Dec 22, 2010 at 4:24 PM, Douglas Garstang <doug.garst...@gmail.com> wrote:
>>>
>>>> On Wed, Dec 22, 2010 at 2:30 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:
>>>>
>>>>> On Wed, Dec 22, 2010 at 11:30 AM, Douglas Garstang <doug.garst...@gmail.com> wrote:
>>>>>
>>>>>> We're currently going through a PCI audit process, and an internal scan by
>>>>>> an auditor of our network came up with the following advisory on port 8139
>>>>>> on all of our puppet servers.
>>>>>> Resolution: Disable weak and medium ciphers in the http.conf or ssl.conf
>>>>>> configuration files:
>>>>>> SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
>>>>>> Obviously, it's a canned response assuming that a web server is listening on
>>>>>> that port. Is there any way to disable the 'weak and medium ciphers' on the
>>>>>> default webrick server?
>>>>>
>>>>> We actually had a feature request in about this recently that shouldn't be
>>>>> too hard to find if you do a search. More people caring about this will lead
>>>>> us to prioritize it more, however...
>>>>>
>>>>> You really should move away from Webrick for production for several reasons,
>>>>> including this one. It's not suggested for production use.
>>>>>
>>>>> If you move to Mongrel or Passenger with Apache, our two most common
>>>>> deployment methods, you can fully specify the strong ciphers.
>>>>
>>>> Nigel,
>>>> Well, I can go back and give Passenger another shot, but I didn't pursue it
>>>> originally because I wasn't able to get the perfect combination of ruby, rack
>>>> etc etc to make it work. It involves a lot of magic voodoo. Passenger is also
>>>> installed from ruby gems which, as an ops person, makes my skin crawl.
>>>> Also... I'm not sure if I understand this issue correctly, but the client
>>>> itself runs the WEBrick server, correct? What is this for? Is this to allow
>>>> puppetrun to be run from the server? If that's the case, I would also have to
>>>> move every client to Passenger or Mongrel as well. I'm not sure about Mongrel,
>>>> but that means a rather complicated update on the clients, given Passenger's
>>>> voodoo install magic.
>>>
>>> That's actually a good point.
>>>
>>> Are you running the puppet agent in daemon mode or scheduled out of cron?
>>
>> I'm running the puppet agent as a daemon.
>>
>> But... I'm still not quite following what has to happen on the clients. Are
>> we saying that I have to replace the webrick server on the clients with
>> Passenger? That's a pretty heavy-handed approach. This means that all the
>> clients have to be running Apache.....
> 
> My understanding is that the client doesn't even use Webrick unless you
> use "listen=true".
> 
> -- 
> You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> To post to this group, send email to puppet-us...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.

-- 
Trevor Vaughan
 Vice President, Onyx Point, Inc.
 email: tvaug...@onyxpoint.com
 phone: 410-541-ONYX (6699)
 pgp: 0x6C701E94

-- This account not approved for unencrypted sensitive information --
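A concrete form of the single-use key Trevor describes, as an added example that is not from the thread: a forced-command wrapper referenced from authorized_keys that accepts only `puppetd -t` and refuses anything else, plus the cron alternative as a comment. The install path /usr/local/sbin/puppet-kick, the puppetd location, the 30-minute cron cadence and the logger tag are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Forced-command wrapper for a single-use
# ssh key that may only trigger a puppet agent run. Assumed install path on
# each agent: /usr/local/sbin/puppet-kick. Reference it from authorized_keys:
#
#   command="/usr/local/sbin/puppet-kick",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...(constructed key) kick@puppetmaster
#
# Then, from the master:  ssh root@agent puppetd -t
# Any other command sent over that key is logged and refused, so the agent
# needs neither listen=true nor an open port 8139.
#
# The cron alternative Trevor mentions, instead of the daemon (assumed cadence):
#   */30 * * * * /usr/sbin/puppetd --onetime --no-daemonize --splay

PUPPETD="${PUPPETD:-/usr/sbin/puppetd}"   # assumed location of the agent binary

# puppet_kick_allowed CMD: returns 0 only for the exact permitted run command.
# An empty CMD (plain "ssh agent" with no command) is mapped to the same run.
# Matching is exact, so "puppetd -t; id" or extra options fall through to the
# reject branch rather than being passed to a shell.
puppet_kick_allowed() {
    case "$1" in
        ""|"puppetd -t"|"puppetd --test") return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point used by sshd: SSH_ORIGINAL_COMMAND carries what the client asked.
puppet_kick() {
    if puppet_kick_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        exec "$PUPPETD" -t
    fi
    logger -t puppet-kick \
        "refused '${SSH_ORIGINAL_COMMAND:-}' from ${SSH_CLIENT:-unknown}"
    echo "only 'puppetd -t' is permitted with this key" >&2
    exit 1
}

# Act as the forced command only when installed under the assumed name, so the
# functions above can also be sourced or tested without starting a puppet run.
case "${0##*/}" in
    puppet-kick) puppet_kick ;;
esac
```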