:) This is most definitely a hack. The issue is that once you start using 
Puppet to push out secure data that HostA might need, but HostB should never be 
able to get, you run into this problem. If HostB is broken into and its 'node 
type' is changed (whether by hostname, or by editing a custom Puppet fact), it can 
suddenly get data for HostA. 

I am actually thinking that the 'Subject Alternative Name' may be the best 
place for this kind of data, but I'm wondering whether there's any place in 
Puppet where I can implement a hack that allows Puppet to parse through these 
fields and determine if they're valid. I.e., perhaps in auth.conf? Or maybe 
there's a way to use a 'prerun' command in puppet.conf that I can feed the 
client's certificate to? Any thoughts there?

—Matt

On Apr 26, 2011, at 2:54 AM, Jeff McCune wrote:

> On Tue, Apr 26, 2011 at 4:10 AM, Matt Wise <w...@wiredgeek.net> wrote:
>> I'm working out some security issues here and wanted to throw something out 
>> there... I'll be digging in tonight to see whether something like this is 
>> possible, so I'd appreciate feedback quickly if anyone happens to know if 
>> this is possible. Imagine a scenario where our individual hosts actually 
>> tell the puppet server which 'config' they want. This is our environment, 
>> and it's not changeable. (The short explanation: it's done this way because 
>> we provision nodes in several clouds where hostnames are not known until 
>> after a host has booted). For now, our nodes actually check in and say "I 
>> want XYZ class".
>> 
>> I'd like to have our nodes able to do this ONCE ... only when they generate 
>> their CSR. After that, I'd like their 'base_class' to be embedded in the CSR 
>> (And subsequently the CERT), so that a client cannot later change its mind 
>> about what kind of host it is. Essentially I'm thinking the process would be 
>> something like this:
>> 
>> Client:
>>  -) fill in 'base_class' somewhere (puppet.conf?)
>>  -) run puppet... host generates private key, and csr, and submits it to the 
>> puppet ca master
>> 
>> Server:
>>  -) process signs CSR and provides Cert back to host (this is automated in 
>> our case, but not with autosign.conf)
>> 
>> Client:
>>  -) begin actual puppet run... request real configuration
>> 
>> Server:
>>  -) read 'base_class' from certificate, and fill in $base_class with that 
>> data.
>> 
>> 
>> Thoughts? Any ideas on a good way to work this out?
> 
> 
> This feels like quite a hack, but I agree with you there's no really
> good way for Puppet to do this today.  The agent can set the
> environment (puppet environment) it wants, but that doesn't really
> give you what you want.
> 
> I would normally accomplish this using a custom fact, but you
> mentioned this is security related so I see the desire to get the base
> class embedded into the certificate data.  Practically speaking, the
> certificate cannot be forged once signed.
> 
> You can easily change the certificate name in the request using:
> 
> puppet agent --certname=my_base_class
> 
> But! You're going to run into duplicate certificate names, which will
> be a pain to manage.  Better instead, you could prefix each
> certificate name with the FQDN, or some other unique identifier and a
> character not valid for DNS hostnames:
> 
> puppet agent --certname="$(facter fqdn)::my_base_class"
> 
> You can then match against this in your puppet manifests or your
> External Node Classifier by splitting out the string to the right of
> the double colons.
> 
> Hope this helps,
> -- 
> Jeff McCune
> Professional Services, Puppet Labs
> @0xEFF
> 

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

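An added example (not code from Matt or Jeff, and not part of Puppet itself) showing how an external node classifier could apply Jeff's "fqdn::base_class" certname scheme. It splits the certname, validates both halves, checks the class against an assumed allowlist, and can also read the same name back out of the CN of a signed certificate, so the classification rests on what the CA signed rather than on a fact or hostname the agent can change later. The allowlist, the class names, the parameter names and the self-signed test certificate helper are all assumptions made for the example.

```ruby
#!/usr/bin/env ruby
# Example ENC for the "host.example.com::base_class" certname scheme from the
# thread. Added example; not Puppet's code and not posted by anyone in the thread.
require 'yaml'
require 'openssl'

# Assumed allowlist: only these classes may be requested via the certname.
ALLOWED_BASE_CLASSES = %w[webserver dbserver bastion].freeze

# Split "host.example.com::webserver" into [fqdn, base_class].
# Returns nil for anything that does not fit the scheme exactly.
def parse_certname(certname)
  return nil unless certname.is_a?(String)
  fqdn, base_class, extra = certname.split('::', 3)
  return nil if fqdn.nil? || base_class.nil? || !extra.nil?
  return nil if fqdn.empty? || base_class.empty?
  # The fqdn half may only contain hostname characters (so it cannot smuggle
  # a second separator); the class half must be a plain Puppet class name.
  return nil unless fqdn.match?(/\A[a-z0-9][a-z0-9.-]*\z/i)
  return nil unless base_class.match?(/\A[a-z][a-z0-9_]*\z/)
  [fqdn, base_class]
end

# Build the ENC result for a certname, or nil if it must be refused.
# (Parameter names 'base_class' and 'real_fqdn' are assumptions.)
def classify(certname)
  parsed = parse_certname(certname)
  return nil if parsed.nil?
  fqdn, base_class = parsed
  return nil unless ALLOWED_BASE_CLASSES.include?(base_class)
  {
    'classes'    => [base_class],
    'parameters' => { 'base_class' => base_class, 'real_fqdn' => fqdn }
  }
end

# Pull the certname back out of a signed certificate's subject CN, so the same
# check can be applied to the PEM the master already has rather than to argv.
def certname_from_pem(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  cn = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  cn && cn[1]
end

# Constructed test data: a throwaway self-signed certificate whose CN is the
# given certname. Only here so the example runs offline; a real master would
# read the agent's CA-signed certificate instead.
def make_test_cert(certname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', certname]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Puppet invokes an ENC with the certname as its single argument and expects
# YAML on stdout; a refused node gets an error message and a non-zero exit.
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  result = classify(ARGV[0])
  if result.nil?
    warn "refusing certname #{ARGV[0].inspect}: not fqdn::allowed_class"
    exit 1
  end
  puts result.to_yaml
end
```

To wire this in, point puppet.conf at the script with node_terminus = exec and external_nodes = /path/to/this/script on the master. The scheme only holds if the CA's signing step also verifies that the fqdn half of a CSR really belongs to the requester; otherwise a compromised HostB can simply request a second certificate named "hostb::whatever_hosta_has" and the allowlist will not help.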