On Apr 8, 11:51 pm, Mukul Malhotra <smilemukul2...@gmail.com> wrote:
> hi,
>
> But how can I redirect the parameter from hostname to serialnumber so that
> puppet will pick the serialnumber by default instead of hostname for the
> updates on the nodes.
You have a serious misunderstanding. Puppet uses cryptographic certificates to identify nodes to the master and the master to nodes. It does by default use the node's hostname as the certname, but once the master (or another CA that the master trusts) signs the certificate, changing the node's hostname is not sufficient to allow it to impersonate another node. For node A to impersonate node B that is already known to Puppet, an attacker would also need to steal a copy of B's certificate. Anyone who can do that already has sufficient access to node B that he gains nothing by making some other node impersonate it, and anyway he doesn't need Puppet's help to steal data from node B or to present a fake node B to others.

Even if Puppet didn't rely on certificates, using serial number instead of hostname as you propose would gain nothing in security. An adversary with sufficient privilege to change nodes' hostnames could as easily modify Facter to present facts of his choosing, including a forged serialnumber.

Allowing untrusted users unrestricted access to your systems presents a very serious security problem. I would advise you to consider whether your requirements can be changed, or at least met in some less risky way. Alternatively, it might be wise to look into an alternative means to secure those parts of your systems that even privileged users must not touch. SELinux can do this for you, but you would want to design your SELinux policy very carefully. It is conceivable that your requirements are inconsistent with adequately securing your systems even via SELinux.

Bottom line: Puppet already does better on the security issue than you would achieve with your proposed reconfiguration / modification. If the security already provided by Puppet is insufficient, then you need to look deeper to secure your systems.

John
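The trust relationship John describes, shown as an added example that is not part of the thread and not Puppet's own code: a plain-OpenSSL model in which the master is a CA, a node's identity is the certificate the CA signed for its certname, and a host that merely renames itself (or mints its own certificate with another node's name) is rejected. The names puppet-ca, node-a and node-b are constructed for the demonstration; it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): a plain-OpenSSL model of why a node's
# identity in Puppet is its signed certificate, not its hostname. "puppet-ca",
# "node-a" and "node-b" are constructed names for this demonstration only.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The master's CA: whoever holds ca.key decides which certnames are trusted.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=puppet-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# A legitimate node generates its own key and CSR; the CA signs the CSR once,
# binding the certname (CN) to that node's private key.
issue_node_cert() {
    name=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$name.crt" >/dev/null 2>&1
}

# A host that controls its own hostname can mint a certificate claiming any
# CN it likes, but it cannot get that certificate signed by the master's CA.
self_signed_claim() {
    claimed=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$claimed" \
        -keyout "$WORK/forged-$claimed.key" \
        -out "$WORK/forged-$claimed.crt" >/dev/null 2>&1
}

# The master's acceptance check: the certificate must chain to the CA and the
# name it carries must match the certname the client claims. Returns 0 if
# accepted, non-zero otherwise.
master_accepts() {
    cert=$1
    claimed=$2
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$claimed" "$cert" \
        >/dev/null 2>&1
}

# Human-readable verdict for one (certificate, claimed name) pair.
describe() {
    if master_accepts "$1" "$2"; then
        echo "accepted: $(basename "$1") presented as $2"
    else
        echo "rejected: $(basename "$1") presented as $2"
    fi
}

make_ca
issue_node_cert node-a        # node-a enrolled and signed by the CA
self_signed_claim node-b      # impostor's self-made certificate for node-b

describe "$WORK/node-a.crt" node-a          # genuine cert, genuine name
describe "$WORK/node-a.crt" node-b          # genuine cert, hostname changed
describe "$WORK/forged-node-b.crt" node-b   # self-signed cert, not CA-signed
```

Only the first case is accepted. Renaming a host does nothing because the name the master trusts is the one inside the CA-signed certificate, and a certificate the attacker signs himself never chains to the CA. The only way to pass as node-b is to hold node-b's signed certificate and private key, which is the point John makes: whoever can take those already owns node-b.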