Hi folk,
I am working on a puppet master server which will be hosted at a
publicly visible IP (due to multi-site issues), and which will someday
contain reasonably sensitive data and so which I must secure.
I've been pretty careful with developing a custom autosign strategy,
linking in with our existing infrastructure, so that the only
certificates signed are those of servers we trust, (through use of
including custom credentials in the CSR which include short-lived,
integrity-verified, machine-tied signing requests, etc). All this is
working fine and dandy as far as I can tell.
My concern is files served at custom mount points (or the default ones),
via fileserver.conf. I would like to make various of these custom mounts
visible to all of my agents, and I assume that if I make them
universally visible ("Allow *", etc in fileserver.conf), then a client
would still need a valid client certificate to access this data, and so
the data would remain private to those who have managed to obtain a
signed client certificate.
I'm basically wondering if that assumption is correct?
It seems very likely, but not having seen this in black-and-white makes
me nervous, it being a security issue, and I have found some worrying
confused people on Stack Overflow. But is my reasoning correct?
I'm sorry if this has been asked before. I have had a good look through
the docs and the FAQs, but I can't help thinking I'm missing something.
Dan.