Re: [Puppet Users] Re: Security considerations for basing decisions on facts

2013-07-06 Thread Jakov Sosic
On 01/22/2013 10:04 PM, jcbollinger wrote: You are also right that a compromised client can, in principle, falsify the fact values presented to the master in an attempt to make it divulge secret information. Whether the master might actually divulge anything is a function of the manifests with

Re: [Puppet Users] Re: Security considerations for basing decisions on facts

2013-02-18 Thread Boyan Tabakov
On 22.1.2013 23:04, jcbollinger wrote:
> You are correct that only the identity of the client node is authenticated by Puppet, and even that only insomuch as the client can be relied upon to protect its SSL certificate. The $hostname fact cannot be relied upon to convey that information

Re: [Puppet Users] Re: Security considerations for basing decisions on facts

2013-01-23 Thread Ramin K
On 1/23/2013 12:22 PM, Jist Anidiot wrote: On Tuesday, January 22, 2013 4:04:22 PM UTC-5, jcbollinger wrote: You are correct that only the identity of the client node is authenticated by Puppet, and even that only insomuch as the client can be relied upon to protect its SSL ce

[Puppet Users] Re: Security considerations for basing decisions on facts

2013-01-23 Thread Jist Anidiot
On Tuesday, January 22, 2013 4:04:22 PM UTC-5, jcbollinger wrote:
> You are correct that only the identity of the client node is authenticated by Puppet, and even that only insomuch as the client can be relied upon to protect its SSL certificate. The $hostname fact cannot be re

[Puppet Users] Re: Security considerations for basing decisions on facts

2013-01-22 Thread jcbollinger
On Tuesday, January 22, 2013 7:08:09 AM UTC-6, Boyan Tabakov wrote:
> Hello,
>
> Let's consider the scenario when a client node in a puppet environment gets compromised.
>
> In case some of the puppet modules make decisions based on agent facts, these modules are potentially exposed to