On Sun, 1 May 2016 09:53:29 -0400 "Lutchy Horace (Mailing List)" <[email protected]> wrote:
> I don't mind registering clients with the admin user. However, I do
> have a concern. Do consumers need the admin password to update from
> repository? Assuming that admin password is nowhere stored on the
> consumer machines? And lastly, assuming the consumer machine has been
> compromised, is the Pulp server at risk from pulp-consumer?

Reviewing https://pulp.readthedocs.io/en/latest/user-guide/consumer-client/register.html.

It appears that a certificate is stored on the consumer machine:

/Once a consumer is registered, a certificate is written into its PKI:
`/etc/pki/pulp/consumer/consumer-cert.pem` This certificate will automatically suffice for authentication against the server’s API for all future operations until the consumer is unregistered./

This is a bit troublesome as I am unfamiliar with the security implications of pulp-consumer. I looked over the 'pulp-consumer' command options and it appears that there is not much it can do. Although I wonder if a malicious user on a compromised machine can use the client certificate to conduct malicious activities via the REST API?

Regards

--
Lutchy Horace
Owner/Operator/Administrator [http://www.lhprojects.net]
Owner/Operator/Administrator [http://www.bombshellz.net]
Owner/Operator/Administrator [http://www.animehouse.club]
About Me [http://about.me/lhprojects]
USA
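Added example, not part of the original message and not Pulp's own code: since the quoted documentation says the file at `/etc/pki/pulp/consumer/consumer-cert.pem` suffices for authentication against the server's API, a first check on a consumer is which local accounts can read or replace it. The function name `audit_credential_file` and the expected owner and mode are assumptions made for this sketch, not documented Pulp requirements.

```python
"""Audit who can read or replace a stored client credential file (added example)."""
import os
import stat
import sys

# Path quoted in the message from the Pulp registration documentation.
CONSUMER_CERT = "/etc/pki/pulp/consumer/consumer-cert.pem"


def audit_credential_file(path, expected_uid=0):
    """Return a list of findings; an empty list means every check passed.

    Assumption (not a documented Pulp requirement): the file should be a
    regular file owned by expected_uid, with no group/other access, in a
    directory that group/other cannot write to.
    """
    findings = []
    try:
        st = os.lstat(path)  # lstat: a symlink is reported, not followed
    except FileNotFoundError:
        return ["missing: %s (consumer not registered?)" % path]

    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file (symlink or other type)")
        return findings

    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/other (mode %o)" % mode)

    # A writable parent lets another account swap the file out entirely.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory writable by group/other")
    return findings


if __name__ == "__main__":
    problems = audit_credential_file(CONSUMER_CERT)
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```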
