Issue #1891 has been updated by harisekhon.

An attacker would need access to the official installation media/script etc. to get the passphrase. On the wire, the passphrase should be encrypted of course, preferably against the CA's public cert, which could be placed inside the installation process so as not to be man-in-the-middled, since nobody would be able to intercept and supply any other public cert (the installing machine would have it embedded during installation before it contacts the puppet CA).

----------------------------------------
Feature #1891: Auto-sign certificates if sent the correct passphrase with the certificate request
http://projects.reductivelabs.com/issues/1891

Author: harisekhon
Status: Accepted
Priority: Normal
Assigned to: community
Category: SSL
Target version: unplanned
Complexity: Unknown
Affected version: 0.24.6
Keywords:

Setting an auto-sign passphrase on the puppet CA would allow a completely automated build of a new system that has the passphrase embedded in the installation script. The request should be able to take the passphrase on the command line via a switch.

This offers the best of all worlds, security in not auto-signing just anything, but still having ease of use, speed and automation of deployments of new systems, since you'd no longer need to go to the puppetmaster's CA and manually type in to accept pending certificates.
----------------------------------------
