Issue #2890 has been updated by Luke Kanies.
Peter Meier wrote:

> yes it would, but wouldn't it then be possible that a malicious client could
> knock off all the existing clients with a bunch of CSR? Or am I just wrong in
> thinking that a client with the old cert (which was never thought to be
> removed) can't connect anymore?

The server doesn't need a copy of the client's certificate for the client to authenticate - this is one of the big differences between SSH-style auth and SSL auth. For any malicious client to have any access at all, someone would have to decide to actually sign the CSR from the malicious client.

This is definitely more open and destructive than I would prefer to be, but it's not at all a security hole and it's a *huge* usability issue.

----------------------------------------
Bug #2890: Puppetd: signed certificate retrieval "Retrieved certificate does not match private key"
http://projects.reductivelabs.com/issues/2890

Author: Silviu Paragina
Status: Accepted
Priority: Low
Assigned to: Markus Roberts
Category: SSL
Target version: 0.25.2
Affected version: 0.25.1
Keywords:
Branch:

Install a new client, let's call it client1.

Steps:
1. run puppetd --test on client
2. run puppetca --sign client1 on server
3. run rm -rf /var/lib/puppet/ssl on the client (equivalent to reinstalling the OS on the client)
4. run puppetd --test on the client

Now you will get, as expected, the "Retrieved certificate does not match private key" error. But the certificate the server gave is stored in /var/lib/puppet/ssl/certs and puppetd will try to use it on future runs.

To prove that, do these 2 final steps:
5. run puppetca --clean client1
6. puppetd --test

If you analyze this run you will notice that the client does not even contact the server; it just loads the local certificates and bails out because the private/public key pair doesn't match.
Workaround: delete /var/lib/puppet/ssl/certs/client1.pem from the client (or the equivalent file).

I think the client shouldn't store the certificate received from the server unless it matches.
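The check the report asks for, as an added example that is not code from the issue or from Puppet itself: before a retrieved certificate is written under the SSL directory, verify that its public key matches the private key the client currently holds, and refuse to persist it otherwise. The CA, the client keys and the function names (`make_ca`, `issue_client_cert`, `store_retrieved_cert`, `demo`) are all constructed in-process for this illustration so it runs offline; nothing talks to a puppetmaster.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Constructed in-process CA standing in for the puppetmaster's CA.
def make_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=constructed-puppet-ca')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Simplified CSR -> signed certificate flow (an assumption of this example,
# not Puppet's own signing code): the client signs a request with its key,
# the CA checks the request's self-signature and issues a certificate for
# that public key.
def issue_client_cert(ca_key, ca_cert, client_key, cn)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  csr.public_key = client_key.public_key
  csr.sign(client_key, OpenSSL::Digest.new('SHA256'))
  raise 'CSR signature invalid' unless csr.verify(csr.public_key)

  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = csr.subject
  cert.issuer = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The proposed fix: persist a retrieved certificate only if its public key
# matches the private key we hold. Returns :stored or :rejected; on
# :rejected nothing is written, so a later run still has to contact the
# server instead of loading a mismatched certificate from disk.
def store_retrieved_cert(cert_pem, private_key, ssl_dir, cn)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  return :rejected unless cert.check_private_key(private_key)

  dir = File.join(ssl_dir, 'certs')
  FileUtils.mkdir_p(dir)
  File.write(File.join(dir, "#{cn}.pem"), cert.to_pem)
  :stored
end

# Replays the sequence from the report: the CA signs for key1, the client
# wipes its SSL directory and generates key2, then retrieves the certificate
# that was issued for key1.
def demo
  ca_key, ca_cert = make_ca
  key1 = OpenSSL::PKey::RSA.new(2048)
  cert = issue_client_cert(ca_key, ca_cert, key1, 'client1')
  key2 = OpenSSL::PKey::RSA.new(2048) # fresh key after rm -rf of the ssl dir

  first = Dir.mktmpdir { |d| store_retrieved_cert(cert.to_pem, key1, d, 'client1') }
  second = nil
  left_on_disk = nil
  Dir.mktmpdir do |d|
    second = store_retrieved_cert(cert.to_pem, key2, d, 'client1')
    left_on_disk = File.exist?(File.join(d, 'certs', 'client1.pem'))
  end
  [first, second, left_on_disk]
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

`OpenSSL::X509::Certificate#check_private_key` is the same comparison the error message in the report describes; doing it before the write rather than on the next load is what turns the stale-certificate dead end into a retry.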
