Issue #2890 has been updated by Peter Meier.

Luke Kanies wrote:
> The server doesn't need a copy of the client's certificate for the client to 
> authenticate - this is one of the big differences between SSH-style auth and 
> SSL auth.

Right, this was the part where I was unsure. Thanks for the clarification.
 
> For any malicious client to have any access at all, someone would have to 
> decide to actually sign the CSR from the malicious client.

Obvious.

> This is definitely more open and destructive than I would prefer to be, but 
> it's not at all a security hole and it's a *huge* usability issue.

Definitely. Maybe we could add an option which would enable people to disable 
this behavior? It should be enabled by default, but somebody who has a 
well-established CA setup and knows how everything works might like to have a 
stricter and less destructive setup. Do I see a "Hardening Puppet" chapter 
here? ;) Anyway, I think it's fine to be open by default, but I would appreciate 
it if it were possible to somehow keep the old behavior as well.
----------------------------------------
Bug #2890: Puppetd: signed certificate retrieval "Retrieved certificate does 
not match private key"
http://projects.reductivelabs.com/issues/2890

Author: Silviu Paragina
Status: Accepted
Priority: Low
Assigned to: Markus Roberts
Category: SSL
Target version: 0.25.2
Affected version: 0.25.1
Keywords: 
Branch: 


Install a new client; let's call it client1.

Steps:
1. run puppetd --test on client
2. run puppetca --sign client1 on server
3. run rm -rf /var/lib/puppet/ssl on the client (equivalent to reinstalling 
the OS on the client)
4. run puppetd --test on the client
Now you will get, as expected, the "Retrieved certificate does not match private 
key" error. But the certificate the server gave is stored in 
/var/lib/puppet/ssl/certs and puppetd will try to use it on future runs.

To prove that, do these 2 final steps:
5. run puppetca --clean client1
6. puppetd --test 
If you analyze this run you will notice that the client does not even contact 
the server; it just loads the local certificates and bails out because the 
private/public key pair doesn't match.


Workaround: delete /var/lib/puppet/ssl/certs/client1.pem from the client (or the 
equivalent file)

I think the client shouldn't store the certificate received from the server 
unless it matches. 
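
The check proposed at the end of the report (store a retrieved certificate only if it matches the local private key), as an added Ruby example. It is not Puppet's code; the helper names, the constructed self-signed certificates and the temporary directory are assumptions for illustration.

```ruby
require "openssl"
require "tmpdir"

# Build a throwaway self-signed certificate for +key+ (constructed test data,
# standing in for the certificate the CA signed for that key's CSR).
def constructed_cert(key, cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Persist +cert_pem+ at +path+ only if its public key belongs to +private_key+.
# Returns true when stored, false when rejected (nothing is written).
def store_cert_if_matching(cert_pem, private_key, path)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  return false unless cert.check_private_key(private_key)
  tmp = "#{path}.tmp"
  File.write(tmp, cert.to_pem)
  File.rename(tmp, path) # atomic replace, never a half-written cert
  true
end

# Steps 1-4 of the report in miniature (hypothetical helper).
def reproduce(dir)
  old_key = OpenSSL::PKey::RSA.new(2048)                 # key from the first run
  signed  = constructed_cert(old_key, "client1").to_pem  # cert the server still holds
  new_key = OpenSSL::PKey::RSA.new(2048)                 # key regenerated after rm -rf ssl
  path    = File.join(dir, "client1.pem")
  stale   = store_cert_if_matching(signed, new_key, path)
  cached  = File.exist?(path)                            # would be true with the bug
  fresh   = store_cert_if_matching(constructed_cert(new_key, "client1").to_pem,
                                   new_key, path)
  { stale_stored: stale, stale_on_disk: cached,
    fresh_stored: fresh, on_disk: File.exist?(path) }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir { |d| p reproduce(d) }
end
```

With this check the stale certificate never reaches the certs directory, so the next run requests a certificate again instead of failing on the cached file.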

