Issue #3360 has been updated by Claus Divossen.

Markus Roberts wrote:

> Another point, the certificate that are being overwritten are effectively a 
> cache copy; they are not authoritative in any case.

This is true, of course. But my security concerns are not caused by the fact 
that the files get overwritten, but by the fact that new CSRs are signed for 
nodes that already have a signed cert. 

> If anyone can provide an argument that this is a security risk absent 
> autosign, feel free to re-escalate.

Any attacker can issue a CSR. If the admin running puppetca manually is 
absolutely aware of this, then it's OK. But he really needs to know which new 
nodes are expected to come. When many nodes are appearing in a short time frame, 
it's very easy to overlook a node that already showed up before, because you had 
to keep all these names in mind.

I would feel a lot safer if there was at least a warning in the "puppetca 
--list" output that identifies CSRs for nodes that already have a signed cert. 

Considering autosigning, there should be an option to disable autosigning for 
known hosts. And the FAQ entry has to be fixed, because the statement "The 
certificate itself is stored, so two nodes could not connect with the same CN 
(eg alice.mydomain.com)" is simply not correct anymore.

-- Claus
----------------------------------------
Bug #3360: puppetca silently overwrites existing certificates
http://projects.reductivelabs.com/issues/3360

Author: Claus Divossen
Status: Needs design decision
Priority: Normal
Assigned to: Luke Kanies
Category: SSL
Target version: 0.25.5
Affected version: 0.25.4
Keywords: puppetca autosigning signed certificate
Branch: 


The puppetca accepts CSRs for CNs/nodenames that already have a signed 
certificate, and signing the new certificates will overwrite the old certs 
without warning or further validation. This seems to be introduced with the 
work on Bug #2890.

The puppetca does not care about already existing signed certificates anymore. 
This is especially dangerous in combination with autosigning: When autosigning 
is active, any client can pretend to be another node as long as the desired 
node name matches the autosigning pattern(s). In consequence, autosigning 
completely disables the authorization process for matching node names. 

If there are node specific secrets distributed with puppet, an attacker can 
simply pretend to be another node with the "puppetd --fqdn" option and he will 
get the other node's secrets without any questions asked. 

The default behaviour should be to reject new CSRs for a node that already has 
a signed cert, especially with autosigning. When puppetca is run manually, a 
warning might be sufficient.
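The check the report asks for (flag pending CSRs whose CN already has a signed cert) can be done outside puppetca as a pre-signing audit. The Ruby below is an added example, not Puppet's own code: it builds constructed sample data in memory (one signed cert for alice.mydomain.com, a genuinely new CSR for bob.mydomain.com, and a second CSR for alice with a fresh key) and reports the collision. The directory variant assumes the default Puppet CA layout of $ssldir/ca/requests/*.pem and $ssldir/ca/signed/*.pem; the helper names (make_csr, make_cert, collisions, collisions_in) are the example's own. Whether the colliding CSR carries the same public key as the signed cert is reported as a hint only: a legitimately reinstalled node also shows up with a new key, so the admin still has to decide.

```ruby
require 'openssl'

# --- constructed sample data helpers (not Puppet code) -------------------

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Build a CSR for the given CN, signed by the node's own key.
def make_csr(cn, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# Build a cert for the given CN, signed by the demo CA key.
def make_cert(cn, key, ca_key, ca_name)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = ca_name
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Extract the CN string from an OpenSSL::X509::Name.
def cn_of(name)
  entry = name.to_a.find { |oid, _value, _type| oid == 'CN' }
  entry && entry[1]
end

# --- the audit itself ----------------------------------------------------

# Given PEM strings of pending CSRs and of already-signed certs, return one
# hash per CSR whose CN already has a signed cert. same_key tells whether the
# CSR presents the same public key as the existing cert (a hint, not proof).
def collisions(request_pems, signed_pems)
  signed = {}
  signed_pems.each do |pem|
    cert = OpenSSL::X509::Certificate.new(pem)
    signed[cn_of(cert.subject)] = cert
  end
  request_pems.each_with_object([]) do |pem, out|
    csr = OpenSSL::X509::Request.new(pem)
    cn = cn_of(csr.subject)
    cert = signed[cn]
    next unless cert
    out << { cn: cn, same_key: csr.public_key.to_der == cert.public_key.to_der }
  end
end

# Run the audit against a real CA directory; the requests/ and signed/
# subdirectories follow the default Puppet layout (assumed, see lead-in).
def collisions_in(ssldir)
  read = ->(dir) { Dir.glob(File.join(dir, '*.pem')).map { |f| File.read(f) } }
  collisions(read.call(File.join(ssldir, 'ca', 'requests')),
             read.call(File.join(ssldir, 'ca', 'signed')))
end

# Demo on constructed data: alice already has a cert, bob is new, and a
# second CSR for alice arrives with a key that is not alice's.
def demo
  ca_key  = make_key
  ca_name = OpenSSL::X509::Name.new([['CN', 'Puppet CA: demo']])
  signed   = [make_cert('alice.mydomain.com', make_key, ca_key, ca_name).to_pem]
  requests = [
    make_csr('bob.mydomain.com', make_key).to_pem,
    make_csr('alice.mydomain.com', make_key).to_pem
  ]
  collisions(requests, signed)
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |c|
    puts "WARNING: CSR for #{c[:cn]} but a signed cert already exists " \
         "(same public key: #{c[:same_key]})"
  end
end
```

Run before signing (or from a cron job alongside autosigning) and treat every reported CN as something to verify out of band; the bob request is not reported because no cert for that CN exists yet.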

