Issue #3360 has been updated by Jeff McCune.

Tracker changed from Feature to Bug
Subject changed from Make acceptence of redundant CSRs w. autosign conditional on a switch to puppetca silently overwrites existing certificates
Status changed from Accepted to Needs design decision
Assigned to changed from Markus Roberts to Luke Kanies
Priority changed from Normal to High
Markus Roberts wrote:

> I am lowering this to normal, since the root of the objection is based in the
> known problems with autosign (which you should _not_ be using in an
> environment where security is a concern, any more than you should just sign
> any contract that is handed to you or swallow every pill you see).

I don't believe this is valid. Consider a system administrator with autosign = true who upgrades from 0.24.X to 0.25.4. The administrator is aware of the risks surrounding autosign and is ALSO aware of how the CA operates. That is, if a CSR comes in with a CN that matches another CN which has already been signed, then the CSR is dropped on the floor and the previously signed certificate is returned. It's the CSR being dropped on the floor that's the expected behavior. The objection is not based on the known problems with autosign but rather the change in behavior of the CA regarding the CSR.

> Another point, the certificates that are being overwritten are effectively a
> cache copy; they are not authoritative in any case.

This wasn't previously true and expected behavior has changed. They used to be authoritative in the sense they prevented any new certificates from being issued with that CN.

> If anyone can provide an argument that this is a security risk absent
> autosign, feel free to re-escalate.

I'm re-escalating this. Enabling auto-sign doesn't forfeit an administrator's reasonable expectations of how the CA behaves. I know there are people out there who have expectations about CSRs not being re-signed who aren't aware of this change of behavior. Placing the onus on autosign doesn't change the fact that an administrator who has made design decisions expecting the CA to behave as it has in the past has an inherently less secure system after upgrading. I totally get the usability minefield surrounding CSRs for new and existing puppet users. I've always been a little surprised the CA returned a certificate at all when the CSR was dropped on the floor.
Would an acceptable compromise be to have the server refuse to sign the CSR, but ALSO not hand back the "wrong" certificate? The client would then be able to print a helpful error message like "Server refused to sign our request, it conflicts with an already signed certificate. Please clean the previous certificate on the server or pick another name which doesn't conflict." Or something to that effect...

----------------------------------------
Bug #3360: puppetca silently overwrites existing certificates
http://projects.reductivelabs.com/issues/3360

Author: Claus Divossen
Status: Needs design decision
Priority: High
Assigned to: Luke Kanies
Category: SSL
Target version: 0.25.5
Affected version: 0.25.4
Keywords: puppetca autosigning signed certificate
Branch:

The puppetca accepts CSRs for CNs/nodenames that already have a signed certificate, and signing the new certificates will overwrite the old certs without warning or further validation. This seems to be introduced with the work on Bug #2890. The puppetca does not care about already existing signed certificates anymore.

This is especially dangerous in combination with autosigning: When autosigning is active, any client can pretend to be another node as long as the desired node name matches the autosigning pattern(s). In consequence, autosigning completely disables the authorization process for matching node names. If there are node specific secrets distributed with puppet, an attacker can simply pretend to be another node with the "puppetd --fqdn" option and he will get the other node's secrets without any questions asked.

The default behaviour should be to reject new CSRs for a node that already has a signed cert, especially with autosigning. When puppetca is run manually, a warning might be sufficient.
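An added example, not Puppet's own CA code, of the behaviour the report and the proposed compromise above ask for: a minimal Ruby CA on the stdlib OpenSSL bindings that refuses a second CSR for a CN which already has a signed certificate and hands back no certificate at all, so the existing cert is neither overwritten nor returned. The CA name, the hostnames and the in-memory store standing in for the signed/ directory are constructed for the example.

```ruby
require 'openssl'
# Constructed example, not Puppet's own CA: refuse a CSR whose CN already has a
# signed certificate, and hand back nothing rather than the existing cert.
class StrictCA
  class DuplicateCN < StandardError; end

  def initialize
    @key    = OpenSSL::PKey::RSA.new(2048)
    @cert   = build_cert(OpenSSL::X509::Name.parse('/CN=example-ca'), @key.public_key, 1)
    @signed = {}  # CN => certificate; stands in for the CA's signed/ directory
    @serial = 1
  end

  # Signs a CSR unless a certificate for its CN has already been issued.
  def sign(csr)
    raise OpenSSL::X509::RequestError, 'CSR signature invalid' unless csr.verify(csr.public_key)
    cn = csr.subject.to_a.find { |name, _value, _type| name == 'CN' }&.fetch(1)
    raise OpenSSL::X509::RequestError, 'CSR has no CN' unless cn
    if @signed.key?(cn)
      # Neither overwrite nor return the old certificate: the requester learns
      # only that the name conflicts and must clean the old cert on the server.
      raise DuplicateCN, "#{cn} already has a signed certificate; clean it before re-requesting"
    end
    @signed[cn] = build_cert(csr.subject, csr.public_key, @serial += 1)
  end

  def signed_count; @signed.size; end
  private
  def build_cert(subject, pubkey, serial)
    cert = OpenSSL::X509::Certificate.new
    cert.version    = 2
    cert.serial     = serial
    cert.subject    = subject
    cert.issuer     = @cert ? @cert.subject : subject  # self-signed for the CA itself
    cert.public_key = pubkey
    cert.not_before = Time.now
    cert.not_after  = Time.now + 3600
    cert.sign(@key, OpenSSL::Digest.new('SHA256'))  # #sign returns the certificate
  end
end

# Builds a CSR the way a client would, with a fresh key for the given CN.
def make_csr(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))  # returns the signed CSR
end
```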
