Issue #3360 has been updated by Nigel Kersten.
Plan of action:
* Provide ca_permit_duplicates boolean configuration parameter.
* ca_permit_duplicates defaults to off.
* If ca_permit_duplicates is off:
* When a duplicate CSR for a given certname is received, reject it and
alert agent appropriately. **Do not return the old certificate.**
* If ca_permit_duplicates is on:
* When a duplicate CSR for a given certname is received, allow it, and warn
that this is a duplicate CSR. Return the new certificate
----------------------------------------
Bug #3360: Add a flag to make puppet ca behavior on receipt of duplicate
request configurable
https://projects.puppetlabs.com/issues/3360
Author: Claus Divossen
Status: Accepted
Priority: Normal
Assignee:
Category: SSL
Target version: Statler
Affected Puppet version: 0.25.4
Keywords: puppetca autosigning signed certificate
Branch:
The puppetca accepts CSRs for CNs/nodenames that already have a signed
certificate, and signing the new certificates will overwrite the old certs
without warning or further validation. This seems to be introduced with the
work on Bug #2890.
The puppetca does not care about already exisiting signed certificates anymore.
This is especially dangerous in combination with autosigning: When autosigning
is active, any client can pretend to be another node as long as the desired
node name matches the autosigning pattern(s). In consequence, autosigning
completely disables the authorization process for matching node names.
If there are node specific secrets distributed with puppet, an attacker can
simply pretend to be another node with the "puppetd --fqdn" option and he will
get the other node's secrets without any questions asked.
The default behaviour should be to reject new CSRs for a node that already has
a signed cert, especially with autosigning. When puppetca is run manually, a
warning might be sufficient.
--
You have received this notification because you have either subscribed to it,
or are involved in it.
To change your notification preferences, please click here:
http://projects.puppetlabs.com/my/account
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-bugs?hl=en.
