Issue #7244 has been updated by Matt Wise.

If you use 'certname' as the authenticator, then either people have to 
intentionally override certname with their custom data (semi-OK), or people 
have to know the hostname in advance of the host coming up ... in that case, 
the normal autosign code would work just fine. 

By allowing a separate token, the 'certname' can stay a valid hostname, but 
this separate token can be used to authenticate the host. In some environments 
it might be as simple as a password. In others (ours), it would actually check 
in to a database and see if that token is valid. If it's valid, it can 
authenticate and get a cert. If it's not, the host can never get its cert signed 
and it remains an untrusted host. We generate a 'token' in our case right 
before we create a new instance and we pass that token to the instance on 
bootup, giving us a small window where that host can properly authenticate into 
our system. 

I'm proposing that this be done in a pretty generic way though, so that people 
can adapt it to their own environments. 
----------------------------------------
Feature #7244: Autosign should allow for an external approver
https://projects.puppetlabs.com/issues/7244

Author: Matt Wise
Status: Needs More Information
Priority: Normal
Assignee: Nigel Kersten
Category: 
Target version: 2.7.x
Affected Puppet version: 
Keywords: 
Branch: 


Puppet should allow for the autosign code to point to an external script, 
instead of the autosign.conf file itself, for approval in signing an end-client's 
cert. This method should allow the client to supply a unique bit of "auth" data 
that is passed to the exec script on the master, and validated. If it returns 0, 
sign the code. If not, do not sign.

In this way, I can pass an arbitrary "token" (say it's 12345) through the puppet 
agent to the puppet ca master. The puppet ca master can then run 
"myauthscript.sh -arg 12345". If that script returns 0, puppet can then sign 
the certificate. If not, puppet fails to sign the certificate.
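The approver script the description sketches ("myauthscript.sh -arg 12345"), written out as an added example; it is not code from the issue or from Puppet. The token store (a flat file, path assumed), its "token expiry" line format, and the single-use-with-expiry rule are assumptions standing in for the database lookup the comment describes, and they are what keeps the authentication window small.

```shell
#!/bin/sh
# Hypothetical external approver for autosign. The CA master calls it as
#   myauthscript.sh -arg <token>
# and signs only on exit status 0. The token store is a constructed flat file,
# one "<token> <expiry_epoch>" per line, standing in for a database.

TOKEN_STORE="${TOKEN_STORE:-/tmp/autosign-tokens.txt}"   # assumed location

# issue_token TOKEN TTL_SECONDS: record a token valid for TTL seconds.
# Run this at instance-creation time, before passing the token to the host.
issue_token() {
    now=$(date +%s)
    printf '%s %s\n' "$1" "$((now + $2))" >> "$TOKEN_STORE"
}

# check_token TOKEN: return 0 if TOKEN was issued and is still inside its
# window. The token is removed on first lookup, so it cannot be replayed.
check_token() {
    token=$1
    now=$(date +%s)
    [ -f "$TOKEN_STORE" ] || return 1
    # Reject empty or oddly formed tokens before they reach awk.
    case "$token" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    expiry=$(awk -v t="$token" '$1 == t { print $2; exit }' "$TOKEN_STORE")
    [ -n "$expiry" ] || return 1
    # Consume the token whether or not it is still valid (single use).
    awk -v t="$token" '$1 != t' "$TOKEN_STORE" > "$TOKEN_STORE.tmp" \
        && mv "$TOKEN_STORE.tmp" "$TOKEN_STORE"
    [ "$now" -le "$expiry" ]
}

# Entry point matching the "-arg TOKEN" calling convention from the issue.
main() {
    [ "$1" = "-arg" ] && [ -n "$2" ] || { echo "usage: $0 -arg TOKEN" >&2; exit 2; }
    if check_token "$2"; then
        echo "token accepted: sign" >&2
        exit 0
    fi
    echo "token rejected: do not sign" >&2
    exit 1
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```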


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.
