Issue #7244 has been updated by Daniel Pittman.

Category set to SSL

OK.  After some private discussions I am happy to say that I think this is a 
great idea.

Specifically, I think it is a great idea to allow the capability to have an 
external block of code invoked to approve or reject the signing of a CSR as 
part of the regular handling of autosigning in Puppet.  This allows third party 
and first party developers a whole pile of wonderful about getting their 
security needs met.

I also understand why there are cases that the unique `certname` attribute is 
inappropriate, although *many* cases can be solved by running a script locally 
to the created image either through the Puppet `prerun` hook, or through part 
of the bootstrapping process, that communicates an out-of-band message to the 
server.  (This can, obviously, supply any authentication details desired, 
retrieve secured information back from the OOB server, and configure the Puppet 
client appropriately to ensure the signed cert works.  It can even install that 
cert, if desired, after the OOB process signs and retrieves it.)

However, I still object to the idea that the external approval script gets any 
input other than the CSR and, perhaps, the "live" attributes of the request 
such as the IP address from which it came.  (I see them as risky, however, 
since a move to, e.g., a message based request for the certificate would make 
them impossible to determine, or NAT may mask the actual origin, or a bounce 
attack could allow someone to reach from the "trusted" IP to the server. :)

If we resolve #7243 then the CSR can have additional data supplied to support 
this, making the "special case" of a token argument called out here 
unnecessary; even without that, generating a CSR outside the Puppet agent and 
submitting it would be possible today with existing tools, allowing this 
feature to be useful (but more painful) if we support CSR approval scripts.

Matt, would that meet your needs?  Could you cope with extracting the token 
from the CSR "by hand" and then having the remaining logic identical?
----------------------------------------
Feature #7244: Autosign should allow for an external approver
https://projects.puppetlabs.com/issues/7244

Author: Matt Wise
Status: Needs More Information
Priority: Normal
Assignee: Nigel Kersten
Category: SSL
Target version: 2.7.x
Affected Puppet version: 
Keywords: 
Branch: 


Puppet should allow for the autosign code to point to an external script, 
instead of the autosign.conf file itself for approval in signing an end-client's 
cert. This method should allow the client to supply a unique bit of "auth" data 
that is passed to the exec script on the master, and validated. If return 0, 
sign the code. If not, do not sign.

In this way, I can pass an arbitrary "token" (say it's 12345) through the puppet 
agent to the puppet ca master. The puppet ca master can then run 
"myauthscript.sh -arg 12345". If that script returns 0, puppet can then sign 
the certificate. If not, puppet fails to sign the certificate.
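
The approach discussed in the update above, where the approver sees only the CSR and extracts the token from it, sketched as an added example that is not part of this thread or of Puppet's code. It assumes the token travels in the PKCS#9 `challengePassword` attribute; `approve?`, `csr_token`, `same_token?`, `sample_csr` and `TOKENS` are hypothetical names, and the token store and sample request are constructed.

```ruby
require 'openssl'

# Constructed provisioning store: certname => one-time token issued out of band.
TOKENS = { 'agent01.example.test' => '12345' }

# Compare digests so timing does not depend on where the strings differ.
def same_token?(a, b)
  da, db = [a, b].map { |s| OpenSSL::Digest.digest('SHA256', s).bytes }
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Read the token from the CSR's PKCS#9 challengePassword attribute (assumed carrier).
def csr_token(csr)
  attr = csr.attributes.find { |a| a.oid == 'challengePassword' }
  attr && attr.value.value.first&.value
end

# Hypothetical approver: true means "sign" (a wrapper script would exit 0),
# false means "do not autosign" (exit non-zero). The only input is the CSR.
def approve?(csr_pem, tokens = TOKENS)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return false unless csr.verify(csr.public_key)   # requester holds the private key
  certname = csr.subject.to_a.assoc('CN')&.[](1)
  expected = tokens[certname] or return false      # token is bound to one certname
  supplied = csr_token(csr) or return false        # no token in the CSR
  return false unless same_token?(supplied, expected)
  tokens.delete(certname)                          # single use: a replay is rejected
  true
rescue OpenSSL::X509::RequestError
  false                                            # malformed or unparsable CSR
end

# Constructed sample request, standing in for a CSR generated outside the agent.
def sample_csr(certname, token = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  if token
    value = OpenSSL::ASN1::Set([OpenSSL::ASN1::UTF8String(token)])
    csr.add_attribute(OpenSSL::X509::Attribute.new('challengePassword', value))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end
```

Binding each token to a certname and deleting it on first use keeps a leaked token from approving a second or differently named request.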



