Issue #7244 has been updated by Patrick Hemmer.
Daniel Pittman wrote:

> However, I still object to the idea that the external approval script gets
> any input other than the CSR and, perhaps, the "live" attributes of the
> request such as the IP address from which it came. (I see them as risky,
> however, since a move to, eg, a message based request for the certificate
> would make them impossible to determine, or NAT may mask the actual origin,
> or a bounce attack could allow someone to reach from the "trusted" IP to the
> server. :)

I think providing the "live" attributes as you call them is critical information. This information doesn't have to be used, but it should be made available as it's one of the few bits of information that can't be forged. Really the only bit of information I can think of would be the IP, and while NAT or some other proxy might mask the origin IP, that's the architect's problem, not puppet's (we allow autosigning of certs based on matching of the cert name, and that's certainly far more insecure than matching on an IP).

The goal I wish to achieve by using this is to autosign certs from EC2 hosts. The idea I have in mind is that cert signing requests will come in containing the EC2 machine's instance ID. A script would then look up that instance ID and verify that the IP the cert sign request came from matches the IP for that instance. If it does match, the cert is signed. Providing additional info inside the CSR or API call would not be possible if using something like the Amazon ELB auto scaler, as all nodes will contain the same data. There wouldn't be any way to give the node a one-time-use passphrase or something to put in the request.
----------------------------------------
Feature #7244: Autosign should allow for an external approver
https://projects.puppetlabs.com/issues/7244#change-71629

Author: Matt Wise
Status: Accepted
Priority: Normal
Assignee:
Category: SSL
Target version: 3.x
Affected Puppet version:
Keywords: autosign csr ssl
Branch:

Puppet should allow for the autosign code to point to an external script, instead of the autosign.conf file itself, for approval in signing an end-client's cert. This method should allow the client to supply a unique bit of "auth" data that is passed to the exec script on the master, and validated. If return 0, sign the code. If not, do not sign. In this way, I can pass an arbitrary "token" (say it's 12345) through the puppet agent to the puppet ca master. The puppet ca master can then run "myauthscript.sh -arg 12345". If that script returns 0, puppet can then sign the certificate. If not, puppet fails to sign the certificate.
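An added example (not Puppet's code and not from either commenter) of the external approver both messages describe: an exit-0-to-sign script that implements Patrick's EC2 check, comparing the instance ID carried in the CSR's CN against the "live" source IP of the request. It assumes the CA hands the CSR PEM on stdin and the requesting IP in a REQUEST_IP environment variable, and uses a constructed in-memory table in place of an EC2 API lookup.

```ruby
#!/usr/bin/env ruby
# Hypothetical autosign approver for Puppet (added example, not Puppet's API).
# Assumed interface: CSR PEM on stdin, requester IP in $REQUEST_IP.
# Exit status 0 means "sign", anything else means "refuse".
require 'openssl'
require 'ipaddr'

# Constructed stand-in for an EC2 describe-instances lookup: ID -> private IP.
INSTANCE_IPS = {
  'i-0123456789abcdef0' => '10.0.1.15',
  'i-0fedcba9876543210' => '10.0.1.16'
}.freeze

# Pull the CN out of a CSR, but only if the CSR's self-signature verifies;
# the CN is client-supplied, so it is a claim to be checked, not a fact.
def csr_common_name(pem)
  csr = OpenSSL::X509::Request.new(pem)
  return nil unless csr.verify(csr.public_key)
  entry = csr.subject.to_a.find { |name, _value, _type| name == 'CN' }
  entry && entry[1]
end

# Accept only certnames that look like an EC2 instance ID.
def instance_id_from_certname(cn)
  cn =~ /\A(i-[0-9a-f]{8,17})\z/ ? Regexp.last_match(1) : nil
end

# Approve when the claimed instance exists and its recorded address equals
# the address the request actually arrived from (the unforgeable part).
def approve?(pem, source_ip, table = INSTANCE_IPS)
  cn = csr_common_name(pem)
  id = cn && instance_id_from_certname(cn)
  return false unless id && table.key?(id)
  IPAddr.new(table[id]) == IPAddr.new(source_ip)
rescue OpenSSL::X509::RequestError, IPAddr::InvalidAddressError
  false
end

# CLI entry point, used only when the CA invokes the script with REQUEST_IP set.
if $PROGRAM_NAME == __FILE__ && ENV.key?('REQUEST_IP')
  exit(approve?($stdin.read, ENV['REQUEST_IP']) ? 0 : 1)
end
```

A CSR with a well-formed instance ID whose table entry matches the source IP is approved; a mismatched IP, an unknown ID, or an unparseable CSR is refused.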
