Issue #19192 has been reported by Nick Fagerlund.

----------------------------------------
Bug #19192: Puppet agent should verify puppet master's cert for all endpoints except /certificate/ca
https://projects.puppetlabs.com/issues/19192
Author: Nick Fagerlund
Status: Needs Decision
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version:
Keywords:
Branch:

Puppet has a trust bootstrapping problem, but hey, who doesn't. You can get around it by distributing the CA out of band, like as part of your provisioning process. (If you DON'T do that, there's a slim chance of an attacker MITMing the `/certificate/ca` request from a new node, then retaining control over that node for as long as they can manage to MITM every subsequent Puppet request from it.)

Thing is though, once an agent DOES have the CA cert, it should be checking the master's papers for EVERY request, not just the peer-verified ones (like catalog, node, file, etc.). As it stands:

* CA master's cert is never checked for the `/certificate/ca` request. Fine, that's unavoidable.
* CA master's cert is never checked for other unverified requests, including `/certificate/<name>`, `/certificate_request/<name>`, and `/certificate_revocation_list/ca`. (tested w/ Puppet 3.1.0-pre.)

The risk from this is low, as long as the trust-bootstrapping problem has been dealt with, so I'm not filing this as a security bug (per conversation w/ eric0). The worst-case scenarios are:

* `/certificate/<name>` gets MITMed -- master refuses to trust the node, which has to be fixed manually.
* CRL gets MITMed with garbage -- actually, I haven't tried this, but maybe the node will barf and refuse to talk to the puppet master. Manual fix.

So no real biggie. Still, though: conceptually speaking, the only hole in this process should be in the CA cert distribution; the rest of it may as well be waterproof.
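Added example, not Puppet's own code: a Ruby sketch of the policy the report asks for. It picks the verify mode per endpoint (only the `/certificate/ca` bootstrap fetch may skip verification, and only while no CA cert is held) and shows what "checking the master's papers" means by chaining a presented certificate to the held CA cert. The CA, the master cert it signs and the self-signed impostor are all constructed in the block; failing closed for non-bootstrap requests when no CA cert exists is an assumption of this example.

```ruby
require 'openssl'

# Added example, not Puppet's code. Models the policy in the report: once the
# agent holds a CA cert, every request verifies the master; only the CA-cert
# bootstrap fetch may skip verification, and only while no CA cert is held.
CA_BOOTSTRAP_PATH = '/certificate/ca'.freeze

# OpenSSL verify mode an agent should use for a request to +path+.
def verify_mode_for(path, ca_cert_present)
  return OpenSSL::SSL::VERIFY_PEER if ca_cert_present
  return OpenSSL::SSL::VERIFY_NONE if path == CA_BOOTSTRAP_PATH
  # Assumed policy: with no CA cert yet, fail closed rather than go unverified.
  raise ArgumentError, "no CA cert yet; refusing unverified request to #{path}"
end

# "Checking the master's papers": chain the presented cert to the held CA cert.
def master_cert_trusted?(master_cert, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(master_cert)
end

# Builds a certificate; self-signed when issuer_cert is nil (demo helper).
def make_cert(subject, key, issuer_cert: nil, issuer_key: key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed sample data: a throwaway CA, a master cert it signed, and a
# self-signed impostor that also claims to be "puppet".
def demo_certs
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Puppet CA', ca_key, ca: true)
  master = make_cert('/CN=puppet', OpenSSL::PKey::RSA.new(2048), issuer_cert: ca, issuer_key: ca_key)
  rogue = make_cert('/CN=puppet', OpenSSL::PKey::RSA.new(2048))
  [ca, master, rogue]
end
```

`demo_certs` returns the three certs; `master_cert_trusted?` is true for the CA-signed master cert and false for the impostor, which is exactly the check the report wants applied to the CRL and certificate endpoints too.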
