Issue #1154 has been updated by Jason Ling.

Perhaps instead of signing the entire manifest, this could be simplified and the admin would sign a timestamp instead - clients will then pull manifests only if master provides a signed timestamp within the last x hours?

----------------------------------------
Feature #1154: Allow signed manifests to eliminate single point of compromise
https://projects.puppetlabs.com/issues/1154#change-89899

* Author: Jeff Goldschrafe
* Status: Accepted
* Priority: Normal
* Assignee:
* Category: newfeature
* Target version:
* Affected Puppet version: 0.24.4
* Keywords:
* Branch:
----------------------------------------
Puppet, like all configuration management systems, suffers from the possibility of being a single point of compromise, allowing arbitrary instructions to be run on all hosts accessing the Puppetmaster if a malicious manifest is crafted. Since the goal of Puppet more or less necessitates Puppet running as root on client systems, the amount of damage capable of being inflicted on client nodes is virtually limitless, and some optional extra precautions should be provided in order to limit the damage capable of being caused by a single rooted Puppetmaster.

Signed manifests appear to be the easiest and most intuitive way to accomplish this. Like GPG-signed packages, they ensure that Puppet manifests have come from an authenticated source. By verifying the signature on manifests coming from the server, clients may verify that packages have been approved by the organization owning the Puppet server.
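An added example, not part of the original thread and not Puppet code: a client-side check that combines the signed manifest from the issue description with the freshness window from the comment, by having the admin key sign the manifest digest together with a timestamp. The function names, the envelope layout, the four-hour `MAX_AGE` and the sample manifests are assumptions made for illustration.

```ruby
require 'openssl'
require 'json'
require 'time'

MAX_AGE = 4 * 3600 # assumed freshness window in seconds (the "x hours" in the comment)
CLOCK_SKEW = 300   # assumed tolerance for client clocks running behind

# Admin side, on a host other than the master: sign digest plus timestamp.
def sign_manifest(manifest, admin_key, now = Time.now.utc)
  payload = JSON.generate(
    'sha256' => OpenSSL::Digest::SHA256.hexdigest(manifest),
    'signed_at' => now.iso8601
  )
  { 'payload' => payload,
    'signature' => admin_key.sign(OpenSSL::Digest.new('SHA256'), payload) }
end

# Client side: returns :ok, or a symbol naming why the manifest is refused.
def check_manifest(manifest, envelope, admin_pub, now = Time.now.utc)
  payload = envelope['payload']
  ok = admin_pub.verify(OpenSSL::Digest.new('SHA256'), envelope['signature'], payload)
  return :bad_signature unless ok
  claims = JSON.parse(payload)
  return :manifest_mismatch unless claims['sha256'] == OpenSSL::Digest::SHA256.hexdigest(manifest)
  age = now - Time.iso8601(claims['signed_at'])
  return :stale if age > MAX_AGE
  return :from_future if age < -CLOCK_SKEW
  :ok
rescue OpenSSL::PKey::PKeyError, JSON::ParserError, ArgumentError
  :malformed
end

# Constructed sample data: a throwaway key pair and two manifests.
ADMIN_KEY = OpenSSL::PKey::RSA.new(2048)
ADMIN_PUB = ADMIN_KEY.public_key
GOOD = "file { '/etc/motd': content => 'managed by puppet' }\n"
TAMPERED = "file { '/etc/motd': content => 'changed on the master' }\n"
T0 = Time.utc(2013, 1, 1, 12, 0, 0)
ENVELOPE = sign_manifest(GOOD, ADMIN_KEY, T0)

def demo
  { fresh: check_manifest(GOOD, ENVELOPE, ADMIN_PUB, T0 + 600),
    swapped: check_manifest(TAMPERED, ENVELOPE, ADMIN_PUB, T0 + 600),
    replayed: check_manifest(GOOD, ENVELOPE, ADMIN_PUB, T0 + 6 * 3600) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Because the digest is inside the signed payload, a master that does not hold the admin key cannot attach a fresh timestamp to a manifest the admin never approved.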
