Issue #20729 has been updated by Pedro Côrte-Real.
I don't know much about how the catalog works so can't be helpful there. I have looked into using supply_drop[1] and that seems to have the "bundle the catalog" thing worked out. I think it just packages up the whole source, sends it to the client and then runs puppet apply locally. This works fine and solves the security issue since it uses ssh for the deploy. I just have the private key on my machine and the clients have the public key. Since I already need that to be able to log in to the machines it doesn't increase the attack surface at all.

The bigger change with supply_drop though is that you now have to push the changes to each server individually instead of pushing them once to the puppet master and then having them pulled asynchronously. I found this undesirable in two situations:

1. If something goes out of order (say a service crashed) you won't get an automatic puppet run putting that back into running state.
2. More importantly, when the puppet client is not online all the time you can't just push a change to the puppetmaster and have it be applied whenever the client comes online. I use this to configure things that aren't servers, like family laptops.

The solution for this could very well be to replace puppetmaster with something simple:

1. On your central machine generate a tarball with the full catalog and sign it with a private key.
2. Serve this tarball with the signature over normal https.
3. Each client periodically downloads the latest version of the tarball, checks it against the public key and executes it.

Basically it's the same distribution setup as with the current puppetmaster but the master is just a dumb download location that doesn't have to be trusted. You do need to do access control on the master, so there the rest of the current puppetmaster key infrastructure may make sense.
If you're worried about having to download the full tarball on all hosts you could instead implement the same setup with individual signing of files and then have the client request each file individually. This could be useful if you have a lot of large files in the catalog, not all of them for all hosts.

[1] https://github.com/pitluga/supply_drop

----------------------------------------
Feature #20729: Have a way to sign the catalog offline so the puppetmaster server doesn't have to be trusted
https://projects.puppetlabs.com/issues/20729#change-91683

* Author: Pedro Côrte-Real
* Status: Accepted
* Priority: Normal
* Assignee:
* Category:
* Target version:
* Affected Puppet version:
* Keywords:
* Branch:
----------------------------------------

As I was reviewing the security of my servers I realized that gaining root on the puppetmaster means gaining root everywhere as you can push whatever configuration you want to another server. It would be great if all the puppet resources served by the puppetmaster were signed by a private key that the puppetmaster doesn't hold so that the clients could check that key and not have to trust the puppetmaster.
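The sign-offline, verify-on-client scheme sketched in the comment above, as an added example that is not code from the issue, from Puppet or from supply_drop. It assumes RSA with SHA-256 via Ruby's bundled OpenSSL, stands in a short string for the catalog tarball, and goes one step beyond the comment: the signature covers a header with a version number, so a client can also refuse an older, still validly signed bundle that an untrusted download host re-serves.

```ruby
require 'openssl'
require 'json'

DIGEST = 'SHA256'

# Operator side, where the private key lives. The signature covers a small
# header (bundle hash + version) rather than the raw tarball so the client can
# reject a stale bundle as well as a modified one.
def sign_bundle(private_key, bundle, version)
  header = JSON.generate({ 'version' => version,
                           'sha256' => OpenSSL::Digest.new(DIGEST).hexdigest(bundle) })
  sig = private_key.sign(OpenSSL::Digest.new(DIGEST), header)
  { 'header' => header, 'signature' => sig.unpack1('H*') }
end

# Client side: holds only the public key; the download host is untrusted.
# Returns the verified bundle version, or nil if any check fails.
def verify_bundle(public_key, bundle, envelope, last_applied_version)
  header = envelope['header']
  sig = [envelope['signature']].pack('H*')
  return nil unless public_key.verify(OpenSSL::Digest.new(DIGEST), sig, header)
  fields = JSON.parse(header)
  return nil unless fields['sha256'] == OpenSSL::Digest.new(DIGEST).hexdigest(bundle)
  return nil unless fields['version'].is_a?(Integer) && fields['version'] > last_applied_version
  fields['version']
rescue JSON::ParserError, OpenSSL::PKey::PKeyError
  nil
end

# Constructed demo data (assumption): in practice BUNDLE is the tar.gz of the
# catalog sources and PUBLIC_KEY is installed on each client out of band.
SIGNING_KEY = OpenSSL::PKey::RSA.generate(2048)
PUBLIC_KEY  = OpenSSL::PKey::RSA.new(SIGNING_KEY.public_key.to_pem)
BUNDLE = "manifests/site.pp:\nnode default { include base }\n"

def demo
  envelope = sign_bundle(SIGNING_KEY, BUNDLE, 7)
  genuine  = verify_bundle(PUBLIC_KEY, BUNDLE, envelope, 6)
  # Bundle altered on the download host after signing: hash no longer matches.
  altered  = verify_bundle(PUBLIC_KEY, BUNDLE + "include extra\n", envelope, 6)
  # Old signed bundle re-served: signature is valid, but the version is not newer.
  stale    = verify_bundle(PUBLIC_KEY, BUNDLE, envelope, 7)
  # Signed with a key the client does not trust.
  foreign  = verify_bundle(PUBLIC_KEY, BUNDLE,
                           sign_bundle(OpenSSL::PKey::RSA.generate(2048), BUNDLE, 8), 6)
  [genuine, altered, stale, foreign]
end

puts demo.inspect # => [7, nil, nil, nil]
```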
