Issue #7014 has been updated by Nick Fagerlund.

Yeah, we found it.

Was:

        when /^\w[-.@\w]*$/                                       # ? Just like a host name but allow '@'s and ending '.'s
          [:opaque,:exact,nil,[value]]


Should be:

        when /^\w[-\.@\w]*$/                                       # ? Just like a host name but allow '@'s and ending '.'s
          [:opaque,:exact,nil,munge_name(value)]

We aren't entirely sure why this works, but reasoned that it should resemble 
what the case statement was doing for real hostnames. 

Once these names weren't getting blocked by auth.conf, we learned that they are 
also independently disallowed by node definitions; we don't know how node 
termini and the ENC interface handle them. 

----------------------------------------
Bug #7014: certnames with @ symbols don't pass through auth.conf
https://projects.puppetlabs.com/issues/7014#change-96690

* Author: Matt Robinson
* Status: Accepted
* Priority: Normal
* Assignee: 
* Category: security
* Target version: 
* Affected Puppet version: 
* Keywords: 
* Branch: 
----------------------------------------
In lib/puppet/network/authstore.rb line 242ish a case statement deals with 
certnames with @ symbols in a way that makes it so that they'll never match 
auth.conf rules for hosts.  The easy workaround is, of course, not to use 
certnames with at symbols.

We really ought to stop conflating host, name and certname in this area of code 
also, because it makes it REALLY hard to read.
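
The mismatch described in this issue, as an added example that is not part of the original messages and is not Puppet's code. It is a simplified model: the behaviour of munge_name (lowercase, split on ".", reverse) is an assumption, and parse_allow, allowed? and results are hypothetical helper names.

```ruby
# Simplified model of the auth.conf name comparison discussed above.
# ASSUMPTION: munge_name lowercases, splits on "." and reverses the labels,
# the way hostname patterns are stored. Not taken from the page.
def munge_name(name)
  name.downcase.split(".").reverse
end

# The regex quoted in the issue for names that may contain '@'.
OPAQUE = /^\w[-.@\w]*$/

# Hypothetical helper: build the stored pattern for an allow value,
# either as the "Was" branch ([value]) or the "Should be" branch.
def parse_allow(value, fixed:)
  return nil unless value =~ OPAQUE
  fixed ? munge_name(value) : [value]
end

# Hypothetical helper: exact match. The client certname is munged and
# compared to the stored pattern; an unparsed rule (nil) denies.
def allowed?(pattern, certname)
  !pattern.nil? && pattern == munge_name(certname)
end

# Constructed sample certnames (not from the issue).
SAMPLES = ["agent@node1.example.com", "Admin@Example.COM"].freeze

# For each sample, write a rule naming that certname and test it against itself.
def results(fixed:)
  SAMPLES.map { |cn| allowed?(parse_allow(cn, fixed: fixed), cn) }
end

if __FILE__ == $0
  SAMPLES.each do |cn|
    before = parse_allow(cn, fixed: false)
    after  = parse_allow(cn, fixed: true)
    puts "#{cn}: client munged to #{munge_name(cn).inspect}"
    puts "  was:       #{before.inspect} -> allowed=#{allowed?(before, cn)}"
    puts "  should be: #{after.inspect} -> allowed=#{allowed?(after, cn)}"
  end
end
```

Under this model the original branch fails closed: a rule that names the certname exactly still denies it, because one side of the comparison is a single-element array and the other is the reversed label list.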

