If you're going to pursue this, be sure to use Kerberos for encryption as well.

A lot of sensitive data can get passed around by Puppet. It's a good idea, but I feel that it's going to be quite a daunting task given that you'll need to bind through Apache/Nginx -> Passenger and then figure out how to translate that into a certname portion for Puppet to use. That said, it would be pretty awesome.

Trevor

On Tue, Jun 4, 2013 at 8:14 PM, <[email protected]> wrote:

> This summer I am working in an environment where we have a well-established Linux + Kerberos + Active Directory infrastructure. We would prefer to re-use that infrastructure rather than maintain a separate private key infrastructure for puppet. So, I am investigating enabling Kerberos authentication for node <-> master authentication. So far it looks like the work breaks up into several pieces:
>
> 1 MASTER
> 1.a Configure Apache2 for Kerberos HTTP authentication
> 1.b Retrieve the principal from the web request.
> 1.c Enhance Puppet::Network::AuthStore::Declaration to support Active Directory host principals (e.g. [email protected]).
>
> 2 AGENT
> 2.a Acquire/build a Kerberos / GSSAPI capable HTTP client library
> 2.b Integrate it into the puppet agent lifecycle
>
> I'm new to puppet and related technologies so would appreciate any high level guidance/suggestions/etc. that the community might have to offer.
>
> mjz
>
> ---
> Further details and questions (in no particular order)
>
> * POC master progress - So far I have a very small set of non-production quality edits to the puppet master code that allows GET production/node/[email protected] to work as expected when using "curl --negotiate -u:" as a client. See: https://github.com/mzeren-vmw/puppet/commit/draft_kerberos_baby_steps. I am just starting to create proper patches for pull requests.
>
> * POC agent progress - I have not yet found a GSSAPI capable http client library, but I have found and successfully tested https://github.com/cbeer/net-ssh-kerberos which depends on git://github.com/zenchild/gssapi.git (MIT) which in turn depends on ffi (LGPLv3). When I get to the client side work I may leverage gssapi to extend Net::HTTP?
>
> * How would Kerberos integrate with MCollective? - I don't really understand the relationship between mcollective and puppet yet. How might Kerberos auth affect mcollective based features or future enhancements?
>
> * Is pulling REMOTE_USER from the environment acceptable? Or do we need a way to get the mod_auth_kerb user into a request header as we do for X-Client-DN and X-Client-Verify? So far mod_rewrite hasn't been cooperating here...
>
> * Apache mod_auth_kerb only? I am focused on using Apache2's mod_auth_kerb. I don't anticipate getting this to work for webrick, and haven't yet investigated nginx. Would a single webserver solution be acceptable?
>
> * There's a related bug here: https://projects.puppetlabs.com/issues/3958 discussion: https://groups.google.com/forum/#!msg/puppet-dev/ECIvFzj4dKo/ivOqTQEKVeoJ
>
> * Are there any plans to support ruby 2.0? Net::HTTP apparently has basic auth support in 2.0, which might lead to cleaner Kerberos support (but I really haven't looked at this in detail yet.)
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/puppet-dev?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
[email protected]

-- This account not approved for unencrypted proprietary information --
