On Tue, Jun 18, 2013 at 5:36 AM, Erik Dalén <[email protected]> wrote:
> Seems like a decent alternative would be to just have a second
> webservice/on top of puppet that allows agents to authenticate with their
> kerberos token and authorize their SSL certificate request that way. That
> should be fairly easy to build with just some fiddling with mod auth kerb,
> apache configs and puppet auth.conf.
>

Pluggable autosign? We were talking about working on that some internally and there is a pull request open right now that would lay the groundwork. I would say that we are going to be working on it *real soon now*, but you all probably know my track record on making statements about what we will be working on :(

>
> On 17 June 2013 23:44, <[email protected]> wrote:
>
>>
>> On Tuesday, June 11, 2013 6:38:59 PM UTC-7, Trevor Vaughan wrote:
>>>
>>> If you're already joining a machine to a Kerberos realm, then you're
>>> probably either doing it at install time using a first layer authorization
>>> subsystem (razor type install), or you're hopping on after the fact to
>>> register the system, or you're using Puppet to do it.
>>>
>>
>> Right. The step where a privileged operation adds a machine to the
>> domain is something that already has to happen. By using Kerberos
>> authentication of agents to the puppet master we eliminate a second
>> privileged operation to register the machine to puppet, and also avoid
>> deploying PKI for agents. We still need PKI for puppet masters -- but that
>> infrastructure is already in place.
>>
>> I hope that makes sense. I think these are important justification points
>> for the armature.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Developers" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/puppet-dev.
>>
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
> --
> Erik Dalén

--
Andrew Parker
[email protected]
Freenode: zaphod42
Twitter: @aparker42
Software Developer
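The authorization decision that the Kerberos-backed signing service proposed in the quoted message would have to make, as an added example that is not part of the thread and not Puppet's code. It assumes the front end (for instance Apache with mod_auth_kerb) passes the authenticated principal in REMOTE_USER, that hosts hold `host/<fqdn>@REALM` principals, and that the CSR's CN has already been parsed; `may_autosign`, `TRUSTED_REALMS` and the sample names are hypothetical.

```python
import re

# Assumption: realms whose KDC is trusted to vouch for host identity (constructed value).
TRUSTED_REALMS = {"EXAMPLE.COM"}

# Host principal as the Kerberos front end reports it: host/<fqdn>@<REALM>.
_PRINCIPAL = re.compile(r"^host/(?P<fqdn>[^/@\s]+)@(?P<realm>[^/@\s]+)$")
# Conservative certname syntax: DNS labels, at least two of them, no wildcards.
_CERTNAME = re.compile(r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
                       r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$")


def may_autosign(remote_user, csr_common_name):
    """Return (allowed, reason) for signing a CSR submitted by remote_user.

    remote_user     -- authenticated principal, e.g. Apache's REMOTE_USER
    csr_common_name -- subject CN already parsed out of the submitted CSR
    """
    m = _PRINCIPAL.match(remote_user or "")
    if not m:
        # User principals (alice@REALM) and other services must not enroll hosts.
        return False, "not a host principal"
    # Kerberos realm names are case-sensitive, so compare them exactly.
    if m.group("realm") not in TRUSTED_REALMS:
        return False, "untrusted realm"
    certname = (csr_common_name or "").lower()
    if not _CERTNAME.match(certname):
        return False, "invalid certname"
    # The core rule: a host may only obtain a certificate for its own name.
    if m.group("fqdn").lower() != certname:
        return False, "principal does not match CSR name"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: (REMOTE_USER, CN from the CSR).
    for user, cn in [
        ("host/web01.example.com@EXAMPLE.COM", "web01.example.com"),
        ("host/web01.example.com@EXAMPLE.COM", "puppetmaster.example.com"),
        ("alice@EXAMPLE.COM", "web01.example.com"),
    ]:
        print(user, cn, may_autosign(user, cn))
```

The name-match rule is what keeps a joined machine from requesting a certificate for another node or for the master itself.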
