On Tuesday, June 18, 2013 8:51:20 AM UTC-7, Andy Parker wrote:
> On Tue, Jun 18, 2013 at 5:36 AM, Erik Dalén <[email protected]> wrote:
>
>> Seems like a decent alternative would be to just have a second
>> webservice/on top of puppet that allows agents to authenticate with their
>> kerberos token and authorize their SSL certificate request that way. That
>> should be fairly easy to build with just some fiddling with mod auth kerb,
>> apache configs and puppet auth.conf.
>
> Pluggable autosign? We were talking about working on that some internally
> and there is a pull request open right now that would lay the groundwork.

While pluggable auto-sign as discussed here: https://github.com/puppetlabs/puppet/pull/1522 sounds very useful, our objective is to separate "authentication secret management" from "configuration management". We would like to avoid having the puppet master have any CA role. We could do that by deploying an external CA, but Kerberos support would allow us to skip that additional deployment and maintenance work for agents that already have Kerberos configured correctly.
I hope that justification makes sense, and again, I'll try to capture it in an armature.
