On 18 June 2013 17:51, Andy Parker <[email protected]> wrote:

> On Tue, Jun 18, 2013 at 5:36 AM, Erik Dalén 
> <[email protected]>wrote:
>
>> Seems like a decent alternative would be to just have a second
>> webservice/on top of puppet that allows agents to authenticate with their
>> kerberos token and authorize their SSL certificate request that way. That
>> should be fairly easy to build with just some fiddling with mod auth kerb,
>> apache configs and puppet auth.conf.
>>
>>
> Pluggable autosign? We were talking about working on that some internally
> and there is a pull request open right now that would lay the groundwork.
>
> I would say that we are going to be working on it *real soon now*, but you
> all probably know my track record on making statements about what we will
> be working on :(
>

Hmm, had a look at that pull request. Why not use an indirector for
autosign? And then just implement an exec terminus similar to the exec node
terminus instead of an autosign_command option?

It would be really useful in my opinion to just expose the autosigning over
the REST API anyway. So the autosign.conf can be managed using that
(something that foreman_proxy provides otherwise).


But my suggestion here wasn't really managing autosign.conf using kerberos
or so. It was that you use mod_authnz_krb in apache on the
/.*/certificate_status/{certname} endpoint and just allow everyone in the
puppet auth.conf. But only allow kerberos tokens matching their host name
in the apache config. That way hosts can manage their own certificate
status using a krb authenticated HTTP request. So request a cert in the
regular way and then use their already existing krb token to authenticate
the CSR.


>
>
>>
>> On 17 June 2013 23:44, <[email protected]> wrote:
>>
>>>
>>>
>>> On Tuesday, June 11, 2013 6:38:59 PM UTC-7, Trevor Vaughan wrote:
>>>>
>>>> If you're already joining a machine to a Kerberos realm, then you're
>>>> probably either doing it at install time using a first layer authorization
>>>> subsystem (razor type install), or you're hopping on after the fact to
>>>> register the system, or you're using Puppet to do it.
>>>>
>>>
>>> Right. The step where a privileged operation adds a machine to the
>>> domain is something that already has to happen. By using Kerberos
>>> authentication of agents to the puppet master we eliminate a second
>>> privileged operation to register the machine to puppet, and also avoid
>>> deploying PKI for agents. We still need PKI for puppet masters -- but that
>>> infrastructure is already in place.
>>>
>>> I hope that makes sense. I think these are important justification
>>> points for the armature.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Puppet Developers" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> Visit this group at http://groups.google.com/group/puppet-dev.
>>>
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>>
>>>
>>
>>
>>
>> --
>> Erik Dalén
>>
>>
>>
>>
>
>
>
> --
> Andrew Parker
> [email protected]
> Freenode: zaphod42
> Twitter: @aparker42
> Software Developer
>
> Join us at PuppetConf 2013, August 22-23 in San Francisco -
> http://bit.ly/pupconf13
> Register now and take advantage of the Early Bird discount - save 25%!
>
>
>
>



-- 
Erik Dalén

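The set-up Erik sketches above (Kerberos in front of the certificate_status endpoint, with the ticket's host principal required to match the certname in the URL, and Puppet's own auth.conf opened up for that path) written out as an added example. This is not from the thread and not Puppet's own configuration. It assumes mod_auth_kerb's directive names (the module the earlier message calls "mod auth kerb"), Apache 2.4's expression-based `Require expr`, a realm of EXAMPLE.COM, a keytab at /etc/httpd/conf/http.keytab and Puppet 3's REST layout of /<environment>/certificate_status/<certname>; all of those are placeholders to adjust for your site.

```apache
# Added example (not from the thread, not Puppet's own configuration).
# Assumptions: mod_auth_kerb directive names, Apache 2.4 (for Require expr),
# Kerberos realm EXAMPLE.COM, keytab at /etc/httpd/conf/http.keytab,
# and Puppet 3's REST layout /<environment>/certificate_status/<certname>.

<VirtualHost *:8140>
    ServerName puppet.example.com
    # ... existing SSL / Passenger directives for the puppet master stay as they are ...

    <LocationMatch "^/[^/]+/certificate_status/[^/]+$">
        AuthType Kerberos
        AuthName "Puppet CA"
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/httpd/conf/http.keytab
        KrbServiceName HTTP
        # Accept tickets only (SPNEGO); never fall back to password Basic auth.
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbSaveCredentials Off
        # Check the KDC against our own key so a forged KDC cannot mint principals.
        KrbVerifyKDC On
        # Keep the full principal (host/fqdn@REALM) in REMOTE_USER for the check below.
        KrbLocalUserMapping Off

        # A valid ticket only proves "some principal in the realm". This binds the
        # identity to the resource: host/<certname>@EXAMPLE.COM may act only on
        # /certificate_status/<certname>; any other principal is refused (403).
        Require expr "%{REQUEST_URI} =~ m#^/[^/]+/certificate_status/([^/]+)$# && %{REMOTE_USER} == 'host/' . $1 . '@EXAMPLE.COM'"
    </LocationMatch>
</VirtualHost>
```

On the Puppet side this only works if auth.conf lets the request through without a client certificate, since the agent does not have a signed one yet: a `path /certificate_status` rule with `method save`, `auth any` and `allow *` is the "allow everyone" Erik describes. That is the important split to keep in mind when reviewing such a deployment: Puppet's own ACL now says "anyone", and Apache is the only thing enforcing identity, so the LocationMatch pattern has to cover every URL form that reaches the certificate_status indirection, and a request that arrives through any other vhost, port or path to the same Puppet process bypasses the Kerberos check entirely. Certnames and host principals should also agree on case (Puppet lower-cases certnames), or the string comparison above fails closed for otherwise legitimate hosts.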

