On Wednesday, June 19, 2013 3:02:26 AM UTC-7, Erik Dalén wrote:
>
> But my suggestion here wasn't really managing autosign.conf using kerberos
> or so. It was that you use mod_authnz_krb in apache on the
> /.*/certificate_status/{certname} endpoint and just allow everyone in the
> puppet auth.conf. But only allow kerberos tokens matching their host name
> in the apache config. That way hosts can manage their own certificate
> status using a krb authenticated HTTP request. So request a cert in the
> regular way and then use their already existing krb token to authenticate
> the CSR.
>
Again, the desire (security requirement) here is that the puppet master not
be responsible for issuing certificates to agents. If we were to use agent
certificates we would likely deploy MS Certificate Services to issue client
certs to the agents. However we would like to avoid that extra
infrastructure if we can get puppet agents to authenticate via Kerberos. In
the prototyping that I've been working on, the agent does not have a
certificate.
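Erik's proposal above, sketched as an added example that is not from either poster: an Apache 2.4 front end using mod_auth_kerb (the module referred to as "mod_authnz_krb" above; module name, directive names and the Apache 2.4.8+ named-capture behaviour are assumptions) so that only the principal host/<certname>@REALM can act on its own certificate_status record, while the Puppet 3 auth.conf behind it lets everyone through. The realm, keytab path and hostnames are placeholders.

```apache
# --- Apache 2.4 vhost fragment in front of the Puppet CA (assumed setup) ---
# The named group "certname" is exported to the request environment as
# MATCH_CERTNAME, so it can be compared against the authenticated principal.
<LocationMatch "^/[^/]+/certificate_status/(?<certname>[^/]+)$">
    AuthType            Kerberos
    AuthName            "Puppet CA (Kerberos)"
    # placeholder realm and keytab holding HTTP/puppetca.example.com
    KrbAuthRealms       EXAMPLE.COM
    Krb5Keytab          /etc/httpd/http.keytab
    KrbServiceName      HTTP
    # tickets only: no password fallback over the wire
    KrbMethodNegotiate  On
    KrbMethodK5Passwd   Off
    # keep the realm in REMOTE_USER so the comparison below is exact
    KrbLocalUserMapping Off

    # A host may only touch the record whose certname equals its own principal;
    # any other authenticated host gets 403 from Apache before Puppet sees it.
    Require expr %{REMOTE_USER} == 'host/' . reqenv('MATCH_CERTNAME') . '@EXAMPLE.COM'
</LocationMatch>

# --- /etc/puppet/auth.conf stanza (Puppet 3 syntax), copied to that file ---
# Authorisation already happened in Apache, so Puppet itself allows anyone;
# the environment prefix is stripped before auth.conf paths are matched.
# path ~ ^/certificate_status/([^/]+)$
# method find, search, save, destroy
# auth any
# allow *
```

Because Apache compares the principal to the certname in the URL, a host that requested a cert under its real hostname can only approve or revoke its own CSR, which is the property Erik's scheme relies on.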
--
You received this message because you are subscribed to the Google Groups
"Puppet Developers" group.