On Mon, Jul 1, 2013 at 12:58 PM, Andy Parker <[email protected]> wrote:

> I would be very concerned if the security system of puppet were based on
> untrusted information from the agent. Unless we have a bug in this system,
> which we don't as far as I know, then the security is all based on the CN of
> the certificate subject. Now, you can write your manifests to rely on a
> fact, which cannot be trusted and that could be a problem. Short of signing
> all facts (which I'm not sure how to do in the face of a fact value
> changing) facts cannot be trusted. There are some that have been floating
> around at Puppet Labs around getting trusted data into the manifests via the
> certificate.
>
> So the short is: we should be using certificate information for security.
> This is untrusted data in manifests and so care must still be taken.
The config parameter in question is node_name. Its default is 'cert', which uses the DN from the certificate as you say. The other option is 'fact'. I seem to recall the default being 'fact' in much older versions, but that recollection may be incorrect.

At any rate, if you're worried, set this parameter explicitly, and of course disable autosigning.

We also include a check in the manifests that $fqdn = $clientcert, so that a host with a valid, trusted cert cannot falsify its $fqdn and thereby fool conditionals based on $fqdn.

Dustin
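An added illustration of the manifest check Dustin describes (example code, not from the original thread or from Puppet's own sources): placed at the top of a Puppet 3-era site.pp, it aborts catalog compilation for any agent whose self-reported fqdn fact does not match the CN of the certificate it authenticated with. The site.pp location and the "webserver" node name are assumptions.

```puppet
# site.pp (assumed location): identity check for every agent.
#
# $::clientcert is filled in by the master from the certificate the agent
# presented and verified (the CN). $::fqdn is an ordinary fact, supplied
# by the agent and therefore under its control. Refusing to compile when
# the two disagree means no conditional keyed on $::fqdn further down can
# be steered by a forged fact from a host that merely holds a valid cert.
if $::clientcert != $::fqdn {
  fail("Refusing catalog: certificate CN '${::clientcert}' does not match fqdn fact '${::fqdn}'")
}

# Below this point $::fqdn is only as trustworthy as the certificate, since a
# mismatching agent never reaches here. Node matching still uses the certname
# (node_name = cert), so the node block itself was never fact-driven.
node 'webserver.example.com' {    # hypothetical node name
  if $::fqdn == 'webserver.example.com' {
    notify { 'fqdn-matches-cert': }
  }
}

node default {
  notify { "unclassified node ${::clientcert}": }
}
```

Pair this with an explicit `node_name = cert` and `autosign = false` in the master's puppet.conf so that node matching never falls back to fact data and no certificate is signed without review.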
