One thing to add to this - if you have set autosign.conf to autosign anything then it is possible for a remote client to get a certificate remotely then retrieve files... Of course this will take a few requests, but it's possible...
Greg

On Aug 10, 7:47 am, James Turnbull <[email protected]> wrote:
> Simon Strange wrote:
> > Hi,
> >
> > This might be a silly question but if I have a fileserver configured like
> > this:
> >
> > [files]
> > path = /etc/puppet/files
> > allow *
> >
> > Does that mean:
> >
> > 1. Anybody in the world (who can reach my puppet master) can view/pull
> > files?
> >
> > 2. Only the clients who've been signed via the "puppetca --sign"
> > process can view/pull files?
>
> There are two layers of granularity:
>
> 1. Only clients authenticated via certificate can connect.
> 2. Only clients which are authenticated AND specifically allowed
> access to the file server mount can retrieve files.
>
> Regards
>
> James Turnbull
>
> --
> Author of:
> * Pro Linux Systems Administration
> (http://tinyurl.com/linuxadmin)
> * Pulling Strings with Puppet
> (http://tinyurl.com/pupbook)
> * Pro Nagios 2.0
> (http://tinyurl.com/pronagios)
> * Hardening Linux
> (http://tinyurl.com/hardeninglinux)
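An added audit script, not from this thread or from Puppet itself, that combines the two layers James lists with the autosign point Greg raises: it parses a fileserver.conf (mount sections with `path`/`allow`/`deny` lines, accepting both `path x` and `path = x`) and an autosign.conf (one hostname or glob per line, bare `*` signs everything) and reports who can read each mount. Both config texts are constructed samples; the `deny *` handling is a simplification of Puppet's ACL precedence.

```python
import re

# Constructed sample configs (not from the thread) reproducing the risky
# combination Greg describes: autosign wildcard plus a mount that allows all.
FILESERVER_CONF = """\
[files]
  path = /etc/puppet/files
  allow *
[private]
  path /etc/puppet/private
  allow *.example.com
"""
AUTOSIGN_CONF = """\
# one hostname or glob per line; a bare * signs every request
*
"""

def _lines(text):
    """Non-empty lines with '#' comments stripped."""
    return [l for l in (r.split("#", 1)[0].strip() for r in text.splitlines()) if l]

def parse_fileserver(text):
    """fileserver.conf -> {mount: {"path", "allow", "deny"}}; 'path x' or 'path = x'."""
    mounts, current = {}, None
    for line in _lines(text):
        section = re.match(r"^\[(\w+)\]$", line)
        if section:
            current = section.group(1)
            mounts[current] = {"path": None, "allow": [], "deny": []}
            continue
        kv = re.match(r"^(path|allow|deny)\s*=?\s*(\S+)$", line)
        if kv is None or current is None:
            raise ValueError("unparseable fileserver.conf line: %r" % line)
        key, value = kv.groups()
        if key == "path":
            mounts[current]["path"] = value
        else:
            mounts[current][key].append(value)
    return mounts

def audit(fileserver_text, autosign_text):
    """Who can read each mount: cert issuance (autosign) x mount ACL (allow/deny)."""
    signs_anyone = "*" in _lines(autosign_text)  # bare * = every CSR is signed
    report = {}
    for name, mount in parse_fileserver(fileserver_text).items():
        if "*" in mount["allow"] and "*" not in mount["deny"]:
            report[name] = ("any host that can reach the master" if signs_anyone
                            else "any host holding a signed certificate")
        else:
            report[name] = "only hosts matching " + ", ".join(mount["allow"])
    return report
```

With the sample inputs the `files` mount is reported as readable by any host that can reach the master, and the same mount drops to "any host holding a signed certificate" once autosign.conf no longer contains a bare `*`.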
