I have no issue with the PSK technique BUT, I do have a couple
questions/concerns:

1) Please keep the old syntax in place so that users don't have to run
about modifying scripts everywhere. Internal command aliases should
work fine.

2) You say that we shouldn't be trusting the network (fine), but now
we're to distribute a PSK via an unsigned format (tar) over what
medium? If you don't have some sort of authenticator/identifier for
your clients, anyone on the network could make the connection and snag
the PSK, though it may be encrypted with HTTPS or somesuch.

This is (unfortunately) just a hard problem if you can't trust your
network to some degree.

Perhaps, you could bind it to the MAC address somehow? Then you only
need to worry about MAC spoofing and firewalls, etc. Another option
would be TPM registration, but I don't know that you want to get into
all that.

What about Kerberos support? That would allow for another realm of
authentication possibilities.

Trevor

On Mon, May 14, 2012 at 11:49 AM, Daniel Sauble <djsau...@puppetlabs.com> wrote:
>
>
> On Saturday, May 12, 2012 6:14:06 AM UTC-7, Timothy Sutton wrote:
>>
>> Just concerning this PSK aspect of Sites, would this also be a similar
>> alternative to using a shared cert (or set of certs) in tandem with the
>> node_name_value or node_name_fact, as was recently suggested by Gary in this
>> thread?
>>
>>
> Yes, absolutely. However, since you're not reusing the same private key for
> all nodes in your deployment, Sites is a more secure approach to the
> problem.
-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --