On Sunday, August 25, 2013 7:17:21 AM UTC-5, Martin Langhoff wrote:
> On Sat, Aug 24, 2013 at 5:18 PM, Jakov Sosic <[email protected]> wrote:
> > Only if you use autosign option. After the certificate is signed, agents
> > report certname and not hostname.
>
> Well-behaved clients report certname. A malicious client could use one
> cert, but report a different name. AIUI the puppet master checks the
> certificate to allow connection, but uses the client-reported name to
> pick the configuration served.

Puppet identifies client nodes by the certname on the SSL certificates they present. This is what is passed to an ENC (if configured) and what is matched against defined node blocks, so it controls what configuration is served.

The client can provide a $::hostname fact that is different from the certname it presents, but that is perfectly valid and expected under some circumstances. It is possible that a client doing so is thereby able to exploit weaknesses in (user-provided) manifest files required anyway for its catalog, thereby extracting information to which it is not intended to have access, but that is possible to some degree or another with any fact. It does not constitute a flaw in Puppet itself, but rather in the manifests in question.

John
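As an added illustration (not code from this thread or from Puppet itself), here is the kind of manifest weakness John describes: a class that hands out a secret based on the agent-reported $::hostname fact, next to a form keyed on the identity the master took from the certificate. The node name vault01.example.com, the module and file paths, and the secrets module are assumptions; the $trusted['certname'] lookup assumes a Puppet version that populates trusted node data (3.4+ with trusted_node_data enabled, or 4 and later).

```puppet
# Weak: $::hostname is a fact the agent reports about itself, so any node
# that holds a valid, signed certificate can present hostname => 'vault01'
# and have this file compiled into its catalog.
class secrets::weak {
  if $::hostname == 'vault01' {
    file { '/etc/vault/unseal.key':
      ensure => file,
      owner  => 'root',
      mode   => '0400',
      source => 'puppet:///modules/secrets/vault01/unseal.key',  # assumed path
    }
  }
}

# Hardened: $trusted['certname'] is filled in by the master from the
# certificate it verified on the TLS connection, not from agent facts, so a
# client cannot change it without a certificate issued for that name.
class secrets::hardened {
  if $trusted['certname'] == 'vault01.example.com' {
    file { '/etc/vault/unseal.key':
      ensure => file,
      owner  => 'root',
      mode   => '0400',
      source => 'puppet:///modules/secrets/vault01/unseal.key',  # assumed path
    }
  }
}

# Node blocks are matched on certname already, so scoping the secret to the
# node block gives the same guarantee without an explicit comparison.
node 'vault01.example.com' {
  include secrets::hardened
}
```

The same applies to any other client-supplied fact (fqdn, ipaddress, role facts set by the agent): treat them as hints for configuration, not as authorization for data the node should not otherwise receive.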
