Hi Running puppet on port 443 might be a good move if you expect your laptops to be using cafe hotel airport style wifi
sslh might be a suitable tool to proxy for puppet I've not tried it though. Regards Neil On 18 Jun 2014 14:30, "jcbollinger" <[email protected]> wrote: > > > On Tuesday, June 17, 2014 12:19:08 PM UTC-5, jmp242 wrote: >> >> I probably don't really understand much about how puppet connects to the >> clients, but is there a big security risk about opening it up to the >> internet so laptops can get their configuration... If it's "safe enough" >> for any value of safe, what ports does it use? >> >> Thanks, >> > > > In normal operation, Puppet (the master) *doesn't* connect to clients -- > the clients connect to it (on port 8140), thereby establishing a two-way > communication channel. > > Client-side firewalls need to allow outgoing traffic to that port, and > accept incoming traffic belonging to an established connection to that > port. Those permissions can be narrowed to specific destination networks > or machines, if needed. For its part, the master needs to accept > connections on port 8140 from all client machines; that can be narrowed to > traffic originating on specific networks, if you wish. > > Each end of the conversation between agent and master authenticates to the > other via SSL certificate. Spencer understated the security there: on the > web, most SSL connections are authenticated only on one end, so Puppet's > communications are even better secured. > > With that said, if you want laptops in the field to be able to retrieve > their configuration, then you have the alternative of requiring them to > establish a VPN connection to your internal network in order to do so > (especially if users will want / need to use VPN anyway), or of just > letting them go without syncing until they return home. The Puppet service > itself is pretty well secured, but allowing connections from anywhere on > the internet increases your exposure to network-level attacks. > > > John > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/puppet-users/e0d19ab8-de5e-4205-b774-b37b1b595643%40googlegroups.com > <https://groups.google.com/d/msgid/puppet-users/e0d19ab8-de5e-4205-b774-b37b1b595643%40googlegroups.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAAohVBfNtx6igp__7Koivb18r_onQ0A0BUZeMpVyeTct1%2B-s8w%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
