FWIW, two thoughts on this: 1) Tunnel over SSH or VPN. 2) Is it feasible to *not* use a puppetmaster for this, and rather have something on the laptops (cronjob? small daemon?) that pulls down your config repository and runs masterless puppet locally?
-Jason

On Wed, Jun 18, 2014 at 10:40 AM, Neil - Puppet List <[email protected]> wrote:

> Hi
>
> Running puppet on port 443 might be a good move if you expect your laptops to be using cafe, hotel, airport style wifi.
>
> sslh might be a suitable tool to proxy for puppet; I've not tried it though.
>
> Regards
>
> Neil
>
> On 18 Jun 2014 14:30, "jcbollinger" <[email protected]> wrote:
>
>> On Tuesday, June 17, 2014 12:19:08 PM UTC-5, jmp242 wrote:
>>
>>> I probably don't really understand much about how puppet connects to the clients, but is there a big security risk about opening it up to the internet so laptops can get their configuration... If it's "safe enough" for any value of safe, what ports does it use?
>>>
>>> Thanks,
>>
>> In normal operation, Puppet (the master) *doesn't* connect to clients -- the clients connect to it (on port 8140), thereby establishing a two-way communication channel.
>>
>> Client-side firewalls need to allow outgoing traffic to that port, and accept incoming traffic belonging to an established connection to that port. Those permissions can be narrowed to specific destination networks or machines, if needed. For its part, the master needs to accept connections on port 8140 from all client machines; that can be narrowed to traffic originating on specific networks, if you wish.
>>
>> Each end of the conversation between agent and master authenticates to the other via SSL certificate. Spencer understated the security there: on the web, most SSL connections are authenticated only on one end, so Puppet's communications are even better secured.
>>
>> With that said, if you want laptops in the field to be able to retrieve their configuration, then you have the alternative of requiring them to establish a VPN connection to your internal network in order to do so (especially if users will want / need to use VPN anyway), or of just letting them go without syncing until they return home. The Puppet service itself is pretty well secured, but allowing connections from anywhere on the internet increases your exposure to network-level attacks.
>>
>> John

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAFt4V4%3DQfYtyA1pMu6AKtW7jf9D9r9yANsKT1-uE05tHBqw4jQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
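Jason's second option (a cron job pulling the config repo and running masterless Puppet) as an added example that is not from anyone in the thread: a POSIX sh script the laptop runs from cron, which refreshes a read-only checkout of the config repository and runs `puppet apply` against it. The repository URL, branch name, checkout path, and repo layout (`manifests/site.pp` plus `modules/`) are assumed placeholders.

```shell
#!/bin/sh
# puppet-pull: cron-driven masterless Puppet for roaming laptops (added example).
# Assumed repo layout: manifests/site.pp plus modules/. Example crontab entry:
#   */30 * * * * root /usr/local/sbin/puppet-pull
# The laptop only ever pulls, so the credential it carries (deploy key or HTTPS
# token) should be read-only; nothing in this script needs push access.
set -eu

REPO_URL="${REPO_URL:-git@git.example.com:ops/puppet-config.git}"  # assumed
BRANCH="${BRANCH:-production}"                                      # assumed
CHECKOUT="${CHECKOUT:-/var/lib/puppet-config}"
LOCK="${LOCK:-/var/lock/puppet-pull.lock}"

# puppet apply --detailed-exitcodes: 0 = no changes, 2 = changes applied,
# 4 = failures, 6 = changes plus failures. Only 0 and 2 count as success.
puppet_exit_ok() {
  case "$1" in
    0|2) return 0 ;;
    *)   return 1 ;;
  esac
}

# Make the working copy match the fetched branch head exactly; local edits are
# discarded, so a modified checkout cannot carry its changes into the next run.
fetch_config() {
  if [ ! -d "$CHECKOUT/.git" ]; then
    git clone --quiet --branch "$BRANCH" "$REPO_URL" "$CHECKOUT"
  fi
  git -C "$CHECKOUT" fetch --quiet origin "$BRANCH"
  git -C "$CHECKOUT" reset --quiet --hard FETCH_HEAD
  git -C "$CHECKOUT" rev-parse HEAD
}

apply_config() {
  rc=0
  puppet apply --detailed-exitcodes --modulepath "$CHECKOUT/modules" \
    "$CHECKOUT/manifests/site.pp" || rc=$?
  puppet_exit_ok "$rc"
}

main() {
  exec 9>"$LOCK"   # flock serialises overlapping cron runs
  flock -n 9 || { echo "puppet-pull: another run is in progress" >&2; exit 0; }
  rev=$(fetch_config)
  logger -t puppet-pull "applying $rev from $BRANCH"
  apply_config
}

# Run main only when executed as the script, so the functions can be sourced.
case "${0##*/}" in puppet-pull|puppet-pull.sh) main "$@" ;; esac
```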
