On Fri, Jun 06, 2014 at 06:38:10AM -0400, James wrote:
I've just announced the first sane implementation for secret handling
in puppet. Since everyone does this wrong, I thought I'd do it right,
by pioneering a new technique. You can read about it here:

On Fri, 2014-06-06 at 06:38 -0400, James wrote:
Hi FreeIPA,
*intro*
As some of you might know, I'm currently working on deploying
multi-master replicas with puppet. Since it looks like there will be
security implications, I wanted to start off by trying to build some
confidence. I want

On Fri, Jun 06, 2014 at 08:51:39AM -0400, Simo Sorce wrote:
Clearly puppet has root level access to the system so you do not (should
not?) care much about preventing access to these systems, the aim is to
not inadvertently divulge secrets through manifests and nothing else.
And puppet logs.

On Fri, 2014-06-06 at 15:10 +0200, Jan Pazdziora wrote:
On Fri, Jun 06, 2014 at 08:51:39AM -0400, Simo Sorce wrote:
Clearly puppet has root level access to the system so you do not (should
not?) care much about preventing access to these systems, the aim is to
not inadvertently divulge

On Fri, 2014-06-06 at 14:06 -0400, James wrote:
On Fri, 2014-06-06 at 08:51 -0400, Simo Sorce wrote:
Yes, the dm_password was chosen because it is needed to actually
initialize and install the replica, so instead of asking it twice we
just ask for it once and use it *also* to encrypt the