Re: Puppet Bootstrapping
On Wed, 2006-08-30 at 13:16 -0600, Jeffrey Law wrote:
> On Wed, 2006-08-30 at 14:18 +0100, Mark McLoughlin wrote:
> > What happens on networks where clients aren't necessarily assigned
> > hostnames?
> Then we're hosed. But I'm very comfortable setting a policy that for
> stateless you need hostnames in DNS.

I'm not ... because I don't have that here, and I'm sure I wouldn't be unusual in that.

> Stuff other than puppet already depends on this.

Like ... ?

My point was, though, that this dependency on consistent DNS is unnecessary for what you're trying to achieve. The SubjectName in the temporary cert is really useful.

> But I don't see *any* way to deal with MITM attacks in a system
> where the private keys have to be moved between the server and
> a client.

The client should authenticate the server. e.g. in your scheme, the puppet CA cert would be on the OS image and the client uses that to authenticate the server.

Cheers,
Mark.