Re: Puppet Bootstrapping


On Wed, 2006-08-30 at 13:16 -0600, Jeffrey Law wrote:
> On Wed, 2006-08-30 at 14:18 +0100, Mark McLoughlin wrote:

> > 	What happens on networks where clients aren't necessarily assigned
> > hostnames?
> Then we're hosed.   But I'm very comfortable setting a policy that for
> stateless you need hostnames in DNS.

	I'm not ... because I don't have that here, and I'm sure I wouldn't be
unusual in that.

>   Stuff other than puppet already depends on this.

	Like ... ?

	My point was, though, that this dependency on consistent DNS is
unnecessary for what you're trying to achieve. The SubjectName in the
temporary cert is really useful.

> But I don't see *any* way to deal with MITM attacks in a system
> where the private keys have to be moved between the server and
> a client.

	The client should authenticate the server.

	e.g. in your scheme, the puppet CA cert would be on the OS image and
the client uses that to authenticate the server.
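Worked illustration of the point in the last paragraph, added here and not code from the thread or from Puppet itself: the client trusts only the CA certificate baked into the OS image, verifies the puppetmaster's certificate chain against it, and checks the name in the certificate. An impostor on the path can copy the subject names but not the CA's private key, so its certificate is rejected. The hostname puppet.example.test, the subject names and the "hello from puppetmaster" banner are made up for the demo; everything runs over loopback with keys generated on the fly.

```ruby
require 'openssl'
require 'socket'

HOST = 'puppet.example.test' # constructed name for the puppetmaster

# Build an X.509 cert. With no issuer it is self-signed (a CA root);
# with an issuer it is a leaf signed by that CA.
def make_cert(subject, key, ca: false, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{HOST}"))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# One-shot TLS server on loopback that presents the given cert.
def run_tls_server(cert, key)
  tcp = TCPServer.new('127.0.0.1', 0)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  srv = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    begin
      conn = srv.accept
      conn.puts 'hello from puppetmaster'
      conn.close
    rescue StandardError
      # a client that refuses our certificate aborts the handshake; expected
    end
  end
  [tcp.addr[1], thread, tcp]
end

# Client side: trust only the CA cert from the OS image, verify the chain,
# then confirm the certificate is for the host we meant to talk to.
def client_fetch(port, trusted_ca)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = store
  sock = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.hostname = HOST
  ssl.sync_close = true
  ssl.connect                        # raises if the chain does not lead to trusted_ca
  ssl.post_connection_check(HOST)    # raises if the cert is not for HOST
  line = ssl.gets.to_s.strip
  ssl.close
  [:ok, line]
rescue OpenSSL::SSL::SSLError => e
  sock&.close
  [:rejected, e.message]
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  image_ca = make_cert('/CN=Puppet CA', ca_key, ca: true) # shipped on the OS image
  srv_key = OpenSSL::PKey::RSA.new(2048)
  srv_cert = make_cert("/CN=#{HOST}", srv_key, issuer_cert: image_ca, issuer_key: ca_key)

  # Impostor: identical names, but signed by a CA the image does not trust.
  rogue_ca_key = OpenSSL::PKey::RSA.new(2048)
  rogue_ca = make_cert('/CN=Puppet CA', rogue_ca_key, ca: true)
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue_cert = make_cert("/CN=#{HOST}", rogue_key, issuer_cert: rogue_ca, issuer_key: rogue_ca_key)

  results = {}
  { genuine: [srv_cert, srv_key], impostor: [rogue_cert, rogue_key] }.each do |name, (cert, key)|
    port, thread, tcp = run_tls_server(cert, key)
    results[name] = client_fetch(port, image_ca)
    thread.join(5)
    tcp.close
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (status, detail)| puts "#{name}: #{status} (#{detail})" }
end
```

The genuine server yields `[:ok, "hello from puppetmaster"]`; the impostor yields `[:rejected, ...]` with a verification error, because trust is anchored in the CA certificate already on the client rather than in DNS or in anything the server sends during bootstrap.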
