Re: Puppet Bootstrapping

On Wed, 2006-08-30 at 13:16 -0600, Jeffrey Law wrote:
> On Wed, 2006-08-30 at 14:18 +0100, Mark McLoughlin wrote:

> > 	What happens on networks where clients aren't necessarily assigned
> > hostnames?
> Then we're hosed.   But I'm very comfortable setting a policy that for
> stateless you need hostnames in DNS.

	I'm not ... because I don't have that here, and I'm sure I wouldn't be
unusual in that.

>   Stuff other than puppet already depends on this.

	Like ... ?

	My point was, though, that this dependency on consistent DNS is
unnecessary for what you're trying to achieve. The SubjectName in the
temporary cert is really useful.

> But I don't see *any* way to deal with MITM attacks in a system
> where the private keys have to be moved between the server and
> a client.

	The client should authenticate the server.

	e.g. in your scheme, the puppet CA cert would be on the OS image and
the client uses that to authenticate the server.

Cheers,
Mark.
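The check Mark describes above, as an added example that is not part of the original thread: the client trusts only a CA certificate that shipped on the OS image, so a server certificate that does not chain to that CA is rejected even if it carries the expected name. It assumes the openssl command-line tool is available; every key and certificate below is throwaway material constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppet.
# Models the client-side step: verify the server's cert against the
# CA cert that was baked into the OS image, independent of DNS.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The CA that lives on the OS image (constructed, self-signed).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=puppet-ca.example" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. The genuine server's certificate, issued by that CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=puppet.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -sha256 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1

# 3. What an interposed host could present: the same CN, but self-signed,
#    because it never had the image CA's private key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=puppet.example" \
    -keyout "$WORK/mitm.key" -out "$WORK/mitm.pem" >/dev/null 2>&1

# client_accepts <cert.pem>: succeeds only if the presented certificate
# chains to the CA shipped on the image. A matching name alone is not enough.
client_accepts() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}
```

In the real bootstrap the same CA file would be the value handed to the agent's TLS library as its trust store, with no other roots installed.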
