Re: Puppet Bootstrapping
On Thu, 2006-08-31 at 10:32 -0600, Jeffrey Law wrote:
> By distributing the puppet CA cert in the OS image we get the
> end-to-end secured channel.

Right, or if you were doing something similar with SSH, the OS image would contain the server's host key fingerprint in known_hosts.

> The weak link at this point becomes dhcp/tftp. Mr. bad guy
> would need to attack that point so that he could serve a
> different OS image with a different CA cert. If successful
> mr. bad guy could then run a successful MITM and give the
> client/victim bogus ssh keys. I'm not immediately aware of
> anyone that's looked at hardening dhcp/tftp.

Yep, the only real solution to that would be that you'd do the initial bootstrapping by booting a CD containing the OS image.

Cheers, Mark.
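The two pinning checks the thread relies on, written out as an added example that is not part of the original message or of Puppet itself: a bootstrapping client comparing a CA cert it receives against the fingerprint baked into the OS image, and the SSH analogue of comparing a known_hosts entry against a pinned host-key fingerprint. The certificate and key bytes, the hostname and the function names are all constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample trust anchors for the demo: not a real cert or key, just
# stand-in bytes for the DER-encoded puppet CA cert and an SSH host-key blob.
FAKE_CA_DER = b"constructed-puppet-ca-certificate-bytes"
FAKE_HOSTKEY_BLOB = b"constructed-ssh-host-key-blob"
# A constructed known_hosts line in the usual "host keytype base64-key" form.
KNOWN_HOSTS_LINE = "puppet.example.internal ssh-rsa " + \
    base64.b64encode(FAKE_HOSTKEY_BLOB).decode()


def pin_for_image(der: bytes) -> str:
    """Fingerprint the image builder bakes in: SHA-256 of the DER cert, hex."""
    return hashlib.sha256(der).hexdigest()


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (what the client would receive on the wire)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + \
        "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes it wraps."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def ca_cert_matches_pin(pem: str, pinned_sha256_hex: str) -> bool:
    """Accept the received CA cert only if it hashes to the pinned fingerprint."""
    actual = hashlib.sha256(pem_to_der(pem)).hexdigest()
    expected = pinned_sha256_hex.lower().replace(":", "")
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def ssh_fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entry_matches(line: str, expected_fingerprint: str) -> bool:
    """Parse one known_hosts line and check its key against the pinned fingerprint."""
    parts = line.split()
    if len(parts) < 3:
        return False
    return hmac.compare_digest(ssh_fingerprint(base64.b64decode(parts[2])),
                               expected_fingerprint)
```

Both checks only move the trust decision to whatever produced the pin, which is exactly why the thread ends up at the integrity of the image itself.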