On Wed, 2006-08-30 at 14:18 +0100, Mark McLoughlin wrote:
> A cert certifies that if a client can prove that it has access to the
> associated private key, then you can trust that it is the host named in
> the SubjectName.
>
> What happens on networks where clients aren't necessarily assigned
> hostnames?
Puppet doesn't really require that the hostname in the cert corresponds
to anything in DNS or the like. I've successfully used puppet from
client A with client B's cert, and the server does act as if client B
had connected.

It would be wise in general to have cert subject == DNS name, but it's
not essential. Anything besides the hostname for a client is taken from
'facts' that the client sends to the server, including IP address.

For security purposes, the important point is that the puppet manifest
identifies clients by the hostname and not by some other attribute, like
IP, which is easy to spoof for the client.

David