Channel: Ask Puppet: Puppet DevOps Q&A Community - RSS feed

Can one impersonate any node by changing the hostname and keeping the certificate?

Hi all, I don't know if it's a bug or a feature, so I'll just ask. I have a Puppet master run by Passenger. The configuration is populated from Hiera, /etc/puppet/hiera.yaml:

    ---
    :backends:
      - yaml
    :yaml:
      :datadir: /etc/puppet/hieradata
    :hierarchy:
      - "%{::environment}/%{::fqdn}"

The node was already granted access (certificate signed) by the Puppet master, and "certname=goodnode" is written in the node configuration. Autosigning is disabled; I sign every new node manually on the master (puppet cert sign).

Today I was playing with the node and changed the hostname. Previously "goodnode", I set it to "badnode", but I left "goodnode" as the certname in the configuration (/etc/puppet/puppet.conf). "badnode" was an existing node in the Hiera configuration; it is just another node managed by the same master. After the change, the Puppet agent on "goodnode" retrieved the "badnode" configuration, without any discussion.

What? Is this expected behavior? Wasn't the master supposed to check that the FQDN is correct (checking that the Common Name of the certificate and the FQDN match) before dumping all the configuration (and secrets) to the node? In my case, it means that if an attacker gets access to ANY node, they can then become a rogue node and download the configuration of ANY other node, just by changing the hostname and keeping the certificate!

Is there a way to enforce a check on the certificate CN on the master? Is the "%{::fqdn}" fact safe for use in the Hiera configuration? Thanks in advance for your hints.

EDIT: I replaced the fqdn fact with %{::trusted.certname} as the doc suggests, but now the nodes aren't provisioning; the syslog on the master says: "TrustedInformation expected a certificate, but none was given." It must be giving a certificate, otherwise I would not have been able to sign it in the first place, right? What am I doing wrong?
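As an added illustration (not code from the question or from Puppet itself), a small Python model of the two hierarchy keys the question contrasts: the agent-supplied fqdn fact against the certificate-derived trusted certname. The interpolation, the in-memory data directory and the fact_matches_certificate check are constructed for this example and simplify real Hiera.

```python
import re

# Constructed sample data modelling the question's setup: the agent presents a
# certificate whose CN is "goodnode", but its hostname (and hence the fqdn fact
# it reports) has been changed to "badnode".
AGENT_FACTS = {"environment": "production", "fqdn": "badnode"}
TRUSTED = {"certname": "goodnode"}  # derived by the master from the client certificate

# In-memory stand-in for /etc/puppet/hieradata (constructed, not real data).
DATADIR = {
    "production/goodnode.yaml": {"role": "web", "secret": "goodnode-secret"},
    "production/badnode.yaml": {"role": "db", "secret": "badnode-secret"},
}

HIERARCHY_FACT_KEYED = "%{::environment}/%{::fqdn}"              # as in the question
HIERARCHY_CERT_KEYED = "%{::environment}/%{::trusted.certname}"  # what the docs suggest


def interpolate(template, facts, trusted):
    """Resolve %{...} tokens in a hierarchy entry (simplified Hiera interpolation).
    ::trusted.<key> comes from the master-side trusted hash (certificate data);
    any other key is an agent-supplied fact and therefore under the agent's control."""
    def lookup(match):
        key = match.group(1).lstrip(":")
        if key.startswith("trusted."):
            return trusted[key.split(".", 1)[1]]
        return facts[key]
    return re.sub(r"%\{([^}]+)\}", lookup, template)


def resolve_node_data(template, facts, trusted, datadir=DATADIR):
    """Return the data the master would hand out for this hierarchy entry."""
    return datadir.get(interpolate(template, facts, trusted) + ".yaml")


def fact_matches_certificate(facts, trusted):
    """Master-side consistency check: the reported fqdn must equal the certificate CN.
    A mismatch is worth rejecting, or at least alerting on, whatever the hierarchy uses."""
    return facts.get("fqdn") == trusted.get("certname")


if __name__ == "__main__":
    # Fact-keyed lookup follows the spoofable hostname; cert-keyed lookup follows the CN.
    print("fact-keyed :", resolve_node_data(HIERARCHY_FACT_KEYED, AGENT_FACTS, TRUSTED))
    print("cert-keyed :", resolve_node_data(HIERARCHY_CERT_KEYED, AGENT_FACTS, TRUSTED))
    print("fqdn matches CN:", fact_matches_certificate(AGENT_FACTS, TRUSTED))
```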
