Fedora Infrastructure IRC Meeting Log from 2007-07-26

David Lutterkort dlutter at redhat.com
Sat Jul 28 01:15:53 UTC 2007

On Thu, 2007-07-26 at 16:01 -0500, Jeffrey C. Ollie wrote:
> [15:30] mmcgrath: the problem is opening up access but still keeping some of the passwords/keys secure.
> [15:30] mmcgrath: like the web guys don't need access to the buildserver keys.
> [15:30] mmcgrath: and the build guys don't need the fedoraproject.org ssl key.
> [15:30] mmcgrath: that sort of thing

Not sure if you guys know that or not (or if that applies to what you
guys discussed): puppet lets you define filserver modules that are per
node by putting something like

        path /some/path/%h
        allow allow
in your fileserver.conf [1] for sensitive per-node data.

When a client now requests 'puppet://server/private/ssh_host_dsa_key'
the fileserver looks for /some/path/CLIENT/ssh_host_dsa_key where CLIENT
is the host name taken from the client's SSL cert's subject [2] - in
other words, even though the fileserve in general is open to any client
with an acceptable SSL cert, to get at files in such a private module,
you must break that client's SSL cert, or find some other way to own a
cert with that client's host name as the subject.


[1] http://reductivelabs.com/trac/puppet/wiki/FileServingConfiguration
    look for %h and %H

[2] Make sure that node_name in the puppetmaster's config file is set to
    'cert' - but that's the default anyway. 
    (see http://reductivelabs.com/trac/puppet/wiki/ConfigurationReference)

More information about the Fedora-infrastructure-list mailing list