FWIW, two thoughts on this: 1) Tunnel over SSH or VPN. 2) Is it feasible to *not* use a puppetmaster for this, and rather have something on the laptops (cronjob? small daemon?) that pulls down your config repository and runs masterless puppet locally?
-Jason On Wed, Jun 18, 2014 at 10:40 AM, Neil - Puppet List < maillist-pup...@iamafreeman.com> wrote: > Hi > > Running puppet on port 443 might be a good move if you expect your laptops > to be using cafe hotel airport style wifi > > sslh might be a suitable tool to proxy for puppet I've not tried it though. > > Regards > > Neil > On 18 Jun 2014 14:30, "jcbollinger" <john.bollin...@stjude.org> wrote: > >> >> >> On Tuesday, June 17, 2014 12:19:08 PM UTC-5, jmp242 wrote: >>> >>> I probably don't really understand much about how puppet connects to the >>> clients, but is there a big security risk about opening it up to the >>> internet so laptops can get their configuration... If it's "safe enough" >>> for any value of safe, what ports does it use? >>> >>> Thanks, >>> >> >> >> In normal operation, Puppet (the master) *doesn't* connect to clients >> -- the clients connect to it (on port 8140), thereby establishing a two-way >> communication channel. >> >> Client-side firewalls need to allow outgoing traffic to that port, and >> accept incoming traffic belonging to an established connection to that >> port. Those permissions can be narrowed to specific destination networks >> or machines, if needed. For its part, the master needs to accept >> connections on port 8140 from all client machines; that can be narrowed to >> traffic originating on specific networks, if you wish. >> >> Each end of the conversation between agent and master authenticates to >> the other via SSL certificate. Spencer understated the security there: on >> the web, most SSL connections are authenticated only on one end, so >> Puppet's communications are even better secured. >> >> With that said, if you want laptops in the field to be able to retrieve >> their configuration, then you have the alternative of requiring them to >> establish a VPN connection to your internal network in order to do so >> (especially if users will want / need to use VPN anyway), or of just >> letting them go without syncing until they return home. The Puppet service >> itself is pretty well secured, but allowing connections from anywhere on >> the internet increases your exposure to network-level attacks. >> >> >> John >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Puppet Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to puppet-users+unsubscr...@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/puppet-users/e0d19ab8-de5e-4205-b774-b37b1b595643%40googlegroups.com >> <https://groups.google.com/d/msgid/puppet-users/e0d19ab8-de5e-4205-b774-b37b1b595643%40googlegroups.com?utm_medium=email&utm_source=footer> >> . >> For more options, visit https://groups.google.com/d/optout. >> > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to puppet-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/puppet-users/CAAohVBfNtx6igp__7Koivb18r_onQ0A0BUZeMpVyeTct1%2B-s8w%40mail.gmail.com > <https://groups.google.com/d/msgid/puppet-users/CAAohVBfNtx6igp__7Koivb18r_onQ0A0BUZeMpVyeTct1%2B-s8w%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAFt4V4%3DQfYtyA1pMu6AKtW7jf9D9r9yANsKT1-uE05tHBqw4jQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
