Hi! Not long ago we started using MCollective to trigger Puppet runs and execute maintenance shell commands on our servers. Everything looks good so far. But I'm concerned about MC security model.
For the middleware we are using RabbitMQ. We authenticate MCollective servers against RabbitMQ with username/password pair. Also we have Stunnel for middleware SSL termination. We use Puppet CA signed certificates to verify MCollective servers. However I noticed that an attacker can easily change a hostname on a compromised server. And after that the server will get registered with that hostname. When I execute mco find I see it displayed with the hostname that was recently set. And the hostname can be equal to any of the existing servers. That means that if I execute a shell command via mco shell run -I "/existinghostnamemask/" "command" it will be also executed on the compromised server. The server can get sensitive data that it is not supposed to have. I hope I explained everything correctly :) So my question is - is there a way to avoid situations like the one I described? For example if I use SSH to connect to a host, I get its public key, and if the host changes, I receive an error. But probably there is something like this for MCollective? Thanks! Regards, Sergey -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/856E0B90-FE48-43EE-96EA-6378867B4DBA%40gmail.com. For more options, visit https://groups.google.com/d/optout.
