Re: [Puppet Users] MCollective security

Fri, 07 Sep 2018 02:17:15 -0700 


On Fri, 7 Sep 2018, at 10:58, Sergey Arlashin wrote:
> Hi! 
> 
> Not long ago we started using MCollective to trigger Puppet runs and 
> execute maintenance shell commands on our servers. Everything looks good 
> so far. But I'm concerned about MC security model. 
> 
> For the middleware we are using RabbitMQ. We authenticate MCollective 
> servers against RabbitMQ with username/password pair. Also we have 
> Stunnel for middleware SSL termination. We use Puppet CA signed 
> certificates to verify MCollective servers. 
> 
> However I noticed that an attacker can easily change a hostname on a 
> compromised server. And after that the server will get registered with 
> that hostname. When I execute 
> 
> mco find 
> 
> I see it displayed with the hostname that was recently set. And the 
> hostname can be equal to any of the existing servers.
> 
> That means that if I execute a shell command via 
> 
> mco shell run -I "/existinghostnamemask/" "command" 
> 
> it will be also executed on the compromised server. The server can get 
> sensitive data that it is not supposed to have.
> 
> I hope I explained everything correctly :) 
> 
> So my question is - is there a way to avoid situations like the one I 
> described? For example if I use SSH to connect to a host, I get its 
> public key, and if the host changes, I receive an error. But probably 
> there is something like this for MCollective? 

You should use choria.io to deploy mcollective, mcollective as you deployed do 
have ways to restrict access and harden the security model - but its a LOT of 
work to setup.

Choria does all of this for you, nodes use their puppet certificates.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/1536311776.908972.1499976648.3FEAE11E%40webmail.messagingengine.com.
For more options, visit https://groups.google.com/d/optout.






















					Reply via email to