diff --git a/documentation/documentation/security.page b/documentation/documentation/security.page index 389bd8243..e3680686d 100644 --- a/documentation/documentation/security.page +++ b/documentation/documentation/security.page 
@@ -1,76 +1,98 @@ --- inMenu: true orderInfo: 10 --- # Overview Puppet relies on standards wherever possible. In the case of security, it uses standard SSL certificates for client and server verification. Because of the cost of buying signed certificates for every client and the complexity of managing your own certificate authority (CA), Puppet includes its own CA. This CA has been optimized for use with Puppet but could also be used to generate certificates for other purposes. The primary goal in certificate management within Puppet has been to keep it simple, and wherever possible to not make it even noticeable. # Certificates ## Authentication Certificates are the only method of authentication -- if a client's certificate can be verified using standard SSL verification mechanisms, then it is considered authenticated. ## Client Certificate Generation The Puppet server, ``puppetmasterd``, is normally also the CA. Clients who do not yet have signed certificates will automatically generate a key pair and a certificate request, and then will connect to the server and provide it with the certificate request. If the server has ``autosign`` turned on (which is not necessarily recommended), then the autosign configuration file (which defaults to ``/etc/puppet/autosign.conf``) is checked for whether the client's name matches any contents. For instance, take the following configuration file: hostname.domain.com *.secure.domain.com This configuration would autosign certificate requests for ``hostname.domain.com`` and any hosts coming from ``*.secure.domain.com``. This configuration file is read each time a signature is asked for, so changes to it can be short-lived and will be immediately noticed. # Server-Side Certificate Management In the normal case, certificate auto-signing will be disabled. In these cases, certificates will have to be signed using the ``puppetca`` utility. 
Prior to the 1.0 release it is expected that there will be email notification of certificate requests waiting to be signed, but for now either the logs must be watched or ``puppetca --list`` can be used list waiting requests. Once a request arrives, ``puppetca --sign `` can be used to sign the request. Adding the ``--all`` flag will sign all outstanding requests. A list of all certificates ever issued by Puppet's CA can be found in the file ``$cadir/inventory.txt``. All certificate files for a given host can be removed (for rebuilding hosts, for instance) with ``puppetca --clean ``. Certificates, once issued, can be revoked with ``puppetca --revoke ``. The server consults the certificate revocation list (CRL) every time a client tries to connect to the server; for revocations to take effect, the server must be restarted after the certificate revocation with ``puppetca``. # Access and Authorization Puppet currently has few network functions, so security has so far been treated by them individually. It is expected that there will be some system-wide security hooks prior to the 1.0 release, but the certificate authentication already provides significant security. Recommendations on approaches are heartily recommended. +# Examples + +To introduce a client machine to the puppet server, first run puppetd on +the client with the `waitforcert` parameter: + + $ puppetd --waitforcert 30 --server puppetserver.domain.net -v + +The client will request a certificate from the certificate authority +facility on the server called `puppetserver.domain.net`. 
+ +Assuming that the machine `puppetserver` is not set to autosign any new +certificate requests (this is the default), you'll need to list the certificate +requests from the command line on the server with an invocation like this: + + $ puppetca --list + +You'll then be able to pick out the request by name (quite possibly, it will be the +only request waiting) and instruct the certificate authority to sign the request: + + $ puppetca --sign puppetclient-37.domain.net + + *$Id$*
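Review bot: the new Examples section walks the reader from `puppetca --list` straight to `puppetca --sign puppetclient-37.domain.net` without any step confirming that the listed request actually belongs to the machine they just ran `puppetd` on; since this document states that certificates are the only method of authentication, that signing step is the access decision itself and deserves a sentence such as "check that the name shown by `puppetca --list` is the host you expect before signing it, and sign by name rather than with `--all`". The example also never says what the `30` in `--waitforcert 30` means or what the client does once the request is signed, so the reader is left not knowing whether to rerun `puppetd`; one sentence closing the loop would finish the walkthrough. Minor: the server is `puppetserver.domain.net` in the command but `puppetserver` in the following paragraph, so use one name, and the trailing `*$Id$*` line reads as a stray keyword-expansion marker rather than documentation.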