Transient secrets
Robert Markula
robert at markula.org
Wed Jul 13 07:38:33 CEST 2022
We distribute secrets via configuration management (in our case, via
Cfengine).
During the first reboot after FAI the Cfengine client registers itself
to the Cfengine server and pulls its credentials from a dedicated part
of the repository. In Cfengine, it is possible to restrict the allowed
IP addresses for self-registration as well as for repository access.
Each host is assigned a dedicated host-specific "secure repository"
where all credentials are stored, to which other clients do not have access.
So when a host is about to be installed, the host's IP address is
manually enabled and immediately disabled after self-registration is
complete.
This system is far from bulletproof, with the highest risk being a race
condition during the self-registration phase of the client. All further
repository access is authenticated and encrypted.
With a clever combination of timing and faking the IP address of the
legitimate client, one could take advantage of this race condition. But
even then, this would attract attention, because the legitimate client
couldn't self-register anymore.
Another downside is that this system doesn't scale well. Credentials
have to be placed manually for all hosts and hosts have to be enabled
manually as well. We could write some kind of management interface to
further automate this, but with about 70 hosts that are not reinstalled
on a daily basis, there is simply no necessity for this.
Cheers,
Robert
On 07.07.22 at 08:12, Diego Zuccato wrote:
> Hi all.
>
> Is there a preferred way to pass a (different) secret to every host
> being installed?
>
> Something to implement a workflow like:
> - admin asks Salt to (re)install a host
> - salt handles shutdown and switch reconfiguration (OT)
> - salt tells FAIserver to enable install of given host
> - FAI generates the secret and passes it back to Salt (or Salt
> generates the secret and passes it to FAI, as long as there's a shared
> secret)
> - the host boots via network and installs as usual, saving/using the
> given secret
> - FAI (or the reinstalled host) tells Salt reinstall is complete and
> Salt "cleans up" (reconfig switches & so on) (OT)
>
> The only "solution" I could find is to save the secret in
> /srv/tftp/fai/pxelinux.cfg/C0A8xxyy in append line, like FAI_FLAGS,
> FAI_CONFIG_SRC and FAI_ACTION, but since append line can be at most
> 255 chars there's not much space... It's good just for very small
> "secrets" (that gets transferred in the clear, hence the need to
> reconfigure the switches).
>
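An added example, not part of either post: a Python sketch of the per-host pxelinux.cfg approach from the quoted question, which derives the hex file name for a host (the C0A8xxyy form) and checks that a fresh random token still fits on the append line. The 255-character limit is taken from the post as given; the variable name FAI_SECRET, the sample IP and the sample append line are hypothetical, constructed values.

```python
import ipaddress
import secrets

APPEND_LIMIT = 255  # limit quoted in the post; taken as given here


def pxelinux_name(ip: str) -> str:
    """pxelinux.cfg file name for an IPv4 host: upper-case hex of the address."""
    return ipaddress.IPv4Address(ip).packed.hex().upper()


def secret_budget(base_append: str, key: str) -> int:
    """Characters left for the value once ' key=' is added to the line."""
    return APPEND_LIMIT - len(base_append) - len(f" {key}=")


def append_with_secret(base_append: str, key: str = "FAI_SECRET",
                       min_bits: int = 128, max_bytes: int = 32) -> str:
    """Return base_append plus a fresh random token that fits the limit.

    FAI_SECRET is a hypothetical parameter name, not an FAI variable.
    """
    budget = secret_budget(base_append, key)
    # URL-safe base64 without padding needs ceil(4n/3) characters for n bytes,
    # so the largest n that fits in `budget` characters is floor(3*budget/4).
    nbytes = min(max_bytes, max(0, budget * 3 // 4))
    if nbytes * 8 < min_bits:
        raise ValueError(f"only {max(budget, 0)} chars left, "
                         f"cannot carry {min_bits} bits")
    line = f"{base_append} {key}={secrets.token_urlsafe(nbytes)}"
    assert len(line) <= APPEND_LIMIT
    return line


# Constructed sample values, not taken from the post.
SAMPLE_IP = "192.168.1.2"
SAMPLE_APPEND = ("initrd=initrd.img ip=dhcp FAI_FLAGS=verbose,sshd "
                 "FAI_CONFIG_SRC=nfs://faiserver/srv/fai/config "
                 "FAI_ACTION=install")

if __name__ == "__main__":
    print("/srv/tftp/fai/pxelinux.cfg/" + pxelinux_name(SAMPLE_IP))
    print(append_with_secret(SAMPLE_APPEND))
```

A token placed this way is readable by anything that can fetch the file over TFTP, so it only suits a short-lived, single-use value that is invalidated once the install completes.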