Transient secrets

Robert Markula robert at markula.org
Wed Jul 13 07:38:33 CEST 2022


We distribute secrets via configuration management (in our case, via 
Cfengine).

During the first reboot after FAI the Cfengine client registers itself 
with the Cfengine server and pulls its credentials from a dedicated part 
of the repository. In Cfengine, it is possible to restrict the allowed 
IP addresses for self-registration as well as for repository access. 
Each host is assigned a dedicated host-specific "secure repository" 
where all credentials are stored, to which other clients do not have access.

So when a host is about to be installed, the host's IP address is 
manually enabled and immediately disabled after self-registration is 
complete.

This system is far from bulletproof, with the highest risk being a race 
condition during the self-registration phase of the client. All further 
repository access is authenticated and encrypted.

With a clever combination of timing and faking the IP address of the 
legitimate client, one could take advantage of this race condition. But 
even then, this would attract attention, because the legitimate client 
couldn't self-register anymore.

Another downside is that this system doesn't scale well. Credentials 
have to be placed manually for all hosts and hosts have to be enabled 
manually as well. We could write some kind of management interface to 
further automate this, but with about 70 hosts that are not reinstalled 
on a daily basis, there is simply no necessity for this.

Cheers,


Robert



On 07.07.22 at 08:12, Diego Zuccato wrote:
> Hi all.
>
> Is there a preferred way to pass a (different) secret to every host 
> being installed?
>
> Something to implement a workflow like:
> - admin asks Salt to (re)install a host
> - salt handles shutdown and switch reconfiguration (OT)
> - salt tells FAIserver to enable install of given host
> - FAI generates the secret and passes it back to Salt (or Salt 
> generates the secret and passes it to FAI, as long as there's a shared 
> secret)
> - the host boots via network and installs as usual, saving/using the 
> given secret
> - FAI (or the reinstalled host) tells Salt reinstall is complete and 
> Salt "cleans up" (reconfig switches & so on) (OT)
>
> The only "solution" I could find is to save the secret in 
> /srv/tftp/fai/pxelinux.cfg/C0A8xxyy in append line, like FAI_FLAGS, 
> FAI_CONFIG_SRC and FAI_ACTION, but since append line can be at most 
> 255 chars there's not much space... It's good just for very small 
> "secrets" (that get transferred in the clear, hence the need to 
> reconfigure the switches).
>
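
An added example, not part of either post and not Cfengine's own code or log format: a check over registration events for the symptom described in the reply above, where a key is accepted for a host's IP address during its enrollment window and a client with a different key is then turned away. The `Attempt` and `Window` records, their field names and all sample values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:            # one self-registration attempt seen by the server
    ts: int               # time of the attempt, in seconds
    ip: str               # source address of the client
    key_fp: str           # fingerprint of the public key it presented
    accepted: bool        # whether the server trusted that key

@dataclass(frozen=True)
class Window:             # period during which an admin enabled the address
    host: str
    ip: str
    opened: int
    closed: int

def review_window(win, attempts):
    """Return a list of findings for one enrollment window."""
    mine = sorted((a for a in attempts if a.ip == win.ip), key=lambda a: a.ts)
    accepted = [a for a in mine if a.accepted and win.opened <= a.ts <= win.closed]
    if not accepted:
        return ["no key registered while window was open"]
    findings = []
    bound = accepted[0].key_fp          # the key that took the slot
    if len({a.key_fp for a in accepted}) > 1:
        findings.append("more than one key accepted in the same window")
    # Symptom from the post: a client using this address presents another
    # key and is refused, i.e. someone could not self-register any more.
    others = {a.key_fp for a in mine
              if a.ts >= win.opened and not a.accepted and a.key_fp != bound}
    if others:
        findings.append(f"rejected registration from {win.ip} "
                        f"with different key(s): {sorted(others)}")
    return findings

# Constructed sample data; not real server output.
WINDOWS = [Window("web01", "192.0.2.17", 1000, 1060),
           Window("db01", "192.0.2.23", 2000, 2100)]
ATTEMPTS = [
    Attempt(1042, "192.0.2.17", "fp-aaaa", True),    # first key takes the slot
    Attempt(1190, "192.0.2.17", "fp-bbbb", False),   # second party, same address
    Attempt(2075, "192.0.2.23", "fp-cccc", True),    # clean enrollment
]

def report():
    return {w.host: review_window(w, ATTEMPTS) for w in WINDOWS}

if __name__ == "__main__":
    for host, findings in report().items():
        print(host, findings or "ok")
```

A finding for a host means the key bound during its window should be verified out of band against the key on the installed machine before any credentials are left in that host's repository.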


