On Fri, 7 Sep 2018, at 10:58, Sergey Arlashin wrote:
> Hi! 
> 
> Not long ago we started using MCollective to trigger Puppet runs and 
> execute maintenance shell commands on our servers. Everything looks good 
> so far. But I'm concerned about the MC security model. 
> 
> For the middleware we are using RabbitMQ. We authenticate MCollective 
> servers against RabbitMQ with username/password pair. Also we have 
> Stunnel for middleware SSL termination. We use Puppet CA signed 
> certificates to verify MCollective servers. 
> 
> However I noticed that an attacker can easily change a hostname on a 
> compromised server. And after that the server will get registered with 
> that hostname. When I execute 
> 
> mco find 
> 
> I see it displayed with the hostname that was recently set. And the 
> hostname can be equal to any of the existing servers.
> 
> That means that if I execute a shell command via 
> 
> mco shell run -I "/existinghostnamemask/" "command" 
> 
> it will also be executed on the compromised server. The server can get 
> sensitive data that it is not supposed to have.
> 
> I hope I explained everything correctly :) 
> 
> So my question is - is there a way to avoid situations like the one I 
> described? For example if I use SSH to connect to a host, I get its 
> public key, and if the host changes, I receive an error. But probably 
> there is something like this for MCollective? 

You should use choria.io to deploy mcollective. mcollective as you deployed it does 
have ways to restrict access and harden the security model - but it's a LOT of 
work to set up.

Choria does all of this for you, nodes use their puppet certificates.
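To make the difference between the two models concrete, here is an added illustration (not code from the thread, MCollective or Choria): a toy discovery step that applies an `-I` identity filter, once trusting the self-reported hostname and once requiring the identity to match the CN of the node's Puppet-CA-signed certificate. Node names and certificate CNs are constructed sample data.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    identity: str   # hostname the node registered with (set by the node itself)
    cert_cn: str    # CN of its Puppet-CA-signed client cert (issued, not chosen)


def match_identity_filter(identity: str, flt: str) -> bool:
    """MCollective-style -I filter: "/regex/" is a regex, otherwise exact match."""
    if len(flt) > 2 and flt.startswith("/") and flt.endswith("/"):
        return re.search(flt[1:-1], identity) is not None
    return identity == flt


def discover(nodes, flt: str, bind_to_cert: bool):
    """Return (accepted identities, rejected (identity, cn) pairs).

    With bind_to_cert=False the claimed hostname is trusted, so a node that
    renamed itself to an existing host is selected alongside the real one.
    With bind_to_cert=True a node is dropped when its claimed identity is
    not the CN the CA actually signed for it (assumed policy for illustration).
    """
    accepted, rejected = [], []
    for n in nodes:
        if bind_to_cert and n.identity != n.cert_cn:
            rejected.append((n.identity, n.cert_cn))  # worth alerting on
            continue
        if match_identity_filter(n.identity, flt):
            accepted.append(n.identity)
    return accepted, rejected


# Constructed sample fleet: the third entry is a host whose cert says
# web09 but which now reports the hostname of db01.
SAMPLE_NODES = [
    Node("db01.example", "db01.example"),
    Node("db02.example", "db02.example"),
    Node("db01.example", "web09.example"),
]

if __name__ == "__main__":
    print(discover(SAMPLE_NODES, "/^db0/", bind_to_cert=False))
    print(discover(SAMPLE_NODES, "/^db0/", bind_to_cert=True))
```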

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/1536311776.908972.1499976648.3FEAE11E%40webmail.messagingengine.com.