Feature #1617

autosign.conf should take IP/subnet specifications as well as hostnames

Added by Oliver Hookins over 4 years ago. Updated over 1 year ago.

Status: Accepted
Start date: 09/29/2008
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: SSL
Target version: -
Affected Puppet version: 0.24.5
Branch:
Keywords:

Description

Not really a duplicate of #1361, as that is adding completely different ACL functionality and only implicitly adding IP support.

I note there is actually a comment in lib/puppet/network/handler/ca.rb saying “# FIXME autosign? should probably accept both hostnames and IP addresses”

I agree!

History

#1 Updated by James Turnbull over 4 years ago

  • Category set to SSL
  • Status changed from Unreviewed to Needs More Information

Actually I think auto-signing might be broken. Every client I requested with nothing in autosign.conf was signed. Are you also seeing this behaviour?

#2 Updated by Oliver Hookins over 4 years ago

If I empty autosign.conf, new clients sit there waiting for the request to be signed, as I’d expect. So maybe it’s just you? ;)

#3 Updated by James Turnbull over 4 years ago

What’s autosign set to in puppet.conf?

Also have you tested IP addresses? Because they seem to work for me.

#4 Updated by Oliver Hookins over 4 years ago

[puppetmasterd]
        autosign = /etc/puppet/autosign.conf

I just tested an IP address but it didn’t work. I can’t see how it can work if the autosign? function only takes and is passed a hostname. Even if an IP address is in the AuthStore, the only thing that would be tested is a hostname. Matching subnets obviously is a whole different matter.

#5 Updated by Luke Kanies over 4 years ago

Duh, you’re right — the autosign.conf supports IP addresses, but the mechanism for checking authorization does not.

It looks like it should be straightforward enough to just add the IP to the autosign? prototype.
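
The gap discussed in comments #4 and #5, as an added example that is not Puppet's code or part of the original ticket: a hostname-only check next to a hypothetical two-argument autosign? that also tests the client IP against address and subnet entries. The helper names, the two-argument signature and the sample entries are assumptions made for illustration.

```ruby
require 'ipaddr'

# Constructed sample autosign.conf contents (not taken from the ticket).
SAMPLE_AUTOSIGN = <<~CONF
  *.example.com
  web01.internal.test
  192.0.2.10
  10.1.0.0/16
CONF

# Split entries into IP/subnet rules and hostname patterns.
def parse_autosign(text)
  rules = { nets: [], names: [] }
  text.each_line do |line|
    entry = line.strip
    next if entry.empty?
    begin
      rules[:nets] << IPAddr.new(entry)   # accepts "a.b.c.d" and "a.b.c.d/len"
    rescue IPAddr::Error
      rules[:names] << entry.downcase     # anything else is a hostname pattern
    end
  end
  rules
end

# Exact match, or a leading "*." wildcard covering subdomains.
def name_match?(pattern, hostname)
  host = hostname.downcase
  return host == pattern unless pattern.start_with?('*.')
  suffix = pattern[1..-1]
  host.length > suffix.length && host.end_with?(suffix)
end

# Behaviour described in the thread: only the hostname is tested, so IP
# entries in the file can never match.
def hostname_only_autosign?(rules, hostname)
  rules[:names].any? { |p| name_match?(p, hostname) }
end

# Hypothetical two-argument form: hostname or client IP may match.
def autosign?(rules, hostname, ip)
  return true if hostname_only_autosign?(rules, hostname)
  addr = IPAddr.new(ip)
  rules[:nets].any? { |net| net.include?(addr) }
rescue IPAddr::Error
  false   # unparseable client address never matches
end
```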

#6 Updated by James Turnbull over 4 years ago

  • Status changed from Needs More Information to Accepted
  • Assignee set to Puppet Community
  • Target version set to 4

#7 Updated by James Turnbull about 4 years ago

  • Assignee deleted (Puppet Community)

#8 Updated by James Turnbull almost 2 years ago

  • Target version deleted (4)
