Jira (PUP-9466) Readd password protected private key support


Josh Cooper (JIRA)

Jan 24, 2019, 8:47:03 PM
to puppe...@googlegroups.com
Josh Cooper created an issue
Puppet / New Feature PUP-9466
Readd password protected private key support
Issue Type: New Feature
Assignee: Unassigned
Created: 2019/01/24 5:46 PM
Priority: Normal
Reporter: Josh Cooper

If passfile exists when puppet starts for the first time, then it will encrypt its private key using 3DES-CBC. However, the current implementation is a bit dubious. If puppet tries to load an encrypted private key and the passfile does not exist, then ruby will hang due to openssl prompting for the password. Ruby uses the legacy PEM_write_* methods that only use 1 iteration. Per https://www.openssl.org/docs/man1.0.2/crypto/pem.html "The encryption key is determined using EVP_BytesToKey(), using salt and an iteration count of 1" and https://github.com/ruby/openssl/issues/13. Also puppetserver does not support password protected private keys, so it can't be enabled on server hosts.

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Josh Cooper (JIRA)

May 2, 2019, 12:39:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Coremunity Grooming

Josh Cooper (JIRA)

May 2, 2019, 12:43:05 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 6.5.0

Josh Cooper (JIRA)

May 2, 2019, 5:26:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Coremunity Grooming -> Platform Core KANBAN

Josh Cooper (JIRA)

May 2, 2019, 5:27:01 PM
to puppe...@googlegroups.com
Josh Cooper assigned an issue to Josh Cooper
Change By: Josh Cooper
Assignee: Josh Cooper

Josh Cooper (JIRA)

May 2, 2019, 5:53:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes Summary: If the private key password file (Puppet[:passfile]) exists and the agent doesn't yet have a private key, it will generate a new one, and use the contents of the passfile to encrypt the private key on disk. The key will be encrypted using AES-128-CBC. If the agent already has an unencrypted private key, then no changes will occur.
Release Notes: Bug Fix

Josh Cooper (JIRA)

May 2, 2019, 5:54:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Issue Type: New Feature -> Bug

Josh Cooper (JIRA)

May 2, 2019, 5:54:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes Summary: If the private key password file (Puppet[:passfile]) exists and the agent doesn't yet have a private key, it will generate a new one, and use the contents of the passfile to encrypt the private key on disk. The key will be encrypted using AES-128-CBC. If the agent already has an unencrypted private key, then no changes will occur. Puppetserver does not currently support private key passwords, so this should only be enabled on agent-only nodes.
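The on-disk format that the issue description and the release notes above are talking about, shown as an added example that is not Puppet's or ruby/openssl's own code: Ruby's OpenSSL::PKey#export with a cipher writes a legacy OpenSSL PEM ("Proc-Type: 4,ENCRYPTED" plus a DEK-Info line), and OpenSSL derives the cipher key from the passphrase with EVP_BytesToKey using MD5, a single iteration, and the first 8 bytes of the DEK-Info IV as salt. The block re-implements that derivation so it can decrypt what export produced without OpenSSL's help, which makes the cost of a passphrase guess concrete (one MD5 per candidate), and it includes a loader that checks for the encryption header before loading so a missing passfile raises instead of reaching OpenSSL's interactive prompt. The passphrase, the candidate list and all function names are constructed for this example; the derivation details are those of OpenSSL's PEM_ASN1_write_bio.

```ruby
# Added example, not Puppet's or ruby/openssl's code. Re-implements the key
# derivation behind OpenSSL's legacy encrypted PEM so the weakness discussed in
# the issue (EVP_BytesToKey, MD5, iteration count 1) can be seen directly.
require 'openssl'

# EVP_BytesToKey(cipher, EVP_md5(), salt, pass, count), key bytes only, exactly
# as PEM_ASN1_write_bio calls it: salt is the first 8 bytes of the DEK-Info IV
# and count is 1. For AES-128 a single MD5 block already fills the key.
def legacy_pem_key(passphrase, salt, key_len, count = 1)
  out = ''.b
  prev = ''.b
  while out.bytesize < key_len
    digest = OpenSSL::Digest::MD5.digest(prev + passphrase.b + salt)
    (count - 1).times { digest = OpenSSL::Digest::MD5.digest(digest) }
    out << digest
    prev = digest
  end
  out.byteslice(0, key_len)
end

# Split a "Proc-Type: 4,ENCRYPTED" RSA PRIVATE KEY PEM into cipher name, IV and
# raw ciphertext. Line layout is the one OpenSSL's PEM writer emits.
def parse_legacy_encrypted_pem(pem)
  lines = pem.lines.map(&:chomp)
  raise ArgumentError, 'not an RSA PRIVATE KEY PEM' unless lines.first == '-----BEGIN RSA PRIVATE KEY-----'
  raise ArgumentError, 'key is not encrypted' unless lines[1] == 'Proc-Type: 4,ENCRYPTED'
  m = lines[2].match(/\ADEK-Info: ([^,]+),([0-9A-Fa-f]+)\z/)
  raise ArgumentError, 'missing DEK-Info header' unless m
  { cipher: m[1].downcase, iv: [m[2]].pack('H*'), ciphertext: lines[3...-1].join.unpack1('m') }
end

# Decrypt with our own KDF. Returns the PKCS#1 DER, or nil when the PKCS#7
# padding check fails, which is what a wrong passphrase almost always produces.
def decrypt_legacy_pem(pem, passphrase)
  parts = parse_legacy_encrypted_pem(pem)
  cipher = OpenSSL::Cipher.new(parts[:cipher])
  cipher.decrypt
  cipher.key = legacy_pem_key(passphrase, parts[:iv].byteslice(0, 8), cipher.key_len)
  cipher.iv = parts[:iv]
  cipher.update(parts[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Dictionary attack: one MD5 plus one CBC decryption per candidate, because the
# legacy format has no work factor. Returns the matching passphrase or nil.
def guess_passphrase(pem, candidates)
  candidates.find do |candidate|
    der = decrypt_legacy_pem(pem, candidate)
    next false unless der
    begin
      OpenSSL::PKey::RSA.new(der)
      true
    rescue OpenSSL::PKey::PKeyError
      false
    end
  end
end

# Loading with an explicit passphrase (or refusing up front) never reaches
# OpenSSL's default password callback, which prompts on the terminal and is
# why an agent hangs when its passfile has gone missing.
def load_private_key(pem, passphrase)
  encrypted = pem.include?('Proc-Type: 4,ENCRYPTED') || pem.include?('BEGIN ENCRYPTED PRIVATE KEY')
  if encrypted
    raise ArgumentError, 'private key is encrypted but no passfile contents were given' if passphrase.nil?
    OpenSSL::PKey::RSA.new(pem, passphrase)
  else
    OpenSSL::PKey::RSA.new(pem)
  end
end

# Generate a key, write it the way export does (AES-128-CBC, as in the release
# notes), and check the hand-rolled decryption against the original.
def demo(passphrase = 'correct horse battery staple')    # constructed passphrase
  key = OpenSSL::PKey::RSA.new(2048)
  pem = key.export(OpenSSL::Cipher.new('aes-128-cbc'), passphrase)
  recovered = OpenSSL::PKey::RSA.new(decrypt_legacy_pem(pem, passphrase))
  {
    pem: pem,
    header: pem.lines[2].chomp.split(',').first,          # "DEK-Info: AES-128-CBC"
    same_key: recovered.n == key.n,
    round_trip: load_private_key(pem, passphrase).n == key.n,
    guessed: guess_passphrase(pem, ['hunter2', 'puppet', passphrase])  # constructed list
  }
end

puts demo.reject { |k, _| k == :pem } if $PROGRAM_NAME == __FILE__
```

The same derivation applies to the 3DES-CBC output of earlier versions; only the cipher name in the DEK-Info line and the key length change. A DEK-Info check like the one in load_private_key is also the cheap way to confirm on a host that the passfile actually took effect, since an agent that already had an unencrypted key keeps it. Recent versions of the openssl gem (3.0 and later) additionally offer OpenSSL::PKey::PKey#private_to_pem(cipher, passphrase), which writes PKCS#8 with PBKDF2 rather than this legacy header format.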

Josh Cooper (JIRA)

May 2, 2019, 5:55:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-9466
Re: Readd password protected private key support

Some more context on why GCM doesn't seem to work for password protected private keys: https://github.com/openssl/openssl/issues/7720

Josh Cooper (JIRA)

May 10, 2019, 3:55:02 PM
to puppe...@googlegroups.com

Heston Hoffman (JIRA)

Jun 11, 2019, 7:10:04 PM
to puppe...@googlegroups.com
Heston Hoffman updated an issue
Puppet / Bug PUP-9466
Change By: Heston Hoffman
Labels: resolved-issue-added