MCollective security
25 views
Skip to first unread message
Sergey Arlashin
Sep 7, 2018, 4:58:34 AM9/7/18
to puppet...@googlegroups.com
Hi!
Not long ago we started using MCollective to trigger Puppet runs and execute maintenance shell commands on our servers. Everything looks good so far. But I'm concerned about MC security model.
For the middleware we are using RabbitMQ. We authenticate MCollective servers against RabbitMQ with username/password pair. Also we have Stunnel for middleware SSL termination. We use Puppet CA signed certificates to verify MCollective servers.
However I noticed that an attacker can easily change a hostname on a compromised server. And after that the server will get registered with that hostname. When I execute
mco find
I see it displayed with the hostname that was recently set. And the hostname can be equal to any of the existing servers.
That means that if I execute a shell command via
mco shell run -I "/existinghostnamemask/" "command"
it will be also executed on the compromised server. The server can get sensitive data that it is not supposed to have.
I hope I explained everything correctly :)
So my question is - is there a way to avoid situations like the one I described? For example if I use SSH to connect to a host, I get its public key, and if the host changes, I receive an error. But probably there is something like this for MCollective?
Thanks!
Regards,
Sergey
Not long ago we started using MCollective to trigger Puppet runs and execute maintenance shell commands on our servers. Everything looks good so far. But I'm concerned about MC security model.
For the middleware we are using RabbitMQ. We authenticate MCollective servers against RabbitMQ with username/password pair. Also we have Stunnel for middleware SSL termination. We use Puppet CA signed certificates to verify MCollective servers.
However I noticed that an attacker can easily change a hostname on a compromised server. And after that the server will get registered with that hostname. When I execute
mco find
I see it displayed with the hostname that was recently set. And the hostname can be equal to any of the existing servers.
That means that if I execute a shell command via
mco shell run -I "/existinghostnamemask/" "command"
it will be also executed on the compromised server. The server can get sensitive data that it is not supposed to have.
I hope I explained everything correctly :)
So my question is - is there a way to avoid situations like the one I described? For example if I use SSH to connect to a host, I get its public key, and if the host changes, I receive an error. But probably there is something like this for MCollective?
Thanks!
Regards,
Sergey
R.I.Pienaar
Sep 7, 2018, 5:16:23 AM9/7/18
to puppet...@googlegroups.com
Choria does all of this for you, nodes use their puppet certificates.
Reply all
Reply to author
Forward
0 new messages