Open puppet port(s) to the internet

[jmp242]

I probably don't really understand much about how puppet connects to the clients, but is there a big security risk about opening it up to the internet so laptops can get their configuration... If it's "safe enough" for any value of safe, what ports does it use?

Thanks,

[Spencer Krum]

It uses port 8140 and ssl. It is client cert authenticated. So, barring something like heartbleed, you're about as good as logging in to any website that uses ssl.

On Jun 17, 2014 10:19 AM, "jmp242" <jp1...@gmail.com> wrote:

I probably don't really understand much about how puppet connects to the clients, but is there a big security risk about opening it up to the internet so laptops can get their configuration... If it's "safe enough" for any value of safe, what ports does it use?

Thanks,

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/f85a67b5-96f2-4ffe-a655-5df3ea018ec0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[jcbollinger]

On Tuesday, June 17, 2014 12:19:08 PM UTC-5, jmp242 wrote:

I probably don't really understand much about how puppet connects to the clients, but is there a big security risk about opening it up to the internet so laptops can get their configuration... If it's "safe enough" for any value of safe, what ports does it use?

Thanks,

In normal operation, Puppet  (the master) doesn't connect to clients -- the clients connect to it (on port 8140), thereby establishing a two-way communication channel.

Client-side firewalls need to allow outgoing traffic to that port, and accept incoming traffic belonging to an established connection to that port.  Those permissions can be narrowed to specific destination networks or machines, if needed.  For its part, the master needs to accept connections on port 8140 from all client machines; that can be narrowed to traffic originating on specific networks, if you wish.

Each end of the conversation between agent and master authenticates to the other via SSL certificate.  Spencer understated the security there: on the web, most SSL connections are authenticated only on one end, so Puppet's communications are even better secured.

With that said, if you want laptops in the field to be able to retrieve their configuration, then you have the alternative of requiring them to establish a VPN connection to your internal network in order to do so (especially if users will want / need to use VPN anyway), or of just letting them go without syncing until they return home.  The Puppet service itself is pretty well secured, but allowing connections from anywhere on the internet increases your exposure to network-level attacks.


John

[Neil - Puppet List]

Hi

Running puppet on port 443 might be a good move if you expect your laptops to be using cafe hotel airport style wifi

sslh might be a suitable tool to proxy for puppet I've not tried it though.

Regards

Neil

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/e0d19ab8-de5e-4205-b774-b37b1b595643%40googlegroups.com.

[Jason Antman]

FWIW, two thoughts on this:

1) Tunnel over SSH or VPN.

2) Is it feasible to *not* use a puppetmaster for this, and rather have something on the laptops (cronjob? small daemon?) that pulls down your config repository and runs masterless puppet locally?

-Jason

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAAohVBfNtx6igp__7Koivb18r_onQ0A0BUZeMpVyeTct1%2B-s8w%40mail.gmail.com.