Shared Key Security Concerns...


ed.lane

May 20, 2013, 5:04:52 PM
to salt-...@googlegroups.com
In addition to the security concerns expressed here when using preseeded keys:

...are there additional security concerns we need to be aware of?

The use of identical shared keys for several minions has been proposed to avoid the necessity for deleting old keys after recycling a VM and then re-authenticating with the same saltmaster.

Specifically, we want to avoid any salt commands which could potentially go "minion-to-minion". We are less concerned with a spoofed minion having access to the saltmaster state tree than we are with a spoofed minion hijacking another minion that has an identical key.

Thanks,

-ed

Thomas S Hatch

May 22, 2013, 5:40:11 AM
to salt-...@googlegroups.com
I don't follow your concern, since a minion cannot access another minion except via the master. Also, using the same keys like you have stated is not recommended.

Thomas S. Hatch  |  Founder, CTO


5272 South College Drive, Suite 301 | Murray, UT 84123


--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

Ed Lane

May 22, 2013, 11:27:36 AM
to salt-...@googlegroups.com
Thomas,
This is what I thought (and hoped) when this question was originally put to me, but I was not able to speak authoritatively. I have been surprised in the past to find out Salt had some feature all along that I was unaware of.

*Your* response can certainly be considered authoritative. :)

Thanks!

-ed



