Can we set password to run salt command?


pankaj ghadge

Jul 1, 2015, 2:00:39 AM
to salt-...@googlegroups.com
Hi,

Just curious to know about this.

Can we provide security for running the salt command? Because if someone gets access to the salt master, then that person will be able to rule all the minions.
If we have this feature, then we can add a double layer of security to the salt master.

Do we have this kind of functionality?


Thanks.

Florian Ermisch

Jul 1, 2015, 2:26:55 AM
to salt-...@googlegroups.com

Hi Pankaj,

If an attacker gets root on your master, all master-side authentication can be circumvented anyway by changing the master's code.

For a secure solution you would need the minions to know a separate set of private keys, with one of which a command from the master would need to be signed.
These keys shouldn't reside on the master, so they're either on a smartcard/HSM or on the admin's system (available in a limited fashion via a forwarded SSH agent).
When the `salt` cmd is run, it then asks the smartcard or SSH agent to sign the cmd before it's forwarded to the minions.
If you don't define a whitelist of allowed unsigned commands (on the minion!), you wouldn't even be able to `test.ping` a minion.
Probably won't be fun to implement if you're not into this kinda thing…

Or you disable root login on your master, make sure nobody gets unlimited sudo, and all `salt` commands go through sudo. Or use "external authentication" (which I haven't looked into), but there, too, all bets would be off if someone gets root on your master.

Regards, Florian

pankaj ghadge

Jul 1, 2015, 6:17:56 AM
to salt-...@googlegroups.com, florian...@alumni.tu-berlin.de
Thanks for the reply.
Yes, you are right: if a hacker gets access to the master, he can disable such a feature by changing the master code.
I don't have any idea about smartcards/HSMs, so I will not prefer this for now.

For me external authentication would be a great thing to go with, but I don't know how sudo will work here if sudo user access gets compromised directly.

tim.h...@gmail.com

Jul 1, 2015, 7:32:52 AM
to salt-...@googlegroups.com
+1 for running salt cmds only via sudo (for auditing). Also, it's prudent to only permit SSH to, and sudo on, the master using 2FA. pam_oath or pam_auth_radius in your PAM stack, using tokens which support TOTP or HOTP, is a good, secure solution, easy to set up and inexpensive. We use YubiKeys, which make the experience not too painful ...

cheers
Tim

Florian Ermisch

Jul 1, 2015, 7:51:28 AM
to salt-...@googlegroups.com

You don't need sudo if salt can verify the credentials itself via external auth.
But if you use sudo, you can use two-factor authentication (like Tim wrote) to tighten up access to salt commands and also make compromising the accounts way more difficult.

Regards, Florian
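The "external authentication" Florian refers to is Salt's `external_auth` master setting. As an added example (not from anyone in the thread), the fragment below lets a PAM-authenticated Unix group run only a short list of functions against a limited set of minions, with everything not listed denied by default; the group name `saltops`, the user `alice` and the minion glob `web*` are assumptions.

```yaml
# /etc/salt/master (fragment). Added example, not from the thread.
# Assumptions: a Unix group "saltops" and a user "alice" exist on the
# master, and PAM is configured for them (a 2FA module such as pam_oath in
# the PAM stack applies here as well, since the pam backend calls PAM).
external_auth:
  pam:
    # A trailing "%" marks a group rather than a single user. Only the
    # functions listed under each minion target are allowed; anything
    # not listed is refused by the master.
    saltops%:
      - 'web*':            # minions the group may target
        - test.ping
        - state.apply
        - service.status
    # A single user with a broader grant, still limited to named modules.
    alice:
      - '*':
        - test.*
        - grains.items
```

Operators then run e.g. `salt -a pam 'web*' test.ping` and are prompted for their PAM credentials; a call outside their grant (another module, or a minion outside the glob) is rejected before publishing.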

pankaj ghadge

Jul 1, 2015, 9:16:51 AM
to salt-...@googlegroups.com, florian...@alumni.tu-berlin.de
Thanks for your advice and help :)