Many of us want our infrastructure as code to be portable and usable at will. However management tends to not like secrets (hot data like passwords) walking around.
Thoughts on how to best mitigate? Dueling vcs sources? Encrypted Chef data bags? Locked down CFEngine cfservd/cf-serverd?
Curious. Thanks.
NB: "No secrets in configuration management" is not what I'm after.
Perspective: You have tools that are running with root privileges and
can change any aspect of your system at will. Obsessing over the
method for storing your encryption keys is sort of a minor concern ;)
Having said that, the encryption issue is a "painful" one in general.
Not being self-serving here but I actually went through the exercise:
http://lusislog.blogspot.com/2010/12/chef-and-encrypted-data-bags.html
You can go as deep or shallow as you want but at some point, you've
got to have a key to decrypt the data. There's no easy answer. I'm
pretty happy with PSKs stored in a queryable endpoint. It's more
obfuscation than anything but it's better than storing a flatfile
around on disk.
--
John E. Vincent
http://about.me/lusis
What you're left with is a private key and userPassword that have
never left the host, and are completely unseen by human eyes, and a
public key that is query-able by anyone or any thing that can grok
LDAP.
So if you need to ship/store something on the host, just wrap it with
the public key and only that host's private key can decrypt it.
In the event of a compromise, revoke, redeploy which re-keys (and
re-issues) certs without human intervention.
Of course if your host get's rooted then any password (encrypted or
otherwise) should be treated as compromised; But there are some things
you just need to keep on the host because that's how the applications
pull them in.
We use these same certs for anything from SSL to IPSec (phase 1). and
they can be re-issued on a whim (90-days, 30 days, daily? no problem)
because you can just have the host log back into the LDAP
authenticated PKI infrastructure, and revoke, re-issue.
The same setup works for users for two-factor authentication. LDAP
doesn't care if you're meat or metal, just that your hashes match.
Regarding the OP, if folks are concerned about passwords laying around in a flat file, then I'd wager it's a legacy gut reaction. These folks accustom a service password being created and then baked into the infrastructure, never to be changed in fear of causing some remote system to stop working.
The right mindset, regardless of tools, is to consider rotating passwords every 3 months. Just this will cause a whole cascade of changes to your infrastructure so you can push passwords around or remove passwords. Centralized services removes the need to "move files" like the ldap system James talks about.
I've seen puppet push passwords, for better and worse. The key element is that any breach is only one cron cycle away from being closed. I don't think keeping passwords in SCM is a horrible idea as long as it's adequately guarded and you can quickly respond and change passwords, restart services and continue on.
What does adequately guarded mean, you ask? That depends on your environment. Highly secure environments will have many layers of defense to protect critical systems and domain isolation. For example, one business unit uses their own set of credentials and it isn't shared with other business units. One business unit may have fine grained access control at different layers while anther may just have a single root user/password combo for everything. It just depends on what they're securing and the value to the business.
I would also suggest that you rely on existing security controls (shadow passwords, ssh public keys, 2-way ssl) to transfer trust throughout your system.
-Noah
Noah Campbell
415-513-3545
noahca...@gmail.com
Interesting thoughts.
Its funny; I dealt with a similar issue at work just a couple of hours ago.
Our environment does not involve any tools like chef or puppet. However, we have a git repo containing data you would find in chef.
Also worth mentioning is that we are windows 2008 server (workgroup mode) only. All admin work is done using powershell/winrm and traditional SMB file sharing.
Some automation is performed using a Jenkins CI instance.
This leaves us with passwords in plain text in scripts run by Jenkins.
We are managing some passwords using tools like KeePass but those are no use in scripts.
So today I chosed to go for the master key path using PKCS. I put together a simple PowerShell module which lets you create file based "key rings" which therefore easily can be managed in our git repo. All that is needed to add or retrieve a set of credentials is that you have the certificate in cert:\CurrentUser\My.
The goal is to separate the encrypted passwords and the master key. That means the content in the config repo is just jibberish unless the certificate is available for the current user. Distribution of the master key to config servers and ops is no harder than sending the PFX file or storing it on a USB key..
Retrieving a key from a store (username/password pair) is simple as the builtin get-credential cmdlet, however credentials are identified by hostname+service.
GetCredential "fqdn" "service"
The directory (key store) does not reveal the fqdn nor service name.
This tool is about 100 rows of PS and have no dependencies. If someone has further interest in this I will make it public at github.
- Johan
Senior dev at RemoteX
I agree.
I really like James set up using LDAP but in our case we're on Windows and use independent servers in workgroup mode which means we only have local user accounts involved.
As an alternative to the current solution we've looked into different SSH servers to be able to use the same auth mechanism on both *nix and windows. However the available solutions added to much license cost and did not integrate with Powershell very well.
Stuck with SMB file sharing we cannot use key auth..
- Johan
Luke brings up some awesome points about the benefit of how Puppet's
server-side model does it. The only thing I would bring up is that you
STILL have "sensitive" information on the client. You'll never get
away from that sadly.
At a previous company, they actually implemented a really complex
hierarchical signing process of delegates. The topmost key was limited
to access by 3 people with, I think two more keys in the hierarchy.
With java apps you can do stuff like JNDI to keep sensitive
information outside of application code bases. In the end, though, the
sensitive information HAS to be accessible to the system that needs it
and the trick is really to minimize how much damage one compromised
system can cause. This is almost a no brainer with a CM tool.
I found that a simple split of inside VPN outside VPN made for easy division of secret management policy. Passwords were basically everywhere and folks were basically trusted to do the right thing. If they were not trusted their login was revoked. There was also limits that a particular business unit could could do to other business units.
This setup definitely favored rapid development and release. Not for everyone, but something worth considering.
Sent from my iPhone
There is a complete rewrite of pkild started to make pkild
decentralized (the one on github is the proof-of-concept) and should
be treated as PoC code. It actually started as a bash script that was
fired off by cfengine2 to generate the CA-tree, then converted to perl
(catalyst) to get some basic web functionality going, and then the
Websages crew converted our core network from cfengine2 to puppet, and
now we're trying to standardize our applications in ruby.
So it's messy, and the documentation is crap when it's not completely
absent. But the code works.