securing client to server connection via https / ssl

ldn...@gmail.com

Aug 6, 2014, 5:31:31 AM
to munki...@googlegroups.com
Firstly, thanks to Arjen for most excellent code and everyone here involved.

I have SSL working for the interface, but cannot quite work out how to secure the transport from the client to the server.

I can specify the https URL in the plist, but how do I provide the certificate?

Thanks.

jak



A.E. van Bochoven

Aug 7, 2014, 11:01:19 AM
to munki...@googlegroups.com
Do you want to use certificate based authentication? MR does not support that (at the moment). You can use passphrase authentication for the client.

-Arjen

ldn...@gmail.com

Aug 7, 2014, 11:09:07 AM
to munki...@googlegroups.com
I'd like to use https so I can encrypt the traffic between the client and the server. So at the moment all data is sent in the clear; if so, the passphrase is visible?

thanks.

Josh Malone

Aug 7, 2014, 11:53:21 AM
to munki...@googlegroups.com
I think you are confusing authentication with encryption. The only reason you need to use client certificates is if you want to authenticate the clients to the server. All you need to encrypt the traffic is an SSL server with a valid SSL server certificate.

Once you have that server certificate, you can use the password-based authentication to auth the clients to the server.

-Josh

ldn...@gmail.com

Aug 7, 2014, 12:38:52 PM
to munki...@googlegroups.com
Using a self-signed cert for dev purposes....



nbalonso

Aug 7, 2014, 1:10:59 PM
to munki...@googlegroups.com
There are three types of encryption you can enable for your data in transit:

1- Munki client <--> Munki server encryption. This is explained in the Munki wiki.
2- MR-php web view (when you visit the website to see the data). This is accomplished in different ways depending on whether you use Apache, nginx...
3- MR-php client (scripts) <--> MR-php server. This is accomplished by doing the curl with https. This also needs Apache, nginx or else to be properly configured with SSL/TLS.

An optional fourth item to limit non-legit MR-php clients from sending data to your MR-php server is accomplished by using a passphrase. Data in transit is sensitive to eavesdropping. Therefore it is not encryption but instead a simple filter.

I think you are looking for #3. Here is a simple example of how to accomplish that:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8987    0  8987    0     0  17517      0 --:--:-- --:--:-- --:--:-- 17518
Retrieving munkireport scripts
Configuring munkireport
+ Installing ard
+ Installing bluetooth
...
bash-3.2$ defaults read /Library/Preferences/MunkiReport.plist  BaseUrl
bash-3.2$ sudo /usr/local/munki/managedsoftwareupdate -vvv
Password:
Managed Software Update Tool
Copyright 2010-2014 The Munki Project

Starting...
    Performing preflight tasks...
    preflight stdout:     Munkireport: # Executing scripts in preflight_abort.d
    Munkireport: # Executing scripts in preflight.d
    Munkireport: Running bluetooth.sh
    Munkireport: Running directoryservice.sh
    Munkireport: Running disk_info
...


_
Noel
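
A way to check item 3 from the post above on a client, added here as an example (it is not part of the original message or of MunkiReport): it rejects a plain-HTTP BaseUrl and, for HTTPS, confirms that the server certificate validates. The function names and the optional PEM path for a self-signed dev certificate are assumptions.

```sh
#!/bin/sh
# Added example, not MunkiReport code. Function names are hypothetical.

# Classify a BaseUrl by scheme: prints encrypted, cleartext or invalid.
classify_base_url() {
    case "$1" in
        [Hh][Tt][Tt][Pp][Ss]://?*) echo encrypted ;;
        [Hh][Tt][Tt][Pp]://?*)     echo cleartext ;;
        *)                         echo invalid ;;
    esac
}

# TLS handshake with certificate validation left on (no -k/--insecure).
# $2 is optional: a PEM file to trust, e.g. a self-signed dev certificate.
verify_server_cert() {
    url=$1; ca=$2
    set -- --silent --show-error --head --output /dev/null \
           --max-time 10 --proto '=https'
    if [ -n "$ca" ]; then set -- "$@" --cacert "$ca"; fi
    curl "$@" "$url"
}

# Returns 0 only when the URL is https AND the certificate validates.
audit_transport() {
    url=$1; ca=$2
    case "$(classify_base_url "$url")" in
        encrypted)
            if verify_server_cert "$url" "$ca"; then
                echo "OK: $url uses TLS and the server certificate validates"
            else
                echo "FAIL: $url uses TLS but certificate validation failed"
                return 2
            fi ;;
        cleartext)
            echo "FAIL: $url is plain HTTP; reports and passphrase cross the wire unencrypted"
            return 1 ;;
        *)
            echo "FAIL: BaseUrl '$url' is not an http(s) URL"
            return 3 ;;
    esac
}

# On a client (kept as a comment so sourcing this file touches no network):
#   audit_transport "$(defaults read /Library/Preferences/MunkiReport.plist BaseUrl)" /path/to/dev-cert.pem
```

This checks the server's TLS setup only; it says nothing about which certificates the MunkiReport client scripts themselves trust.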

ldn...@gmail.com

Aug 7, 2014, 1:15:54 PM
to munki...@googlegroups.com
Option 3 is exactly what I needed..

Back I go to the terminal..

many thanks..

:)