Jira (PUP-1940) Reveal client IP address to autosign script.

2 views
Skip to first unread message

Robert (JIRA)

unread,
Jul 30, 2015, 4:13:11 AM7/30/15
to puppe...@googlegroups.com
Robert commented on Improvement PUP-1940
 
Re: Reveal client IP address to autosign script.

This should be reopened. The arbitrary csr attributes are not helpful for this use case, as they are set by the client and not enforced in any way.

Basically, what I would love to see is a second argument passed to the script with the IP address according to the server (as in, it's looking at the client ip address that is connecting to it). Otherwise the client could have an IP address of 10.32.4.83 but simply add an attribute of 10.73.2.2 and there would literally be no way for the autosign script to tell.
Add Comment Add Comment
 
This message was sent by Atlassian JIRA (v6.4.5#64020-sha1:78acd6c)
Atlassian logo

Andreas Sieferlinger (JIRA)

unread,
Oct 15, 2015, 10:17:07 AM10/15/15
to puppe...@googlegroups.com

I agree, this would be very useful, as all other information, except for the client IP are set by the client and therefore need to be considered untrusted and harmful.
This message was sent by Atlassian JIRA (v6.4.11#64026-sha1:78f6ec4)
Atlassian logo

Maggie Dreyer (JIRA)

unread,
May 16, 2017, 12:59:03 PM5/16/17
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
 
Puppet / Improvement PUP-1940
Change By: Maggie Dreyer
Labels: help_wanted triaged
This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)
Atlassian logo

Doug Rosser (JIRA)

unread,
May 16, 2017, 1:07:05 PM5/16/17
to puppe...@googlegroups.com
Doug Rosser commented on Improvement PUP-1940
 
Re: Reveal client IP address to autosign script.

Host IP addresses are more difficult to to "spoof" but should not be considered secure. Auto-signing will always be a security compromise.

Atom Powers (JIRA)

unread,
May 16, 2017, 1:17:16 PM5/16/17
to puppe...@googlegroups.com
Atom Powers commented on Improvement PUP-1940

Host IP address, as reported by the host, is not trustworthy. But if you use your DNS system and validate both forward and reverse DNS resolution, like CfEngine does (used to?), then you can be pretty sure that the host being built is the one you think it is. Making Host IP available simple enables this functionality.

Moses Mendoza (JIRA)

unread,
May 18, 2017, 1:55:27 PM5/18/17
to puppe...@googlegroups.com
Moses Mendoza updated an issue
 
Change By: Moses Mendoza
Labels: help_wanted  triaged

Jacob Helwig (JIRA)

unread,
Dec 7, 2017, 2:26:04 PM12/7/17
to puppe...@googlegroups.com
Jacob Helwig updated an issue
Change By: Jacob Helwig
Sub-team: Coremunity
This message was sent by Atlassian JIRA (v7.0.2#70111-sha1:88534db)
Atlassian logo

Josh Cooper (JIRA)

unread,
Sep 27, 2018, 12:12:05 AM9/27/18
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Team: Coremunity Server
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Atlassian logo

Josh Cooper (JIRA)

unread,
Sep 27, 2018, 12:12:06 AM9/27/18
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-1940
 
Re: Reveal client IP address to autosign script.

If the agent connects to the server via an HTTP proxy, then the peer IP address from the server's perspective will be that of the proxy, not the agent. And since the server doesn't know if the agent connected via a proxy or not, it seems dubious to pass the client IP to the autosign script. The request handler would need to check for X-Forwarded-For, etc and that gets complicated. At that point, I think you're better off adding a custom attribute to the CSR identifying the client IP.

Atom Powers (JIRA)

unread,
Sep 27, 2018, 10:58:04 AM9/27/18
to puppe...@googlegroups.com
Atom Powers commented on Improvement PUP-1940

Josh, that sounds like a decision that can be made by each customer as it suits their deployment. "Nobody should use it because somebody might use it improperly" isn't much of an argument.

Josh Cooper (Jira)

unread,
Feb 16, 2021, 2:21:04 PM2/16/21
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-1940

It's unlikely we will implement such a thing due to the security issues mentioned.

But if you have need, you may want to look at puppetserver's autosign code, see https://github.com/puppetlabs/puppetserver/blob/1bc77d6dc22e2c03d42111ef47e1523fe1bcdd97/src/clj/puppetlabs/puppetserver/certificate_authority.clj#L1109. Since all of the autosign functionality now lives in puppetserver, I'm going to move this ticket to the SERVER project.
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
Atlassian logo
Reply all
Reply to author
Forward
0 new messages