Custom Policy Executables & Validating Password

asked 2018-11-20 07:07:31 -0600

Hi,

I starting testing/using Puppet to deploy some application environments. We have the need of auto-scaling environments, so it is inviable to use the manual signing procedures, so we need the auto signing feature:

https://puppet.com/docs/puppet/6.0/ss...

And we want to serve both cloud environments and on-premises environments, so we will open the 8140 port to everywhere. But we want some kind of security to prevent anyone to get our catalogs/manifests. To do that, we plan embed a password in agent certificates and use the Custom Policy Executables to validate it:

https://puppet.com/docs/puppet/6.0/ss...

But at documentation, there are not examples. So we googled and found a (old) example:

https://groups.google.com/d/topic/pup...

Follows the entire script:

#!/bin/bash

HOST=$1
CUSTOM_ATTR=$(openssl req -noout -text -in "/var/lib/puppet/ssl/ca/requests/$HOST.pem" | grep "challengePassword" | awk -F ":" '{print$2}')

if [[ "$CUSTOM_ATTR" == "myStrongPassword" ]]
then
  exit 0
else
  exit 1
fi

But is not working. Someone can help me to make this script works? (Or recommend another practice that attend our needs?) Follow the Puppet Master logs:

2018-11-20T12:24:09.852Z WARN  [qtp572457664-67] [c.p.p.ShellUtils] Executed an external process which logged to STDERR: /var/lib/puppet/ssl/ca/requests/puppet-agent-teste.pem: No such file or directory
140411542443856:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/puppet/ssl/ca/requests/puppet-agent-teste.pem','r')
140411542443856:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

2018-11-20T12:24:09.854Z WARN  [qtp572457664-67] [p.p.certificate-authority] Autosign command '/tmp/puppet-custom-policy.sh puppet-agent-teste' generated output to stderr: /var/lib/puppet/ssl/ca/requests/puppet-agent-teste.pem: No such file or directory
140411542443856:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/puppet/ssl/ca/requests/puppet-agent-teste.pem','r')
140411542443856:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

2018-11-20T12:24:09.857Z WARN  [qtp572457664-67] [p.p.certificate-authority] Autosign command '/tmp/puppet-custom-policy.sh' rejected certificate 'puppet-agent-teste' because the exit code was 1, not zero

Maybe the way this script handles the PEM certificate was wrong, but I don't know how to fix it.

Thanks in advance,

Regards,

edit retag flag offensive close merge delete