Question
Why shouldn't I use autosign for all my clients?

Answers

It is very tempting to enable autosign for all nodes, as it cuts down on the manual steps required to bootstrap a new node (or indeed to move it to a new puppet master).
Typically this would be done with a *.example.com or even * in the autosign.conf file.
This, however, can be very dangerous, as it can enable a node to masquerade as another node and get the configuration intended for that node. The reason for this is that the node chooses the certificate common name (‘CN’ – usually its FQDN, but this is fully configurable), and the puppet master then uses this CN to look up the node definition to serve. The certificate itself is stored, so two nodes could not connect with the same CN (e.g. alice.example.com), but this is not the problem.
The problem lies in the fact that the puppet master does not make a 1-1 mapping between a node and the first certificate it saw for it, and hence multiple certificates can map to the same node.
For example:

alice.example.com connects, gets node alice { } definition.
bob.example.com connects with CN alice.bob.example.com, and also matches node alice { } definition.

Without autosigning, it would be apparent that bob was trying to get alice’s configuration – as the puppet cert process lists the full FQDN/CN presented. With autosign turned on, bob silently retrieves alice’s configuration.
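
The alice/bob case above can be checked for ahead of time. The following is an added example, not part of the original answer and not Puppet's own code: it audits a list of certnames against a simplified model of autosign.conf globs and of the node lookup the answer describes. The assumed lookup rule (trailing labels stripped from the CN until a node definition matches), all function names and the sample data are assumptions made for illustration.

```ruby
# Added example. Data is constructed; the matching rules are a simplified
# model of what the answer describes, not Puppet's implementation.

# Assumed autosign.conf entry forms: exact name, '*', or '*.<domain suffix>'.
def autosigned?(certname, globs)
  globs.any? do |glob|
    if glob == '*'
      true
    elsif glob.start_with?('*.')
      certname.end_with?(glob[1..-1]) # compare against ".example.com"
    else
      certname == glob
    end
  end
end

# Assumed lookup: try the full CN, then drop trailing labels one at a time
# until a node definition matches. Returns the matched name or nil.
def resolve_node(certname, node_defs)
  labels = certname.split('.')
  labels.length.downto(1) do |n|
    candidate = labels.first(n).join('.')
    return candidate if node_defs.include?(candidate)
  end
  nil
end

# Node definitions that more than one auto-signed certname would receive.
def shared_nodes(certnames, globs, node_defs)
  certnames.select { |cn| autosigned?(cn, globs) }
           .group_by { |cn| resolve_node(cn, node_defs) }
           .reject { |node, cns| node.nil? || cns.length < 2 }
end

GLOBS = ['*.example.com'].freeze                  # constructed autosign.conf
NODE_DEFS = %w[alice carol.example.com].freeze    # constructed node names
CERTNAMES = %w[alice.example.com alice.bob.example.com
               carol.example.com dave.example.org].freeze

shared_nodes(CERTNAMES, GLOBS, NODE_DEFS).each do |node, cns|
  puts "node #{node} would be served to: #{cns.join(', ')}"
end
```

Any node definition this reports is one where a certificate signed without review would receive another host's configuration.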



