Important changes in puppetmaster SSL authentication (1.1RC5)

Hi all,

There is a big change in puppetmaster communications arriving with
Foreman 1.1RC5. I mentioned this recently in an e-mail about Rails
vulnerabilities, but the implementation has now been merged. Apologies
for dropping this into a late release candidate, but we thought it
urgent enough to fix for 1.1.

By default, the external nodes (ENC) interface and reports+fact import
interfaces will now only permit hosts with smart proxies registered and
will require client SSL certs to verify. We've gone with defaults all
enabled to provide the most secure config out of the box, which can be
relaxed if necessary - see below.

For most users with Apache, mod_ssl and Passenger (the standard

foreman-installer configuration), plus Foreman proxy on the puppetmaster

  1. Update the ENC script (node.rb) and report processor (foreman.rb)
    using the foreman-installer, or copy its templates and update:

  1. It's highly recommended that you have require_ssl and login set to
    true in settings.yaml.

This relies on mod_ssl verifying the client's SSL cert with the CA
configured for Foreman. If everything's in the same Puppet CA
infrastructure, this should work.

If you don't use SSL, or you have a complex puppetmaster SSL setup

(multiple CAs), you might decide to relax client SSL cert requirements.

  1. Disable the "require_ssl_puppetmasters" setting in the Foreman UI
    (More, Settings, Auth). This will fall back to permitting any
    connections from registered puppetmaster smart proxy hosts.

Lastly, if you want to permit any access to these interfaces - which
will enable remote code execution on your Foreman server(!) - you can
disable "restrict_registered_puppetmasters" in Settings.

Hopefully the tunables will give enough scope for people to stay secure
and still functioning, or for people to use their own PKI to secure
communications (which I'd recommend). If you've got questions or
problems, please do ask the list.

More docs are also being added to the new 1.1 manual here:

··· -- Dominic Cleal Red Hat Engineering