Puppet / PUP-4014

Add PKINIT support to Puppet CA

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Networking

      Description

      Hi,

      I've written up this patch to enable the Puppet CA to deal with Kerberos-PKINIT-enabled certificate requests and allow the clients to request those extensions.

      https://github.com/puppetlabs/puppet/pull/3614

      Since the whole PKINIT certificate extension thing is IMO highly inaccessible to people with non-ASN.1-capable brains (i.e. everyone) I think it would be a killer feature for Puppet to support this with just a few command line options out of the box.

      Those certificates can be used on the client to obtain Kerberos tickets using just the certificate and private key and no password or keytab:

      root@client:~# fqdn=`hostname -f`
      root@client:~# pupssl=/var/lib/puppet/ssl
      root@client:~# kinit -X "X509_user_identity=FILE:$pupssl/certs/${fqdn}.pem,$pupssl/private_keys/${fqdn}.pem" $fqdn
      root@client:~# klist
      Ticket cache: FILE:/tmp/krb5cc_0
      Default principal: client.example.org@EXAMPLE.ORG
       
      Valid starting       Expires              Service principal
      02/15/2015 12:56:21  02/15/2015 22:56:21  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
              renew until 02/16/2015 12:56:21
      

      This can easily be made into a cron job so the machine always has a TGT floating around for accessing kerberised services!

      I am also using this in an environment where I run Kerberos-enabled services and want to allow them to auto-enroll with the KDC and create their principals and keytabs. Using PKINIT with the Puppet machine certificates and making the machine principal a very limited Kerberos administrator for its own principal namespace (*/$fqdn@$realm) allows for this very elegantly, securely and without any additional password storage and passing.

      With the KDC extension it is also possible to run a PKINIT-enabled KDC with just the Puppet client certificate and key. Instructions on how to do so can be found here: http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html. A puppet module that does so fully automatically is available here: https://github.com/michaelweiser/puppet-module-kerberos.

      Usage:

      root@freshlybootstrappedbox # puppet agent -t --request_pkinit_client
      (or option in puppet.conf)
      

      root@puppetmaster:~# puppet cert sign freshlybootstrappedbox.example.org
      Error: CSR 'freshlybootstrappedbox.example.org' contains subject alternative names (PKINIT-Client:freshlybootstrappedbox.example.org@EXAMPLE.ORG), which are disallowed. Use `puppet cert --allow-dns-alt-names sign freshlybootstrappedbox.example.org` to sign this request.
      root@puppetmaster:~# puppet cert sign freshlybootstrappedbox.example.org --allow-dns-alt-names
      Error: CSR 'freshlybootstrappedbox.example.org' contains a PKINIT extension for Kerberos clients (PKINIT-Client:freshlybootstrappedbox.example.org@EXAMPLE.ORG), which is disallowed. Use `puppet cert --allow-pkinit-client sign freshlybootstrappedbox.example.org` to sign this request.
      root@puppetmaster:~# puppet cert sign freshlybootstrappedbox.example.org --allow-dns-alt-names --allow-pkinit-client
      Notice: Signed certificate request for freshlybootstrappedbox.example.org
      Notice: Removing file Puppet::SSL::CertificateRequest freshlybootstrappedbox.example.org at '/var/lib/puppet/ssl/ca/requests/freshlybootstrappedbox.example.org.pem'
      

      (This doubled acceptance procedure is intentional and IMO a nice opportunity for the admin to realise what he's doing.)

      I've developed this with Puppet 3.7.2 on Debian jessie and adjusted slightly for current master HEAD.
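The "PKINIT-Client:host@REALM" value the CA prints above is carried in the CSR as an X.509 otherName subjectAltName of type id-pkinit-san (1.3.6.1.5.2.2) whose value is a DER-encoded KRB5PrincipalName (RFC 4556 section 3.2.2, built from the RFC 4120 PrincipalName type). The following is an added example, not code from the pull request or from Puppet: it encodes and decodes that otherName value with a small hand-written DER helper (no full X.509 parser, so it operates on the extracted otherName bytes, not on a whole CSR), and shows the check a CA operator wants before signing such a request, namely that the requested Kerberos principal is the requesting host itself, in the CA's own realm, and not some other principal such as krbtgt/REALM. The function and constant names are this example's own; the OIDs and ASN.1 layout are the ones the RFCs define.

```python
"""Encode/decode the PKINIT KRB5PrincipalName otherName and check it against a CSR.

Added example, not code from the Puppet PR or from Puppet itself. Works on the
raw otherName value (RFC 4556 s.3.2.2); Kerberos modules use EXPLICIT tagging.
"""

ID_PKINIT_SAN = "1.3.6.1.5.2.2"             # otherName type-id for KRB5PrincipalName
ID_PKINIT_KPCLIENTAUTH = "1.3.6.1.5.2.3.4"  # EKU a PKINIT client certificate carries
ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"         # EKU a PKINIT KDC certificate carries

SEQUENCE, INTEGER, GENERALSTRING = 0x30, 0x02, 0x1B
KRB5_NT_PRINCIPAL = 1  # name-type for ordinary host/user principals (RFC 4120 s.6.2)


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _ctx(n: int) -> int:
    # [n] in an EXPLICIT-tagged module: context-specific, constructed.
    return 0xA0 | n


def encode_krb5_principal_name(principal: str, realm: str,
                               name_type: int = KRB5_NT_PRINCIPAL) -> bytes:
    """DER for KRB5PrincipalName; 'principal' is the '/'-joined name-string.
    name_type must be 0..127 so the single-byte INTEGER stays DER-valid."""
    name_string = _tlv(SEQUENCE, b"".join(
        _tlv(GENERALSTRING, part.encode("ascii")) for part in principal.split("/")))
    principal_name = _tlv(SEQUENCE,
                          _tlv(_ctx(0), _tlv(INTEGER, name_type.to_bytes(1, "big")))
                          + _tlv(_ctx(1), name_string))
    return _tlv(SEQUENCE,
                _tlv(_ctx(0), _tlv(GENERALSTRING, realm.encode("ascii")))
                + _tlv(_ctx(1), principal_name))


def _children(content: bytes) -> list:
    """Split a constructed DER value into its (tag, value) elements, strictly."""
    out, pos = [], 0
    while pos < len(content):
        if pos + 2 > len(content):
            raise ValueError("truncated DER element header")
        tag, length, pos = content[pos], content[pos + 1], pos + 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(content[pos:pos + n], "big")
            pos += n
        if pos + length > len(content):
            raise ValueError("DER length runs past end of data")
        out.append((tag, content[pos:pos + length]))
        pos += length
    return out


def _one(content: bytes, tag: int) -> bytes:
    """Expect exactly one element with the given tag and return its value."""
    elems = _children(content)
    if len(elems) != 1 or elems[0][0] != tag:
        raise ValueError(f"expected a single element tagged {tag:#x}")
    return elems[0][1]


def decode_krb5_principal_name(der: bytes) -> tuple:
    """Return ('name@REALM', name_type) from a KRB5PrincipalName DER blob."""
    outer = _children(_one(der, SEQUENCE))
    if [t for t, _ in outer] != [_ctx(0), _ctx(1)]:
        raise ValueError("KRB5PrincipalName must be [0] realm, [1] principalName")
    realm = _one(outer[0][1], GENERALSTRING).decode("ascii")
    pn = _children(_one(outer[1][1], SEQUENCE))
    if [t for t, _ in pn] != [_ctx(0), _ctx(1)]:
        raise ValueError("PrincipalName must be [0] name-type, [1] name-string")
    name_type = int.from_bytes(_one(pn[0][1], INTEGER), "big", signed=True)
    parts = _children(_one(pn[1][1], SEQUENCE))
    if not parts or any(t != GENERALSTRING for t, _ in parts):
        raise ValueError("name-string must be a non-empty SEQUENCE OF GeneralString")
    return "/".join(v.decode("ascii") for _, v in parts) + "@" + realm, name_type


def pkinit_san_matches_csr(der: bytes, csr_cn: str, ca_realm: str) -> bool:
    """CA-side check before signing a PKINIT-client request: the principal in
    the SAN must be exactly <CSR CN>@<CA realm> with name-type NT-PRINCIPAL.
    Other hosts' principals, foreign realms and krbtgt/REALM (a KDC identity)
    are rejected, as is anything that does not parse."""
    try:
        name, name_type = decode_krb5_principal_name(der)
    except ValueError:
        return False
    return name == f"{csr_cn}@{ca_realm}" and name_type == KRB5_NT_PRINCIPAL


if __name__ == "__main__":
    # Constructed sample matching the hostnames used in the ticket.
    san = encode_krb5_principal_name("client.example.org", "EXAMPLE.ORG")
    print(san.hex())
    print(decode_krb5_principal_name(san))
    print(pkinit_san_matches_csr(san, "client.example.org", "EXAMPLE.ORG"))
```

To apply this to a real request, extract the otherName value for OID 1.3.6.1.5.2.2 from the CSR's subjectAltName with whatever X.509 library the CA uses and pass those bytes to `pkinit_san_matches_csr` together with the CSR's CN and the realm the CA is willing to vouch for; a request whose principal is anything but the requester's own host@REALM should stay unsigned, which is the point of the separate `--allow-pkinit-client` acceptance step described above.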

People

• Assignee: Eric Sorenson (eric.sorenson)
• Reporter: Michael Weiser (michaelweiser)