Puppet / PUP-9466

Re-add password protected private key support

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.5.0
    • Component/s: None
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      If the private key password file (Puppet[:passfile]) exists and the agent doesn't yet have a private key, it will generate a new one and use the contents of the passfile to encrypt the private key on disk. The key is encrypted with AES-128-CBC. If the agent already has an unencrypted private key, no changes occur. Puppetserver does not currently support private key passwords, so this should only be enabled on agent-only nodes.
    • QA Risk Assessment:
      Needs Assessment

      Description

      If passfile exists when Puppet starts for the first time, then it will encrypt its private key using 3DES-CBC. However, the current implementation is a bit dubious. If Puppet tries to load an encrypted private key and the passfile does not exist, then Ruby will hang due to OpenSSL prompting for the password. Ruby uses the legacy PEM_write_* methods that only use 1 iteration. Per https://www.openssl.org/docs/man1.0.2/crypto/pem.html, "The encryption key is determined using EVP_BytesToKey(), using salt and an iteration count of 1", and https://github.com/ruby/openssl/issues/13. Also puppetserver does not support password protected private keys, so it can't be enabled on server hosts.
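The behaviour the release note and the description describe, as an added example in Ruby (it is not Puppet's own code): a fresh RSA key is exported under the passfile contents with AES-128-CBC; an encrypted PEM is recognised before it is handed to OpenSSL, so a missing passfile produces an error instead of the interactive password prompt that hangs the agent; and the PEM is then decrypted by hand with the one-iteration EVP_BytesToKey derivation quoted above from the OpenSSL manual, which is the whole of the protection the passfile provides. `PASSFILE_CONTENTS`, `PassfileError` and the function names are this example's own, and the passphrase value is constructed; the hand derivation also covers the DES-EDE3-CBC PEMs the earlier implementation wrote.

```ruby
require 'openssl'

# Added example, not Puppet's code. PASSFILE_CONTENTS stands in for the
# contents of Puppet[:passfile]; the value is constructed for this example.
PASSFILE_CONTENTS = 'puppet-agent-passfile-secret'

# Raised when a key cannot be loaded without an interactive prompt.
class PassfileError < StandardError; end

# Behaviour from the release note: generate a fresh RSA key and export it
# encrypted under the passfile contents with AES-128-CBC. RSA#export uses
# OpenSSL's legacy PEM_write_* path, so the PEM carries Proc-Type and
# DEK-Info headers and its key comes from EVP_BytesToKey(MD5, count = 1).
def generate_encrypted_key_pem(password, bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  [key, key.export(OpenSSL::Cipher.new('aes-128-cbc'), password)]
end

# Legacy PEM flags encryption with a Proc-Type header; PKCS#8 uses its own
# BEGIN line. Either way it can be detected before OpenSSL sees the PEM.
def encrypted_pem?(pem)
  pem.include?('Proc-Type: 4,ENCRYPTED') ||
    pem.include?('-----BEGIN ENCRYPTED PRIVATE KEY-----')
end

# Load a key without ever reaching OpenSSL's interactive password callback
# (the hang described in the ticket): refuse an encrypted PEM when no
# password is available, and report a wrong password as a clear error.
def load_private_key(pem, password = nil)
  if encrypted_pem?(pem) && password.nil?
    raise PassfileError, 'private key is encrypted but no passfile is present'
  end
  OpenSSL::PKey::RSA.new(pem, password)
rescue OpenSSL::PKey::PKeyError => e
  raise PassfileError, "cannot load private key (wrong passfile?): #{e.message}"
end

# EVP_BytesToKey exactly as PEM_do_header calls it: MD5, a single iteration,
# the salt being the first 8 bytes of the IV printed in DEK-Info. With
# AES-128-CBC the whole key is one MD5 over password || salt.
def evp_bytes_to_key(password, salt, key_len)
  out = ''.b
  prev = ''.b
  while out.bytesize < key_len
    prev = OpenSSL::Digest::MD5.digest(prev + password.b + salt)
    out << prev
  end
  out[0, key_len]
end

# Decrypt a legacy encrypted PEM by hand (AES-128-CBC after the fix, or the
# DES-EDE3-CBC form the earlier implementation wrote) and parse the DER key.
def decrypt_legacy_pem(pem, password)
  m = pem.match(/^DEK-Info: ([\w-]+),([0-9A-Fa-f]+)/)
  raise ArgumentError, 'no DEK-Info header: not a legacy encrypted PEM' unless m
  iv = [m[2]].pack('H*')
  lines = pem.lines.map(&:strip)
  body = lines[(lines.index('') + 1)...lines.index { |l| l.start_with?('-----END') }]
  cipher = OpenSSL::Cipher.new(m[1])
  cipher.decrypt
  cipher.key = evp_bytes_to_key(password, iv[0, 8], cipher.key_len)
  cipher.iv = iv
  OpenSSL::PKey::RSA.new(cipher.update(body.join.unpack1('m')) + cipher.final)
end

if __FILE__ == $PROGRAM_NAME
  key, pem = generate_encrypted_key_pem(PASSFILE_CONTENTS)
  puts pem.lines.first(3).join
  loaded = load_private_key(pem, PASSFILE_CONTENTS)
  manual = decrypt_legacy_pem(pem, PASSFILE_CONTENTS)
  puts "round trip ok: #{loaded.n == key.n && manual.n == key.n}"
  begin
    load_private_key(pem)
  rescue PassfileError => e
    puts "refused without passfile: #{e.message}"
  end
end
```

Run the file directly to see the PEM headers and the round trip. Because each guess costs one MD5 over the passfile contents and an 8-byte salt, the scheme adds no brute-force slowdown of its own: a long random passfile, and file permissions that keep it readable only by the agent, are what make the feature worth enabling.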

            People

            • Assignee: Josh Cooper (josh)
            • Reporter: Josh Cooper (josh)
            • Votes: 0
            • Watchers: 2
