Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-9466

Readd password protected private key support

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.5.0
    • Component/s: None
    • Template:
    • Team:
      Coremunity
    • Sprint:
      Platform Core KANBAN
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Hide
      If the private key password file (Puppet[:passfile]) exists and the agent doesn't yet have a private key, it will generate a new one, and use the contents of the passfile to encrypt the private key on disk. The key will be encrypted using AES-128-CBC. If the agent already has an unencrypted private key, then no changes will occur. Puppetserver does not currently support private key passwords, so this should only be enabled on agent-only nodes.
      Show
      If the private key password file (Puppet[:passfile]) exists and the agent doesn't yet have a private key, it will generate a new one, and use the contents of the passfile to encrypt the private key on disk. The key will be encrypted using AES-128-CBC. If the agent already has an unencrypted private key, then no changes will occur. Puppetserver does not currently support private key passwords, so this should only be enabled on agent-only nodes.
    • QA Risk Assessment:
      Needs Assessment

      Description

      If passfile exists when puppet starts for the first time, then it will encrypt its private key using 3DES-CBC. However, the current implementation is a bit dubious. If puppet tries to load an encrypted private key and the passfile does not exist, then ruby will hang due to openssl prompting for the password. Ruby uses the legacy PEM_write_* methods that only use 1 iteration. Per https://www.openssl.org/docs/man1.0.2/crypto/pem.html "The encryption key is determined using EVP_BytesToKey(), using salt and an iteration count of 1" and https://github.com/ruby/openssl/issues/13. Also puppetserver does not support password protected private keys, so it can't be enabled on server hosts.

        Attachments

          Activity

            People

            Assignee:
            josh Josh Cooper
            Reporter:
            josh Josh Cooper
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Zendesk Support