[chef] Re: Re: Client/Server secure model


  • From: oscar schneider
  • Subject: [chef] Re: Re: Client/Server secure model
  • Date: Sat, 11 Feb 2012 18:24:26 +0100

Hi,

I think a "standard installation", e.g. from Debian packages in the Opscode apt repository, of open source Chef servers is not using https by default, but plain http. Of course you still have signed headers, which makes it difficult to replay/inject data in the authenticated client/server communication; however, you still can eavesdrop on certain things, most importantly attributes. This affects those collected by ohai as well as those that were set on the server for a specific node or role.

Thus if you use Chef on a network where eavesdroppers might hang around, you should opt for an SSL proxy, which would additionally encrypt the communication, not only sign it. There is a pretty decent tutorial up on the Chef wiki.

On a further note, I don't think Chef "missed" this obvious feature of SSL encrypted communication but instead offers that nice web app on which you can apply all those standard web techniques that are well investigated, in this case using apache or nginx as an SSL proxy.

Kind regards,

Oscar

On Tue, Feb 7, 2012 at 11:48 AM, Ranjib Dey wrote:
Chef uses https for client server communication. Every chef client (nodes, users who operate/manage chef) uses their own private key. The registration of clients is done via admin clients or the validation client (a special client that can only register non-admin clients). Communication between chef server and client never happens in an insecure manner, while other integration points (like rabbitmq to chef server or solr to chef server) are secured via firewalls and tool specific authentication (like vhosts and user credentials for rabbitmq).
That said, you can also create a custom public/private key pair and hook them in to chef server to authenticate your clients/servers against chef server.


Chef was developed after puppet; there is very little chance that chef will miss some obvious and important feature that puppet has.

regards
ranjib

On Tue, Feb 7, 2012 at 3:52 PM, [sender address not preserved] wrote:
Hello,

I'm quite new to Chef, but some guys told me that Chef doesn't use a secure
channel model between client and server. So they told me to use "Puppet", which
does this natively (I'm not talking about using an external tunnel or something
like that, but about Chef's internal secure communication
implementation/model).

I think this is not true (what they told me), but I don't have solid arguments to
discuss/use with them.

Can you help me?
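To make the distinction in the thread concrete (signed headers authenticate the client and detect tampering or replay, but over plain http the request body is readable to anyone on the path), here is an added Ruby example. It is not Chef's code and not Mixlib::Authentication: the header names follow the X-Ops-* convention mentioned in Chef's documentation, but the canonical string, the hash and signature algorithms (SHA256 and RSA-SHA256 here), the 900-second skew window and the node body are all assumptions constructed for this example.

```ruby
# Added example (not Chef's own code): models signed request headers over a
# plaintext transport. The canonical-string layout below is an assumption of
# this example, not Chef's actual wire format.
require 'openssl'
require 'digest'
require 'json'
require 'time'

# Strict base64 (no line breaks), as headers must be single-line.
def b64(bytes)
  [bytes].pack('m0')
end

# Canonical string covering the method, the hashed path, the body hash, the
# timestamp and the client name; anything signed over this cannot be altered
# without breaking the signature.
def canonical_request(method, path, content_hash, timestamp, client_name)
  [
    "Method:#{method}",
    "Hashed Path:#{b64(Digest::SHA256.digest(path))}",
    "X-Ops-Content-Hash:#{content_hash}",
    "X-Ops-Timestamp:#{timestamp}",
    "X-Ops-UserId:#{client_name}"
  ].join("\n")
end

# Client side: compute the headers a node would attach to a request.
def sign_request(private_key, client_name, method, path, body, timestamp)
  content_hash = b64(Digest::SHA256.digest(body))
  canonical = canonical_request(method, path, content_hash, timestamp, client_name)
  signature = b64(private_key.sign(OpenSSL::Digest.new('SHA256'), canonical))
  headers = {
    'X-Ops-UserId' => client_name,
    'X-Ops-Timestamp' => timestamp,
    'X-Ops-Content-Hash' => content_hash
  }
  # Split the base64 signature into numbered 60-character header chunks.
  signature.scan(/.{1,60}/).each_with_index do |chunk, i|
    headers["X-Ops-Authorization-#{i + 1}"] = chunk
  end
  headers
end

# Server side: rebuild the canonical string from what arrived and verify it
# against the public key stored for the client at registration.
# Returns [ok, reason].
def verify_request(public_key, method, path, body, headers, now: Time.now.utc, skew: 900)
  expected_hash = b64(Digest::SHA256.digest(body))
  return [false, 'content hash mismatch'] unless headers['X-Ops-Content-Hash'] == expected_hash

  sent_at = Time.iso8601(headers['X-Ops-Timestamp'])
  return [false, 'stale timestamp'] if (now - sent_at).abs > skew

  canonical = canonical_request(method, path, expected_hash, headers['X-Ops-Timestamp'], headers['X-Ops-UserId'])
  sig_b64 = headers.select { |k, _| k.start_with?('X-Ops-Authorization-') }
                   .sort_by { |k, _| k.split('-').last.to_i }
                   .map { |_, v| v }.join
  ok = public_key.verify(OpenSSL::Digest.new('SHA256'), sig_b64.unpack1('m0'), canonical)
  [ok, ok ? 'ok' : 'bad signature']
end

# Walks through a genuine request, a tampered copy, a delayed replay, and what
# a passive observer on an http (not https) path can read without any key.
def run_demo
  client_key = OpenSSL::PKey::RSA.new(2048)
  server_copy_of_pub = OpenSSL::PKey::RSA.new(client_key.public_key.to_pem)
  sent_at = Time.utc(2012, 2, 7, 11, 48, 0)
  path = '/nodes/web01.example'
  # Constructed node-save body: ohai-style automatic data plus a server-set
  # normal attribute of the kind that should never travel in the clear.
  body = JSON.generate(
    'name' => 'web01.example',
    'automatic' => { 'ipaddress' => '10.0.0.5' },
    'normal' => { 'mysql' => { 'root_password' => 'constructed-secret' } }
  )
  headers = sign_request(client_key, 'web01.example', 'PUT', path, body, sent_at.iso8601)

  genuine, = verify_request(server_copy_of_pub, 'PUT', path, body, headers, now: sent_at)
  tampered, tamper_reason = verify_request(server_copy_of_pub, 'PUT', path,
                                           body.sub('10.0.0.5', '10.0.0.6'), headers, now: sent_at)
  replayed, replay_reason = verify_request(server_copy_of_pub, 'PUT', path, body, headers,
                                           now: sent_at + 3600)
  # Plain http: the body is the same bytes on the wire, readable as-is.
  observed = JSON.parse(body)
  {
    genuine: genuine,
    tampered: tampered, tamper_reason: tamper_reason,
    replayed: replayed, replay_reason: replay_reason,
    observed_password: observed.dig('normal', 'mysql', 'root_password')
  }
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

The signature check catches the altered attribute and the late replay, exactly the protection Oscar attributes to signed headers, while the last field shows that authentication does nothing for confidentiality: the attribute is readable by anyone who can see the http traffic, which is why the thread recommends terminating TLS at an apache or nginx proxy in front of the server.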
