[chef] RE: Re: Securing Knife

["Kemp, Joseph A. (JKEMP)" < >]

My concern is with the pem file.  Right now it is basically like storing my 
password in the clear in a text file.  I need to either add a password to the 
private key or I need the chef-server to require the user password to be 
provided before it allows access to the chef-server.  Why does the chef 
server allow a user to perform operations against the server without the 
user's password?

-----Original Message-----
From: Mike 
[mailto:
 
 
Sent: Wednesday, November 06, 2013 5:45 PM
To: 

 
Subject: [chef] Re: Securing Knife

Have individual/personal admin-level pem files - don't share a centralized 
one.

  knife client create new_person --admin

Ref: http://docs.opscode.com/chef/knife.html#create


-M


On Wed, Nov 6, 2013 at 5:40 PM, Kemp, Joseph A. (JKEMP) 
<
 >
 wrote:


        I am puzzled how to secure the use of knife in open source chef.  If 
I add a password to the user PEM I am forced to enter the password multiple 
times for each knife command.  So that's not a very user friendly option.  
Someone else suggested storing the pem on an encrypted file 
system/device/etc.  What is the best practice to provide controlled admin 
access to the chef server?  It's a little unnerving that someone with a copy 
of any admin PEM file gains complete control over your infrastructure.  I 
feel like I must be missing something.

         

        Thanks,

        -Joe