[chef] Re: Re: Re: Re: Re: Validation keys at Chef server


Chronological Thread 
  • From: DV < >
  • To: " " < >
  • Subject: [chef] Re: Re: Re: Re: Re: Validation keys at Chef server
  • Date: Mon, 4 Aug 2014 14:53:37 -0700

No, they're private keys actually.. I've even verified like this:

> knife role show local-web --server-url https://chef11-preprod-app-1.XYZ.com/ --user chef-validator --key ./chef-validator.pem
ERROR: You authenticated successfully to http://chef11-preprod-app-1.XYZ.com/ as chef-validator but you are not authorized for this action
Response:  You are not allowed to take this action.

(this is correct response for validator client)

> knife role show local-web --server-url https://chef11-preprod-app-1.XYZ.com/ --user admin --key ./admin.pem
(here I get the role output)

My point is, the admin/webui/validator keys are stored on Chef server until someone moves or deletes them.


On Mon, Aug 4, 2014 at 2:43 PM, AJ Christensen < " target="_blank"> > wrote:
those are public keys

On Tue, Aug 5, 2014 at 9:40 AM, DV < "> > wrote:
> Well,our Chef server was set up using standard Chef rpm and it comes with
> validator and webui keys stored in /etc/chef-server, how about that?
>
>> rpm -qa|grep chef
> chef-server-11.0.11-1.el6.x86_64
>
>> ll /etc/chef-server/
> total 28
> -rw------- 1 root        root        1679 Apr  3 14:22 admin.pem
> -rw-r--r-- 1 root        root          42 Apr  5 18:10 chef-server.rb
> -rw------- 1 chef_server root        7773 Apr  5 18:22
> chef-server-running.json
> -rw------- 1 root        root         765 Apr 11 14:11
> chef-server-secrets.json
> -rw------- 1 root        root        1679 Apr  3 14:22 chef-validator.pem
> -rw-r----- 1 root        chef_server 1679 Apr  3 14:22 chef-webui.pem
>
>
> On Mon, Aug 4, 2014 at 2:11 AM, Steven Danna < "> > wrote:
>>
>> Hi,
>>
>> On Sun, Aug 3, 2014 at 3:33 PM, Arnold Krille < "> >
>> wrote:
>>
>> > I think the main reason Chef-Server can't give you the validation-key
>> > is that it doesn't store the private keys of users, machines or
>> > validators. And if it did, there would be several people filing urgent
>> > security reports against it...
>>
>> This is correct.  The server does not store the private key and thus
>> there is no way to redownload the private key for an existing client
>> from the Chef server without resetting the keys.
>>
>> Cheers,
>>
>> Steven
>
>
>
>
> --
> Best regards, Dmitriy V.



--
Best regards, Dmitriy V.



Archive powered by MHonArc 2.6.16.

§