chef - [chef] Re: Re: Re: Re: Re: Re: Validation keys at Chef server

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: Re: Re: Re: Re: Re: Validation keys at Chef server

From: AJ Christensen < >
To: " " < >
Subject: [chef] Re: Re: Re: Re: Re: Re: Validation keys at Chef server
Date: Tue, 5 Aug 2014 09:57:58 +1200

My mistake sorry misread :-)

--aj

On Tue, Aug 5, 2014 at 9:53 AM, DV
< >
wrote:
> No, they're private keys actually.. I've even verified like this:
>
>> knife role show local-web --server-url
>> https://chef11-preprod-app-1.XYZ.com/ --user chef-validator --key
>> ./chef-validator.pem
> ERROR: You authenticated successfully to
> http://chef11-preprod-app-1.XYZ.com/ as chef-validator but you are not
> authorized for this action
> Response:  You are not allowed to take this action.
>
> (this is correct response for validator client)
>
>> knife role show local-web --server-url
>> https://chef11-preprod-app-1.XYZ.com/ --user admin --key ./admin.pem
> (here I get the role output)
>
> My point is, the admin/webui/validator keys are stored on Chef server until
> someone moves or deletes them.
>
>
> On Mon, Aug 4, 2014 at 2:43 PM, AJ Christensen
> < >
>  wrote:
>>
>> those are public keys
>>
>> On Tue, Aug 5, 2014 at 9:40 AM, DV
>> < >
>>  wrote:
>> > Well,our Chef server was set up using standard Chef rpm and it comes
>> > with
>> > validator and webui keys stored in /etc/chef-server, how about that?
>> >
>> >> rpm -qa|grep chef
>> > chef-server-11.0.11-1.el6.x86_64
>> >
>> >> ll /etc/chef-server/
>> > total 28
>> > -rw------- 1 root        root        1679 Apr  3 14:22 admin.pem
>> > -rw-r--r-- 1 root        root          42 Apr  5 18:10 chef-server.rb
>> > -rw------- 1 chef_server root        7773 Apr  5 18:22
>> > chef-server-running.json
>> > -rw------- 1 root        root         765 Apr 11 14:11
>> > chef-server-secrets.json
>> > -rw------- 1 root        root        1679 Apr  3 14:22
>> > chef-validator.pem
>> > -rw-r----- 1 root        chef_server 1679 Apr  3 14:22 chef-webui.pem
>> >
>> >
>> > On Mon, Aug 4, 2014 at 2:11 AM, Steven Danna
>> > < >
>> >  wrote:
>> >>
>> >> Hi,
>> >>
>> >> On Sun, Aug 3, 2014 at 3:33 PM, Arnold Krille
>> >> < >
>> >> wrote:
>> >>
>> >> > I think the main reason Chef-Server can't give you the validation-key
>> >> > is that it doesn't store the private keys of users, machines or
>> >> > validators. And if it did, there would be several people filing
>> >> > urgent
>> >> > security reports against it...
>> >>
>> >> This is correct.  The server does not store the private key and thus
>> >> there is no way to redownload the private key for an existing client
>> >> from the Chef server without resetting the keys.
>> >>
>> >> Cheers,
>> >>
>> >> Steven
>> >
>> >
>> >
>> >
>> > --
>> > Best regards, Dmitriy V.
>
>
>
>
> --
> Best regards, Dmitriy V.

[chef] Validation keys at Chef server, Flores, Luis Fernando (GE Capital, Non-GE), 08/01/2014
- [chef] Re: Validation keys at Chef server, Matt Stratton, 08/01/2014
  - [chef] Re: Re: Validation keys at Chef server, Flores, Luis Fernando (GE Capital, Non-GE), 08/01/2014
- [chef] Re: Validation keys at Chef server, Arnold Krille, 08/03/2014
  - Message not available
    - [chef] Re: Re: Validation keys at Chef server, Steven Danna, 08/04/2014
      - [chef] Re: Re: Re: Validation keys at Chef server, DV, 08/04/2014
        
        [chef] Re: Re: Re: Re: Validation keys at Chef server, AJ Christensen, 08/04/2014
        
        [chef] Re: Re: Re: Re: Re: Validation keys at Chef server, DV, 08/04/2014
        
        [chef] Re: Re: Re: Re: Re: Re: Validation keys at Chef server, AJ Christensen, 08/04/2014
        
        [chef] Re: Re: Re: Re: Validation keys at Chef server, Daniel DeLeo, 08/04/2014