
Revision 358ec5a3

Added by Dominic Cleal over 11 years ago

  • ID 358ec5a3a1b59c098b5c14fcd7a90ca1a6a5dccd

fixes #2121, #2069 - restrict importers and ENC to puppetmasters and users

CVE-2013-0171: report and fact importers parse YAML directly from the remote
host without authentication. Untrusted YAML can instantiate objects and be
used to exploit Foreman.

CVE-2013-0174: external nodes (ENC) output is available to any source and
could contain sensitive information, e.g. root password.

The restrict_registered_puppetmasters setting (default: on) now only permits
access to the three routes if the remote host has a smart proxy registered
with the Puppet feature.

The require_ssl_puppetmasters setting (default: on) requires a client SSL
certificate on HTTPS requests. The CN is checked against known smart proxies
as above. :require_ssl in settings.yaml is recommended to disable HTTP.

Ensure ENC (node.rb) and report (foreman.rb) scripts are updated to supply
client SSL certificates.
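The access rule the commit message describes, written out as one function over a Rack-style env hash. This is an added example, not Foreman's own code: the setting names and defaults are the ones on this page, while the smart proxy registry, the reverse-DNS table and the `authorize_puppetmaster` name are constructed for the example.

```ruby
# Settings as introduced by this revision (names and defaults from the page).
SETTINGS = {
  'restrict_registered_puppetmasters' => true,
  'require_ssl_puppetmasters'         => true,
  'ssl_client_cn_env'                 => 'SSL_CLIENT_S_DN_CN',
  'ssl_client_verify_env'             => 'SSL_CLIENT_VERIFY'
}.freeze

# Constructed smart proxy registry: hostname => enabled features.
KNOWN_PROXIES = {
  'puppet.example.com' => %w[Puppet TFTP],
  'dhcp.example.com'   => %w[DHCP]
}.freeze

# Constructed stand-in for reverse DNS so the example runs offline.
REVERSE_DNS = {
  '192.0.2.10' => 'puppet.example.com',
  '192.0.2.20' => 'dhcp.example.com'
}.freeze

# Only proxies with the Puppet feature may reach the importers and ENC output.
def puppet_proxy_hosts(proxies = KNOWN_PROXIES)
  proxies.select { |_host, features| features.include?('Puppet') }.keys
end

# Returns [allowed, reason]. Over HTTPS with require_ssl_puppetmasters on, only a
# verified client certificate whose CN is a Puppet smart proxy is accepted; over
# HTTP the remote address is resolved and compared against the same list.
def authorize_puppetmaster(env, settings = SETTINGS, proxies = KNOWN_PROXIES, dns = REVERSE_DNS)
  return [true, 'restriction disabled'] unless settings['restrict_registered_puppetmasters']
  hosts = puppet_proxy_hosts(proxies)
  if env['rack.url_scheme'] == 'https' && settings['require_ssl_puppetmasters']
    verify = env[settings['ssl_client_verify_env']]
    cn     = env[settings['ssl_client_cn_env']]
    # 'SUCCESS' is the value Apache mod_ssl sets when the client cert chain verified.
    return [false, "client certificate not verified: #{verify.inspect}"] unless verify == 'SUCCESS'
    return [false, "CN #{cn.inspect} is not a Puppet smart proxy"] unless hosts.include?(cn)
    [true, "client certificate CN #{cn} is a Puppet smart proxy"]
  else
    addr = env['REMOTE_ADDR']
    host = dns[addr]
    return [false, "#{addr} does not resolve to a Puppet smart proxy"] unless hosts.include?(host)
    [true, "#{addr} resolves to Puppet smart proxy #{host}"]
  end
end
```

The HTTP branch is what a request still hits when `:require_ssl` is off, which is why the commit message recommends enabling it.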

View differences:

lib/foreman/default_settings/loader.rb
[ set('oauth_active', "Should foreman use OAuth for authorization in API", false),
set('oauth_consumer_key', "OAuth consumer key", 'katello'),
set('oauth_consumer_secret', "OAuth consumer secret", 'shhhh'),
set('oauth_map_users', "Should foreman map users by username in request-header", true)
set('oauth_map_users', "Should foreman map users by username in request-header", true),
set('restrict_registered_puppetmasters', 'Only known Smart Proxies with the Puppet feature can access fact/report importers and ENC output', true),
set('require_ssl_puppetmasters', 'Client SSL certificates are used to identify Smart Proxies accessing fact/report importers and ENC output over HTTPS (:require_ssl should also be enabled)', true),
set('ssl_client_cn_env', 'Environment variable containing the subject CN from a client SSL certificate', 'SSL_CLIENT_S_DN_CN'),
set('ssl_client_verify_env', 'Environment variable containing the verification status of a client SSL certificate', 'SSL_CLIENT_VERIFY')
].compact.each { |s| create s.update(:category => "Auth")}
end
true
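Review bot: `require_ssl_puppetmasters` only applies to HTTPS requests, so with `:require_ssl` off a plain HTTP request to the importers or ENC output is never subject to the client certificate check at all; the description on the `require_ssl_puppetmasters` line hints at this in parentheses, but it deserves a plain statement in the setting's documentation and a startup warning when `require_ssl_puppetmasters` is true while `:require_ssl` is false. The `ssl_client_verify_env` description also names the variable without the value the check expects (`SUCCESS` for Apache mod_ssl), which will trip up deployments behind other TLS terminators; stating it would help. The `oauth_map_users` line changes only by the added trailing comma, which is correct for the new entries that follow.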
