Revision 358ec5a3
Added by Dominic Cleal over 11 years ago
- ID 358ec5a3a1b59c098b5c14fcd7a90ca1a6a5dccd
test/fixtures/settings.yml | ||
---|---|---|
category: Provisioning
|
||
default: 0
|
||
description: "Time in minutes installation tokens should be valid for, 0 to disable"
|
||
attribute27:
|
||
name: restrict_registered_puppetmasters
|
||
category: Auth
|
||
default: true
|
||
description: "Only known Smart Proxies with the Puppet feature can access fact/report importers and ENC output"
|
||
attribute28:
|
||
name: require_ssl_puppetmasters
|
||
category: Auth
|
||
default: true
|
||
description: "Client SSL certificates are used to identify Smart Proxies accessing fact/report importers and ENC output over HTTPS (:require_ssl should also be enabled)"
|
||
attribute29:
|
||
name: ssl_client_cn_env
|
||
category: Auth
|
||
default: "SSL_CLIENT_S_DN_CN"
|
||
description: "Environment variable containing the subject CN from a client SSL certificate"
|
||
attribute30:
|
||
name: ssl_client_verify_env
|
||
category: Auth
|
||
default: "SSL_CLIENT_VERIFY"
|
||
description: "Environment variable containing the verification status of a client SSL certificate"
|
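Review bot: the description for attribute30 (ssl_client_verify_env) names the variable that carries the client certificate's verification status but not which value of it counts as verified, and the description for attribute29 (ssl_client_cn_env) does not say the CN is only meaningful once that status is positive; suggest stating both in the descriptions, since operators terminating TLS on something other than the default front end must know what to export, and the code consuming these two settings should read the CN only after the verify variable reports success. Also, the attribute28 text "(:require_ssl should also be enabled)" is the only hint that this setting has no effect on plain HTTP requests, which carry no client certificate; consider saying so directly.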
fixes #2121, #2069 - restrict importers and ENC to puppetmasters and users
CVE-2013-0171: report and fact importers parse YAML directly from the remote
host without authentication. Untrusted YAML can instantiate objects and be
used to exploit Foreman.
CVE-2013-0174: external nodes (ENC) output is available to any source and
could contain sensitive information, e.g. root password.
The restrict_registered_puppetmasters setting (default: on) now only permits
access to the three routes if the remote host has a smart proxy registered
with the Puppet feature.
The require_ssl_puppetmasters setting (default: on) requires a client SSL
certificate on HTTPS requests. The CN is checked against known smart proxies
as above. :require_ssl in settings.yaml is recommended to disable HTTP.
Ensure ENC (node.rb) and report (foreman.rb) scripts are updated to supply
client SSL certificates.
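As an added illustration, not part of this commit or of Foreman's own code, the Ruby below models the access decision the commit message describes for the importer and ENC routes: the setting names and defaults are taken from the fixture, while the smart proxy registry, the reverse DNS table and the assumption that the TLS front end is Apache mod_ssl (which reports a validated client certificate as SSL_CLIENT_VERIFY=SUCCESS) are constructed for the example.

```ruby
# Illustration of the access check described in the commit message.
# This is example code, not Foreman's implementation.

# Settings introduced by the commit, with the fixture's defaults.
SETTINGS = {
  restrict_registered_puppetmasters: true,
  require_ssl_puppetmasters: true,
  ssl_client_cn_env: "SSL_CLIENT_S_DN_CN",
  ssl_client_verify_env: "SSL_CLIENT_VERIFY",
}.freeze

# Constructed registry of smart proxies and the features each provides.
SMART_PROXIES = [
  { hostname: "puppet1.example.com", features: %w[Puppet TFTP] },
  { hostname: "dns1.example.com",    features: %w[DNS] },
].freeze

# Constructed stand-in for a reverse DNS lookup of the remote address.
REVERSE_DNS = { "10.0.0.5" => "puppet1.example.com", "10.0.0.9" => "dns1.example.com" }.freeze

def puppet_proxy_registered?(hostname)
  SMART_PROXIES.any? { |p| p[:hostname] == hostname && p[:features].include?("Puppet") }
end

# env is a Rack-style request environment (a Hash). Returns [allowed, reason].
def authorize_puppetmaster(env, settings = SETTINGS)
  return [true, "restriction disabled"] unless settings[:restrict_registered_puppetmasters]

  if settings[:require_ssl_puppetmasters] && env["rack.url_scheme"] == "https"
    # The TLS terminator (assumed: Apache mod_ssl) exports the verification result.
    # Only a certificate it validated against its CA may identify a smart proxy.
    verify = env[settings[:ssl_client_verify_env]]
    return [false, "client certificate not verified (#{verify.inspect})"] unless verify == "SUCCESS"
    cn = env[settings[:ssl_client_cn_env]].to_s
    return [false, "client certificate has no CN"] if cn.empty?
    return [false, "#{cn} is not a registered Puppet smart proxy"] unless puppet_proxy_registered?(cn)
    return [true, "verified client certificate for #{cn}"]
  end

  # Plain HTTP carries no client certificate, so only the remote host's name can
  # be checked; this weaker path is why the commit recommends :require_ssl.
  host = REVERSE_DNS[env["REMOTE_ADDR"]]
  return [false, "#{env['REMOTE_ADDR']} is not a registered Puppet smart proxy"] unless host && puppet_proxy_registered?(host)
  [true, "remote host #{host} is a registered Puppet smart proxy"]
end
```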