
Feature #6677

Autosign entry additions should require authentication

Added by Michael Messmore over 6 years ago. Updated almost 6 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Security
Target version: -
Difficulty: -
Triaged: No
Bugzilla link: -
Pull request: -
Fixed in Releases: -
Found in Releases: -

Description

Using the smart proxy API, I can create an autosign entry by POSTing to http://smartproxy.example.com/puppet/ca/autosign/NAME without any authentication. There should be some type of trust relationship established between the client and the Smart Proxy on the CA (cert, OAuth, user/password, whatever) to prevent unauthorized users from being able to get the CA to sign a key.

This isn't the end of the world, but it does break the trust model in the CA to have untrusted things able to get the CA to sign keys.

I was able to reproduce this on Foreman 1.5.1, and assume it is always that way (hopefully not making an ass out of anyone).
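As an added example (written for this page, not smart-proxy code and not from the thread), a minimal Ruby request guard of the kind the report asks for: it only admits a CA autosign request when the TLS layer has verified the client certificate and the certificate's CN is on an allow-list. It assumes the web server exposes verification results through the mod_ssl-style variables `SSL_CLIENT_VERIFY` and `SSL_CLIENT_CERT`; the trusted host name and the self-signed certificate builder are constructed for the demonstration.

```ruby
require 'openssl'

# Assumption: host names permitted to add autosign entries (constructed value).
TRUSTED_HOSTS = ['foreman.example.com'].freeze

# Returns the client certificate's CN when the TLS layer reports that it
# verified the certificate (SSL_CLIENT_VERIFY == 'SUCCESS'), otherwise nil.
# Assumption: the server passes the PEM-encoded cert in SSL_CLIENT_CERT.
def verified_client_cn(env)
  return nil unless env['SSL_CLIENT_VERIFY'] == 'SUCCESS'
  pem = env['SSL_CLIENT_CERT']
  return nil if pem.nil? || pem.empty?
  cert = OpenSSL::X509::Certificate.new(pem)
  cn = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  cn && cn[1]
rescue OpenSSL::X509::CertificateError
  # Unparseable certificate data is treated as no certificate at all.
  nil
end

# The guard: an unauthenticated POST to the autosign endpoint (the behaviour
# the report describes) is refused; only a verified, allow-listed client passes.
def autosign_request_allowed?(env)
  cn = verified_client_cn(env)
  !cn.nil? && TRUSTED_HOSTS.include?(cn)
end

# Constructed helper: builds a throwaway self-signed certificate for the
# given CN so the guard can be exercised offline.
def constructed_cert_pem(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end
```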


Related issues

Related to Smart Proxy - Bug #7822: CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests (Closed, 2014-10-06)

History

#1 Updated by Dominic Cleal about 6 years ago

  • Related to Bug #7822: CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests added

#2 Updated by Dominic Cleal about 6 years ago

We're fixing the requirement for SSL verification in #7822, but you give an HTTP example - are you running with or without SSL? I guess we could put in some authentication for the HTTP-only mode.

#3 Updated by Michael Messmore about 6 years ago

Yeah, sorry that was a typo. I can confirm that the behavior I observed is fixed in 1.5.4, because I was forced to add the cert to the request. Thanks!

#4 Updated by Dominic Cleal almost 6 years ago

  • Status changed from New to Resolved

Ah great, thanks for the report.
