Feature #6677
Autosign entry additions should require authentication
Description
Using the smart proxy API, I can create an autosign entry by POSTing to http://smartproxy.example.com/puppet/ca/autosign/NAME without any authentication. There should be some type of trust relationship established between the client and the Smart Proxy on the CA (cert, OAuth, user/password, whatever) to prevent unauthorized users from being able to get the CA to sign a key.
This isn't the end of the world, but it does break the trust model in the CA to have untrusted things able to get the CA to sign keys.
I was able to reproduce this on Foreman 1.5.1, and assume it is always that way (hopefully not making an ass out of anyone).
Related issues
History
#1
Updated by Dominic Cleal over 8 years ago
- Related to Bug #7822: CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests added
#2
Updated by Dominic Cleal over 8 years ago
We're fixing the requirement for SSL verification in #7822, but you give an HTTP example - are you running with or without SSL? I guess we could put in some authentication for the HTTP-only mode.
#3
Updated by Michael Messmore over 8 years ago
Yeah, sorry, that was a typo. I can confirm that the behavior I observed is fixed in 1.5.4, because I was forced to add the cert to the request. Thanks!
#4
Updated by Dominic Cleal over 8 years ago
- Status changed from New to Resolved
Ah great, thanks for the report.
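For proxies that ran an affected version, a retrospective check for the requests described in this report can be sketched as follows. This is an added example, not part of the original ticket or Foreman's code. It assumes the proxy's access log is in Common Log Format and that the set of legitimate client addresses is known; the log lines, addresses and the `find_untrusted_autosign` helper are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
# (assumed log format; adjust the pattern to the proxy's real access log)
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
AUTOSIGN_PREFIX = "/puppet/ca/autosign/"  # endpoint named in the report


def find_untrusted_autosign(lines, trusted_sources):
    """Return (time, source, certname) for every successful autosign
    creation that came from a source outside trusted_sources."""
    findings = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not an access-log line (startup noise, stack traces)
        # Drop any query string and decode percent-escapes so the reported
        # name matches the entry that was written.
        path = unquote(m["path"].split("?", 1)[0])
        if m["method"] != "POST" or not path.startswith(AUTOSIGN_PREFIX):
            continue
        certname = path[len(AUTOSIGN_PREFIX):]
        if not certname or not m["status"].startswith("2"):
            continue  # rejected requests did not add an entry
        if m["host"] not in trusted_sources:
            findings.append((m["time"], m["host"], certname))
    return findings


# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jul/2014:09:14:02 +0000] "POST /puppet/ca/autosign/web01.example.com HTTP/1.1" 200 0
198.51.100.7 - - [12/Jul/2014:09:20:41 +0000] "POST /puppet/ca/autosign/rogue.example.net HTTP/1.1" 200 0
198.51.100.7 - - [12/Jul/2014:09:21:03 +0000] "GET /puppet/ca/autosign HTTP/1.1" 200 31
203.0.113.5 - - [12/Jul/2014:09:30:00 +0000] "POST /puppet/ca/autosign/db01.example.com HTTP/1.1" 403 0
"""
TRUSTED = {"192.0.2.10"}  # assumed address of the Foreman server

if __name__ == "__main__":
    for when, src, name in find_untrusted_autosign(SAMPLE_LOG.splitlines(), TRUSTED):
        print(f"{when}  {src}  autosign entry: {name}")
```

Any certname it reports should be compared against the CA's autosign entries and its list of signed certificates.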