Feature #6677
closed
Autosign entry additions should require authentication
Description
Using the smart proxy API, I can create an autosign entry by POSTing to http://smartproxy.example.com/puppet/ca/autosign/NAME without any authentication. There should be some type of trust relationship established between the client and the Smart Proxy on the CA (cert, OAuth, user/password, whatever) to prevent unauthorized users from being able to get the CA to sign a key.
This isn't the end of the world, but it does break the trust model in the CA to have untrusted things able to get the CA to sign keys.
I was able to reproduce this on Foreman 1.5.1, and assume it is always that way (hopefully not making an ass out of anyone).
Updated by Dominic Cleal about 10 years ago
- Related to Bug #7822: CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests added
Updated by Dominic Cleal about 10 years ago
We're fixing the requirement for SSL verification in #7822, but you give an HTTP example - are you running with or without SSL? I guess we could put in some authentication for the HTTP-only mode.
Updated by Michael Messmore about 10 years ago
Yeah, sorry, that was a typo. I can confirm that the behavior I observed is fixed in 1.5.4, because I was forced to add the cert to the request. Thanks!
Updated by Dominic Cleal about 10 years ago
- Status changed from New to Resolved
Ah great, thanks for the report.