Feature #6677 (closed)
Autosign entry additions should require authentication
Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Description
Using the smart proxy API, I can create an autosign entry by POSTing to http://smartproxy.example.com/puppet/ca/autosign/NAME without any authentication. There should be some type of trust relationship established between the client and the Smart Proxy on the CA (cert, OAuth, user/password, whatever) to prevent unauthorized users from being able to get the CA to sign a key.
This isn't the end of the world, but it does break the trust model in the CA to have untrusted things able to get the CA to sign keys.
I was able to reproduce this on Foreman 1.5.1, and assume it is always that way (hopefully not making an ass out of anyone).