Closed grandich closed 3 years ago
Tbh I didn’t know/forgot we supported passphrases at all on the private keys :)
Will need to do some testing to see how it works and what can be done
OK, so Ruby will prompt for the key passphrase on its own whenever OpenSSL::PKey::RSA.new is called, which we do repeatedly for every sign. And the Puppet application will make many many requests in a row. I guess old mcollective did cache the key.
I can cache the key in memory - though that's not really the best idea since the private key is then held in memory unencrypted for the duration of the client.
These days I am inclined to suggest using the AAA server model where you are concerned with the privacy of the keys, in that model you have no keys and can store a token in an environment variable in the shell - the token is valid for an hour or so. I appreciate that's a big change though and probably not worth it just for this.
What do you think @vjanelle?
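Ruby sketch of the in-memory caching approach discussed above, added here as an example (it is not code from the mcollective client): the encrypted PEM is parsed once with the passphrase passed explicitly, so OpenSSL::PKey::RSA.new never reaches its TTY prompt, and the decrypted key is reused for every signature. The key, passphrase and messages are constructed inline; the per-sign reload variant is shown beside it for contrast.

```ruby
require "openssl"

# Constructed stand-in for ~/.puppetlabs/etc/puppet/ssl/private_keys/<user>.mcollective.pem
# after `ssh-keygen -p`: an RSA private key encrypted under a passphrase. Generated here
# so the example runs offline; a real client would read the file from disk.
PASSPHRASE = "correct horse battery staple"
ENCRYPTED_PEM = OpenSSL::PKey::RSA.new(2048).export(OpenSSL::Cipher.new("aes-256-cbc"), PASSPHRASE)

# What the thread describes: the PEM is re-parsed for every signature, so the passphrase
# (or a prompt for it, when none is passed in) is needed once per request.
def sign_reloading_each_time(pem, passphrase, messages)
  messages.map do |m|
    OpenSSL::PKey::RSA.new(pem, passphrase).sign(OpenSSL::Digest.new("SHA256"), m)
  end
end

# The cached alternative: decrypt once, keep the decrypted key for the client's lifetime.
# Trade-off: the unencrypted key now lives in process memory until the object is dropped.
class CachedSigner
  def initialize(pem, passphrase)
    # Passing the passphrase explicitly means OpenSSL never falls back to a TTY prompt;
    # a wrong passphrase raises an OpenSSL::OpenSSLError instead of asking again.
    @key = OpenSSL::PKey::RSA.new(pem, passphrase)
  end

  def sign(message)
    @key.sign(OpenSSL::Digest.new("SHA256"), message)
  end

  def public_key_pem
    @key.public_key.to_pem
  end
end

# Verification with only the public half, as the receiving side would do.
def verify(public_pem, message, signature)
  OpenSSL::PKey::RSA.new(public_pem).verify(OpenSSL::Digest.new("SHA256"), signature, message)
end

if __FILE__ == $PROGRAM_NAME
  signer = CachedSigner.new(ENCRYPTED_PEM, PASSPHRASE)   # passphrase needed once
  %w[target-a target-b target-c].each do |host|          # many requests, no re-prompt
    msg = "puppet runonce #{host}"
    puts "#{host}: #{verify(signer.public_key_pem, msg, signer.sign(msg))}"
  end
end
```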
Is holding the key unencrypted really a threat vector?
OK merged a fix for that.
We are using 'ssh-keygen -p' on ~/.puppetlabs/etc/puppet/ssl/private_keys/<user>.mcollective.pem to protect private keys in a machine shared by multiple operators (mco clients), and it's annoying.
With old ruby mco client the passphrase was asked only once.
Depending on the plugin used, there can be lots of passphrase prompts, i.e. 'puppet' plugin (to force puppet runs) asks for it for every found target.