Open jerem991 opened 4 years ago
@jerem991 Thank you for reporting this issue.
I have a few questions to better understand the issue you are seeing.
When you use verify_master_pubkey_sign: True
on the master you generate a new key pair on the master, did you copy the master_sign.pub
to the minion key directory?
Did you check the minion log upon connection to see that it indeed used the master_sign.pub
key?
You should see this
[DEBUG ] salt.crypt.get_rsa_pub_key: Loading public key
[DEBUG ] salt.crypt.verify_signature: Loading public key
[DEBUG ] salt.crypt.get_rsa_pub_key: Loading public key
[DEBUG ] salt.crypt.verify_signature: Verifying signature
[DEBUG ] Successfully verified signature of master public key with verification public key master_sign.pub
Also after you removed the minion key on the master and copied master.pem -> master_sign.pem
and restarted, did you see this in the minion log?
[DEBUG ] salt.crypt.get_rsa_pub_key: Loading public key
[DEBUG ] Decrypting the current master AES key
[DEBUG ] salt.crypt.get_rsa_key: Loading private key
[DEBUG ] salt.crypt._get_key_with_evict: Loading private key
[DEBUG ] Loaded minion key: /etc/salt/pki/minion/minion.pem
Seems like for me, when we restart, it is not using the master_sign.pub key.
Wonder if you are seeing the same things in the logs?
I will also check with the core team if they have any thoughts on the issue. @saltstack/team-core
Thanks.
Hi @frogunder,
When you use verify_master_pubkey_sign: True on the master you generate a new key pair on the master, did you copy the master_sign.pub to the minion key directory?
Yes, I did it.
Did you check the minion log upon connection to see that it indeed used the master_sign.pub key?
Yes there was a successful connection.
Also after you removed the minion key on the master and copied master.pem -> master_sign.pem and restarted, did you see this in the minion log?
I have the exact same behaviour.
Wonder if you are seeing the same things in the logs?
Same things! 👍
Thanks!
@saltstack/team-core Can one of you take a look at this issue? Thanks
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
Thank you for updating this issue. It is no longer marked as stale.
I will get someone assigned from the core team.
@dwoz
Thank you for updating this issue. It is no longer marked as stale.
Description of Issue
While testing the verify master public key feature, we were able to replace the master_sign.pem on the master with a wrong private key and still successfully initiate a new minion connection to the master. This is a security issue, as an attacker who is able to retrieve the master_sign public key would be able to create a malicious master and potentially grab grains from minions, which can contain sensitive information.
Setup
Minion configuration
Master 1 configuration
Steps to Reproduce Issue
Versions Report
Minion & Master version: 2019.2.2 (Fluorine)
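As an added example (not Salt's code and not the reporter's), this replays the report with constructed keys in Go's standard library: a master.pub signed with a substituted master_sign.pem must be rejected by a minion that pins master_sign.pub, and the check has to run on every reconnect, not only the first connection. The SHA-256 / PKCS#1 v1.5 scheme and the key handling are assumptions for the demo, not Salt's exact implementation.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// encodePub renders a public key the way master.pub is stored: PEM text.
func encodePub(k *rsa.PublicKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(k)})
}
// signMasterPub is the master side: sign master.pub with master_sign.pem.
// SHA-256 / PKCS#1 v1.5 is an assumption for this demo, not Salt's exact scheme.
func signMasterPub(signKey *rsa.PrivateKey, masterPub []byte) ([]byte, error) {
	h := sha256.Sum256(masterPub)
	return rsa.SignPKCS1v15(rand.Reader, signKey, crypto.SHA256, h[:])
}
// verifyMasterPub is the minion side: accept master.pub only when its
// signature validates under the pinned master_sign.pub. A minion has to run
// this on every (re)connect; skipping it after a restart is the reported risk.
func verifyMasterPub(signPub *rsa.PublicKey, masterPub, sig []byte) bool {
	h := sha256.Sum256(masterPub)
	return rsa.VerifyPKCS1v15(signPub, crypto.SHA256, h[:], sig) == nil
}
// Scenario builds constructed keys: [0] genuine master_sign.pem, [1] master.pem,
// [2] a wrong private key dropped in place of master_sign.pem. It returns
// whether the genuine signature and the wrong-key signature are accepted.
func Scenario() (genuineOK, wrongOK bool, err error) {
	var keys [3]*rsa.PrivateKey
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return false, false, err
		}
	}
	masterPub := encodePub(&keys[1].PublicKey)
	goodSig, err1 := signMasterPub(keys[0], masterPub)
	badSig, err2 := signMasterPub(keys[2], masterPub)
	if err1 != nil || err2 != nil {
		return false, false, fmt.Errorf("signing failed: %v %v", err1, err2)
	}
	pinned := &keys[0].PublicKey // the minion's copy of master_sign.pub
	return verifyMasterPub(pinned, masterPub, goodSig), verifyMasterPub(pinned, masterPub, badSig), nil
}
func main() {
	genuine, wrong, err := Scenario()
	fmt.Println("genuine signature accepted:", genuine, "| wrong-key signature accepted:", wrong, "| err:", err)
}
```

Running it prints that the genuine signature is accepted and the wrong-key signature is rejected; a minion that logs a successful connection after master_sign.pem was swapped is not performing this check.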