Security – Authentication of saltmaster against salt minions

authenticationman-in-the-middlesaltstackSecurity

I am just getting started with salt and I am wondering how the saltmaster is being authenticated against the clients. I know that when connecting a minion the master has to accept the public key of the minion and therefore no unauthorized minions can connect. But what keeps someone from pretending to be the saltmaster, have all minions connecting to the wrong server and happily executing code and giving full access to an attacker?

Of course the minion connects to a given IP Address or hostname but it should be quite easy to hijack that…

Best Answer

Without extra effort nothing is preventing a (dubiously determined) attacker from initiating a man-in-the-middle attack during the first key exchange and all subsequent connections. This is the same risk inherent in any key exchange over the internet.

You can verify the fingerprints of both the master and the minion.

On master: sudo salt-key -F

On minion: sudo salt-call --local key.finger

But then you would have to trust that there isn't also an (elaborate) (sustained) man in the middle attack between you and the machine in question when you ssh into it. It is turtles all the way down.

The truly paranoid would have to pre-generate the keys offline (master and all minions) and hope along with the rest of us that their CPU's aren't somehow compromised in subtle ways we haven't yet discovered.

You can verify that the minion does refuse connecting to the master if the key doesn't later match up. Shutdown salt-minion, backup /etc/salt/pki/minion/minion_master.pub, alter it, and then start salt-minion in debug mode: sudo salt-minion -l debug

Related Solutions

How to list all connected Salt Stack minions

The official answer:

salt-run manage.up

Also useful are:

salt-run manage.status

salt-run manage.down

Salt minions keep losing connection to master

Connectivity issues are usually caused by the ZMQ library (less than 4.X.X) and/or salt version . Pleas run salt --versions-report on master and salt-call --versions-report in order to see what versions you are using. You should be running:

Salt: 2015.5.3
...
ZMQ: 4.0.5

You should also try to reproduce the issue with a simple vagrant-salt demo. Notice that you will need to change the salt versions in the vagrant file to "2015.5.3"

You haven't specified what OSes or Salt version you are using but there is ongoing issue with the zmq package used by salt that causes slow connections and drops. It is highly recommended to upgrade the zmq package: (this is redhat based sls file)

{% if grains['os'] in ('RedHat', 'CentOS', 'Fedora') %}
  {% if grains['os'] == 'Fedora' %}
    {% set repotype = 'fedora' %}
  {% else %}
    {% set repotype = 'epel' %}
  {% endif %}
saltstack-zeromq4:
  pkgrepo.managed:
    - humanname: Copr repo for zeromq4 owned by saltstack
    - baseurl: http://copr-be.cloud.fedoraproject.org/results/saltstack/zeromq4/{{ repotype }}-$releasever-$basearch/
    - gpgcheck: 0
    - skip_if_unavailable: True
    - enabled: 1
{% endif %}

{% if grains['os'] in ('RedHat', 'CentOS', 'Fedora') %}
update_zmq:
  pkg:
    - latest
    - pkgs:
      - zeromq
      - python-zmq
    - order: last
  cmd:
    - wait
    - name: echo service salt-minion restart | at now + 1 minute
    - watch:
      - pkg: update_zmq
{% endif %}

Another "hack" is to ping the machines every minute or so, just add this to the salt-master minion config:

"salt '*' test.ping > /dev/null":
  cron.present:
    - user: root
    - minute: '*/1'

You can also ping the master from the minion by setting the master_alive_interval option in the minion config file.

Best Answer

Related Solutions

How to list all connected Salt Stack minions

Salt minions keep losing connection to master

Related Topic