Security – the correct way to use Chef-server’s ‘validation key’

Tags: chef, security

It seems to me that the recommended way of adding clients to a chef server – or my understanding of it – is flawed.

From the docs:

When the chef-client runs, it checks if it has a client key.
If the client key does not exist, it then attempts to "borrow" the validation client's identity to register itself with the server.
In order to do that, the validation client's private key needs to be copied to the host and placed in /etc/chef/validation.pem.

So the "validation key" is basically the superuser credential, allowing anyone who possesses it full access to the chef server? Am I reading this right?

Surely the correct model would be for clients to generate their own keypair, and submit the public key to the chef server. Clients should never need access to this superuser "validation key".

How can I do it in this, more secure, manner?

Best Answer

It's not quite as insecure as that. The validation key can only be used for a couple of operations required to add a node.

For example, if I try to delete a node using the Chef validator key:

$ knife node delete -y foo \
    -u chef-validator \
    -k ~/.chef/chef-validator.pem \
    -s http://chef-server:4000

ERROR: You authenticated successfully to http://chef-server:4000 as chef-validator but you are not authorized for this action
Response:  You are not the correct node (auth_user name: chef-validator, params[:id]: foo), or are not an API administrator (admin: false).

Best practice is to delete the validation.pem file after the node has joined the Chef server.

To actually answer the question, you can create client keys using the knife client create command, but it's up to you to distribute these keys to the clients.

Secure key distribution is a hard problem.
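The workflow the answer sketches (pre-create a client with knife, hand the node its own key, and never leave validation.pem behind) as an added example; this is not code from the original post or from Chef itself. The node name "web01", the server URL, and the staging directory are hypothetical, and the knife step is kept behind a function because it needs a reachable Chef server:

```shell
#!/bin/sh
# Added example, not part of the original answer: provision a chef-client
# with a pre-created key so the node never needs the validation key.
set -eu

# Step 1 (on the workstation): create the client object on the Chef server.
# knife writes the generated private key to the path given by -f; -d skips
# the editor prompt. Not run by default here because it needs a live server.
create_client_key() {
  name=$1; out=$2
  knife client create "$name" -d -f "$out"
  chmod 600 "$out"
}

# Step 2: render a client.rb that authenticates with the node's own key.
# Note that no validation_key or validation_client_name is set at all, so a
# leaked copy of this file plus client.pem only ever yields that one client's
# identity, not the registration credential.
render_client_rb() {
  name=$1; server=$2
  printf '%s\n' \
    "node_name '$name'" \
    "chef_server_url '$server'" \
    "client_key '/etc/chef/client.pem'" \
    "ssl_verify_mode :verify_peer"
}

# Step 3 (on a node that was bootstrapped the documented way instead):
# remove validation.pem once client.pem exists. Refuses to delete it while
# the node has no client key yet, because the first run still needs it.
cleanup_validation_key() {
  dir=$1
  if [ ! -f "$dir/client.pem" ]; then
    echo "no client.pem in $dir: node not registered yet, keeping validation.pem" >&2
    return 1
  fi
  rm -f "$dir/validation.pem"
}

# Typical use on the workstation (hypothetical names):
#   create_client_key web01 ./web01.pem
#   render_client_rb web01 https://chef.example.com/organizations/acme > ./client.rb
# then copy web01.pem to /etc/chef/client.pem and client.rb to /etc/chef/client.rb
# on the node over an already-trusted channel (ssh, or the image build pipeline).
```

With the client object created ahead of time, the first chef-client run authenticates as that client and creates its node object, so the only secret that ever leaves the workstation is the key for that single client. The cleanup function is the safety net for hosts that were bootstrapped with validation.pem anyway: run it from the first converge and the registration credential does not linger on disk.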