Securely managing secrets with FreeIPA and Puppet
James Shubin, @purpleidea 
Config Mgmt. Architect 
Systems Engineering Group, Red Hat 
Puppet Camp, Boston 2014 
1 JAMES SHUBIN
Who am I ? 
● Puppet Hacker 
● Config Mgmt. Architect @ Red Hat 
● Technical Blogger: The Technical Blog of James, https://ttboj.wordpress.com/
● Physiologist (Cardiology Specialization) 
● All around hoopy frood... 
The status quo of secret management in Puppet is pretty poor...
Example 1 
class { '::foo':
    password => 'super-secret-thing',
    bad_idea => true,
}
Example 2 
class { '::foo':
    hashed   => '$1$mF86/UHC$WvcIcX2t6crBz2onW...',
    bad_idea => true,
}
Example 3 
# secret.yaml 
--- 
foo::params::password: 'ohai' 
foo::params::bad_idea: true 
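An added detection example (not from the slides): a small scanner that flags the three patterns above, a quoted literal in a manifest, a committed crypt(3) hash, and a literal in Hiera data, so it can run as a pre-commit or CI check. The sample manifest and Hiera file are constructed from Examples 1 to 3, with two extra lines that are fine because their value is resolved at catalog time.

```python
"""Flag committed secrets of the three kinds shown above, in Puppet manifests
and Hiera YAML, e.g. as a pre-commit or CI check. Constructed sample input below."""
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    line: int
    kind: str      # "plaintext", "crypt-hash" or "hiera-plaintext"
    name: str      # parameter name or Hiera key
    snippet: str   # truncated value, so the report itself does not leak the secret

SECRET_NAMES = r"(?:password|passwd|secret|token|api_key|private_key|hashed)"

# Example 1: `password => 'super-secret-thing',` as a quoted literal in a manifest.
MANIFEST_RE = re.compile(
    r"^\s*(?P<name>\w*" + SECRET_NAMES + r"\w*)\s*=>\s*"
    r"(?P<q>['\"])(?P<val>.*?)(?P=q)\s*,?\s*$", re.IGNORECASE)
# Example 3: `foo::params::password: 'ohai'` as a Hiera key/value.
HIERA_RE = re.compile(
    r"^\s*(?P<name>[\w:]*" + SECRET_NAMES + r"[\w:]*)\s*:\s*"
    r"(?P<q>['\"]?)(?P<val>[^#\n]*?)(?P=q)\s*$", re.IGNORECASE)
# Example 2: a crypt(3) hash ($1$ MD5, $5$ SHA-256, $6$ SHA-512) committed as a
# literal; it can be cracked offline, so it is treated as a secret too.
CRYPT_HASH_RE = re.compile(r"\$(?:1|5|6)\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]+")

def is_indirect(value: str, quote: str) -> bool:
    """True when the value is resolved at catalog time rather than committed."""
    v = value.strip()
    if v in ("", "undef"):
        return True
    if quote == '"' and v.startswith("$"):              # "${::foo::params::token}"
        return True
    return v.startswith(("%{", "lookup(", "hiera("))   # Hiera interpolation / lookups

def redact(value: str) -> str:
    return value.strip()[:3] + "..."

def scan(text: str) -> List[Finding]:
    """Return one Finding per offending line of a manifest or Hiera file."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                    # blank or comment line
        m = MANIFEST_RE.match(line) or HIERA_RE.match(line)
        if CRYPT_HASH_RE.search(line):
            val = m.group("val") if m else line
            name = m.group("name") if m else "?"
            findings.append(Finding(lineno, "crypt-hash", name, redact(val)))
        elif m and not is_indirect(m.group("val"), m.group("q")):
            kind = "plaintext" if "=>" in line else "hiera-plaintext"
            findings.append(Finding(lineno, kind, m.group("name"), redact(m.group("val"))))
    return findings

# Constructed samples: Examples 1-3 from the slides plus two lines that are fine
# because the value is looked up at runtime instead of being committed.
SAMPLE_MANIFEST = """\
class { '::foo':
  password => 'super-secret-thing',
  hashed   => '$1$mF86/UHC$WvcIcX2t6crBz2onW...',
  token    => "${::foo::params::token}",
  bad_idea => true,
}
"""
SAMPLE_HIERA = """\
---
foo::params::password: 'ohai'
foo::params::bad_idea: true
foo::params::api_key: "%{lookup('foo_api_key')}"
"""

if __name__ == "__main__":
    for label, text in (("manifest", SAMPLE_MANIFEST), ("hiera", SAMPLE_HIERA)):
        for f in scan(text):
            print(f"{label}:{f.line}: {f.kind} in {f.name} ({f.snippet})")
```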
There are some solutions which are better than others, but they are still not perfect...
hiera-gpg 
● Cute, but private key management can be a problem... 
● Probably a good idea for existing infrastructures, where you have one repo that is widely shared...
● Other issues: http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/
● Code: https://github.com/crayfishx/hiera-gpg 
hiera-eyaml 
● Better than hiera-gpg ! 
● Still has a private key management problem... 
● Comes with nice secret editing tools... 
● We still have to trust puppet more than necessary... 
● Code: https://github.com/TomPoulton/hiera-eyaml 
blackbox 
● Same problems as all the other asymmetric solutions 
● Nice documentation ! 
● Honest and upfront about the risks... 
● Comes with 20% more Limoncelli :) 
● Code: https://github.com/StackExchange/blackbox 
Do I love any of these solutions?
NOPE 
My solution... 
Local secret generation 
● Good DevOps hackers use/know/love GPG (PGP) 
● Tell puppet about your public key 
● Locally generate and encrypt secrets with public key 
● Optionally mail it out to your admin email address 
● Use FreeIPA to build out your security infrastructure 
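The steps above as an added, runnable round trip (example code, not the puppet-ipa module's own): the admin's keyring holds the private key, the Puppet/FreeIPA side imports only the public key, generates the secret, encrypts it to that one key, and builds the optional hand-off mail. It assumes GnuPG 2.x on PATH; the throwaway key, user id and sender address are constructed for the demo.

```python
"""Local secret generation as an offline round trip: the admin keeps the private
key, the Puppet/FreeIPA side holds only the public key, generates the secret,
and hands back ciphertext (plus an optional hand-off mail). Needs GnuPG 2.x on PATH."""
import os
import secrets
import subprocess
import tempfile
from email.message import EmailMessage
from pathlib import Path

def gpg(home: Path, args: list, data: bytes = b"") -> bytes:
    """Run gpg non-interactively against an isolated keyring and return stdout."""
    env = dict(os.environ, GNUPGHOME=str(home))
    res = subprocess.run(["gpg", "--batch", "--yes", "--quiet"] + args,
                         input=data, capture_output=True, env=env)
    if res.returncode != 0:
        raise RuntimeError(res.stderr.decode(errors="replace"))
    return res.stdout

def new_keyring() -> Path:
    return Path(tempfile.mkdtemp(prefix="gnupg-"))   # mkdtemp creates it mode 0700

def import_public_key(puppet_home: Path, armored_pubkey: bytes) -> str:
    """'Tell Puppet about your public key': import it and return the fingerprint."""
    status = gpg(puppet_home, ["--import", "--status-fd", "1"], armored_pubkey).decode()
    fprs = [ln.split()[3] for ln in status.splitlines() if ln.startswith("[GNUPG:] IMPORT_OK")]
    if not fprs:
        raise ValueError("gpg reported no imported key")
    return fprs[0]

def generate_encrypted_secret(puppet_home: Path, fingerprint: str, out: Path) -> str:
    """Generate the secret here, encrypt it to exactly one key, persist only ciphertext."""
    secret = secrets.token_urlsafe(24)
    armored = gpg(puppet_home, ["--armor", "--trust-model", "always",
                                "--recipient", fingerprint, "--encrypt"], secret.encode())
    out.write_bytes(armored)
    out.chmod(0o600)
    return secret   # used once (e.g. to set the FreeIPA password), never written in clear

def build_mail(to_addr: str, user: str, ciphertext: Path) -> str:
    """Optional hand-off mail: carries the .asc file, never the plaintext."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "puppet@example.com", to_addr     # assumed sender address
    msg["Subject"] = f"Encrypted initial password for {user}"
    msg.set_content("Decrypt the attachment with your private key.")
    msg.add_attachment(ciphertext.read_bytes(), maintype="application",
                       subtype="octet-stream", filename=ciphertext.name)
    return msg.as_string()

def round_trip(uid: str = "Test Admin <admin@example.com>") -> dict:
    """Both sides of the exchange, using a throwaway key generated for the demo."""
    admin = new_keyring()                   # the admin's machine: holds the private key
    gpg(admin, ["--pinentry-mode", "loopback", "--passphrase", "",
                "--quick-gen-key", uid, "default", "default", "never"])
    pubkey = gpg(admin, ["--armor", "--export", uid])
    puppet = new_keyring()                  # Puppet/FreeIPA side: public key only
    fpr = import_public_key(puppet, pubkey)
    asc = puppet / "admin.password.asc"
    secret = generate_encrypted_secret(puppet, fpr, asc)
    decrypted = gpg(admin, ["--pinentry-mode", "loopback", "--passphrase", "",
                            "--decrypt", str(asc)]).decode()
    return {"fingerprint": fpr, "secret": secret, "ciphertext": asc.read_bytes(),
            "decrypted": decrypted, "mail": build_mail("admin@example.com", "admin", asc)}

if __name__ == "__main__":
    r = round_trip()
    print("round trip OK" if r["decrypted"] == r["secret"] else "MISMATCH", r["fingerprint"])
```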
live demo... 
Red Hat funds good hackers so that we can... 
● Work on open source / free software things... 
● Speak at events like this... 
● Hack on good products and solutions... 
● For access to products, solutions, and support, visit: https://redhat.com/
Learn more 
● The Technical Blog of James: https://ttboj.wordpress.com/
● Puppet-IPA: https://github.com/purpleidea/puppet-ipa
● Technical article about this technique: https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/
● Contact me if you have any other questions: 
purpleidea @ { irc, twitter, redhat.com } 
Q & A ? 
Thank you & Happy Hacking ! 
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (Intermediate)