@@ -547,47 +547,13 @@ in Puppet source code, for various reasons: it is hard to erase
because code is stored in git, but also, ultimately, we want to
publish that source code publicly.
We have two mechanisms on how to do this now: a HKDF to generate
passwords by hashing a common secret, and Trocla, which generates
We use Trocla for this purpose, which generates
random passwords and stores the hash or, if necessary, the clear-text
in a YAML file.. The HKDF function is deprecated and should be
[replaced by Trocla][trocla-migration] eventually.
in a YAML file.
[trocla-migration]: https://bugs.torproject.org/30009
### hkdf
NOTE: this procedure is DEPRECATED and Trocla should be used instead,
see the [trocla migration ticket][trocla-migration] for details.
Old passwords in Puppet are managed through a [Key Derivation
Function][] (KDF), more specifically a [hash-based KDF][] that takes a
secret stored on the Puppet master (in `/etc/puppet/secret`)
concatenates this with a unique token picked by the caller, and
generates a secret unique to that token. An example:
[hash-based KDF]: https://en.wikipedia.org/wiki/HKDF
[Key Derivation Function]: https://en.wikipedia.org/wiki/Key_derivation_function
$secret = hkdf('/etc/puppet/secret', "dip-${::hostname}-base-secret")
This generates a unique passwords for the given token. The password is
then used, in clear text, by the puppet client as appropriate.
The function is an implementation of [RFC5869][], a [SHA256][]-based
HKDF taken from an earlier version of [John Downey's Rubygems
implementation][].
[John Downey's Rubygems implementation]: https://rubygems.org/gems/hkdf
[RFC5869]: https://tools.ietf.org/html/rfc5869
[SHA256]: https://en.wikipedia.org/wiki/SHA-2
### Trocla
[Trocla][] is another password-management solution that takes another
approach. With Trocla, each password is generated on the fly from a
secure entropy source ([Ruby's SecureRandom module][]) and stored
inside a state file (in `/var/lib/trocla/trocla_data.yml`, configured
With Trocla, each password is generated on the fly from a secure
entropy source ([Ruby's SecureRandom module][]) and stored inside a
state file (in `/var/lib/trocla/trocla_data.yml`, configured
`/etc/puppet/troclarc.yaml`) on the Puppet master.
Trocla can return "hashed" versions of the passwords, so that the
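Review bot: the rewritten opening of the `### Trocla` section drops the `[Trocla][]` link that the removed line `[Trocla][] is another password-management solution that takes another` carried, so nothing left in this hunk links to the Trocla project; keep the link by opening the new paragraph with `With [Trocla][], each password is generated on the fly from a` (or similar). Separately, deleting the whole `### hkdf` subsection also removes the only pointer to the migration ticket (`[trocla-migration]: https://bugs.torproject.org/30009`) and the statement that the `/etc/puppet/secret`-based KDF is deprecated. Since that function derives every password deterministically from the secret plus a token, the secret file stays sensitive and cannot be rotated without regenerating those passwords for as long as any `hkdf(...)` call remains; until the migration is actually complete, a one-line "HKDF-derived passwords are deprecated, see the migration ticket" reminder in the intro would preserve that operational caveat for readers of the published copy.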