Securely managing secrets with FreeIPA and Puppet
James Shubin, @purpleidea
Config Mgmt. Architect
Systems Engineering Group, Red Hat
Puppet Camp, Boston 2014
1 JAMES SHUBIN
Who am I?
● Puppet Hacker
● Config Mgmt. Architect @ Red Hat
● Technical Blogger: The Technical Blog of James
  https://ttboj.wordpress.com/
● Physiologist (Cardiology Specialization)
● All around hoopy frood...

The status quo of secret management in Puppet is pretty poor...
Example 1

  class { '::foo':
    password => 'super-secret-thing',
    bad_idea => true,
  }

Example 2

  class { '::foo':
    hashed   => '$1$mF86/UHC$WvcIcX2t6crBz2onW...',
    bad_idea => true,
  }

Example 3

  # secret.yaml
  ---
  foo::params::password: 'ohai'
  foo::params::bad_idea: true
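The three examples above are exactly what a reviewer or a pre-commit hook should catch before the manifest or hiera file reaches the repository. As an added example that is not from the talk, the following POSIX shell check flags those patterns: a quoted literal after a password-like parameter, a crypt-style hash literal (`$1$...`, `$6$...`) after any parameter, and a password-like hiera key with an inline value. The sample files it writes are constructed copies of the three slides plus one clean manifest; the regular expressions are heuristics that only see one-line quoted literals, so a miss is not proof of absence.

```shell
#!/bin/sh
# Added example (not part of the talk): a pre-commit style check that flags the
# three anti-patterns from the slides before they reach the puppet repo.
set -eu

# Print every line of $1 that looks like a hard-coded credential. The exit status
# is 0 whether or not anything matched, so callers count the printed lines.
#  pattern 1: Puppet DSL   password => 'literal'   (also passwd/secret/token)
#  pattern 2: Puppet DSL   anything => '$1$...' or '$6$...' crypt-style hashes
#  pattern 3: hiera YAML   foo::params::password: 'literal'
find_hardcoded_secrets() {
  grep -nE \
    -e "(password|passwd|secret|token)[[:space:]]*=>[[:space:]]*['\"][^'\"]+['\"]" \
    -e "=>[[:space:]]*['\"][$][0-9a-z]+[$][^'\"]*['\"]" \
    -e "^[[:space:]]*[A-Za-z0-9_:]*(password|passwd|secret|token):[[:space:]]*[^[:space:]]+" \
    "$1" || true
}

# Number of suspicious lines in $1 (what a CI job would compare against zero).
count_hardcoded_secrets() {
  find_hardcoded_secrets "$1" | wc -l | tr -d '[:space:]'
}

# Constructed sample input: the three slides plus a manifest with no literal.
write_samples() {
  dir=$1
  cat > "$dir/example1.pp" <<'EOF'
class { '::foo':
  password => 'super-secret-thing',
  bad_idea => true,
}
EOF
  cat > "$dir/example2.pp" <<'EOF'
class { '::foo':
  hashed   => '$1$mF86/UHC$WvcIcX2t6crBz2onW...',
  bad_idea => true,
}
EOF
  cat > "$dir/secret.yaml" <<'EOF'
---
foo::params::password: 'ohai'
foo::params::bad_idea: true
EOF
  cat > "$dir/clean.pp" <<'EOF'
# no literal in this file; the hiera data it refers to is scanned separately
class { '::foo':
  password => hiera('foo::password'),
}
EOF
}

main() {
  dir=$(mktemp -d)
  write_samples "$dir"
  for f in "$dir"/*; do
    echo "$(basename "$f"): $(count_hardcoded_secrets "$f") suspicious line(s)"
    find_hardcoded_secrets "$f" | sed 's/^/    /'
  done
  rm -rf "$dir"
}

main
```

Wire `count_hardcoded_secrets` into a pre-commit hook over the staged `.pp` and `.yaml` files and fail the commit on a non-zero count; the hash pattern matters because Example 2 shows that a hash in the repo is still a secret worth protecting.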
There are some solutions which are better than others, but they are still not perfect...

hiera-gpg
● Cute, but private key management can be a problem...
● Probably a good idea for existing infrastructures, where you have one repo that is widely shared...
● Other issues:
  http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/
● Code: https://github.com/crayfishx/hiera-gpg

hiera-eyaml
● Better than hiera-gpg!
● Still has a private key management problem...
● Comes with nice secret editing tools...
● We still have to trust puppet more than necessary...
● Code: https://github.com/TomPoulton/hiera-eyaml

blackbox
● Same problems as all the other asymmetric solutions
● Nice documentation!
● Honest and upfront about the risks...
● Comes with 20% more Limoncelli :)
● Code: https://github.com/StackExchange/blackbox

Do I love any of these solutions?

NOPE

My solution...
Local secret generation
● Good DevOps hackers use/know/love GPG (PGP)
● Tell puppet about your public key
● Locally generate and encrypt secrets with public key
● Optionally mail it out to your admin email address
● Use FreeIPA to build out your security infrastructure
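The bullets above describe a procedure, so here is the same scheme carried through with stock gpg in POSIX shell, as an added example that is not the talk's demo and not puppet-ipa's own code. Everything in it is constructed for the demo: the admin key pair, the user id demo-admin@example.com, the file names and the empty key passphrase are assumptions. It shows who holds what: the managed node (or puppet) is given only the public key and can therefore only produce ciphertext; the secret itself comes from the OS random source on the node, never from a manifest or hiera; and only the private key, which stays in the admin's keyring, can read it back.

```shell
#!/bin/sh
# Added example (not part of the talk or of puppet-ipa): "local secret
# generation" with stock gpg. Assumed names: demo-admin@example.com, admin.pub,
# password.gpg. The keys are generated without a passphrase for the demo only.
set -eu

# Admin workstation side: create a key pair and export the public half, which is
# the only thing puppet and the node are told. Prints the public key's path.
make_admin_key() {
  home=$1; uid=$2
  mkdir -p "$home"; chmod 700 "$home"
  echo allow-loopback-pinentry > "$home/gpg-agent.conf"
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$uid" default default never
  gpg --homedir "$home" --batch --quiet --armor --export "$uid" > "$home/admin.pub"
  printf '%s\n' "$home/admin.pub"
}

# Managed node side: import only the public key into a throwaway keyring, draw
# 32 random bytes, encrypt them to that key and keep nothing but the armored
# ciphertext in $3. The plaintext is piped, never passed on a command line.
generate_encrypted_secret() {
  pubkey=$1; recipient=$2; out=$3
  keyring=$(mktemp -d)
  gpg --homedir "$keyring" --batch --quiet --import "$pubkey"
  secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
  printf '%s' "$secret" | gpg --homedir "$keyring" --batch --quiet \
      --trust-model always --armor --recipient "$recipient" --output "$out" --encrypt
  unset secret                      # do not leave the plaintext in the shell
  gpgconf --homedir "$keyring" --kill gpg-agent 2>/dev/null || true
  rm -rf "$keyring"
  chmod 600 "$out"
}

# Admin side again, after the ciphertext has been mailed or copied back: decrypt
# with the private key that never left the admin's keyring ($1).
admin_decrypt() {
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt "$2"
}

main() {
  work=$(mktemp -d)
  pub=$(make_admin_key "$work/admin" "demo-admin@example.com")
  generate_encrypted_secret "$pub" "demo-admin@example.com" "$work/password.gpg"
  echo "== what puppet, git and the node keep on disk =="
  cat "$work/password.gpg"
  echo "== what only the holder of the private key can read =="
  admin_decrypt "$work/admin" "$work/password.gpg"; echo
  gpgconf --homedir "$work/admin" --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then main; else echo "gpg not found, skipping demo" >&2; fi
```

The armored `password.gpg` is the artifact you would mail to the admin address from the "optionally mail it out" bullet; because it is ciphertext for a key the node never had, a leaked catalog, repository or mailbox yields nothing without the admin's private key.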
Live demo...

Red Hat funds good hackers so that we can...
● Work on open source / free software things...
● Speak at events like this...
● Hack on good products and solutions...
● For access to products, solutions, and support, visit:
  https://redhat.com/

Learn more
● The Technical Blog of James:
  https://ttboj.wordpress.com/
● Puppet-IPA:
  https://github.com/purpleidea/puppet-ipa
● Technical article about this technique:
  https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/
● Contact me if you have any other questions:
  purpleidea @ { irc, twitter, redhat.com }

Q & A?

Thank you & Happy Hacking!
