What is the correct way to use Chef-server's 'validation key'?

Posted by Socio on Server Fault See other posts from Server Fault or by Socio
Published on 2012-10-31T09:05:06Z Indexed on 2012/12/19 23:05 UTC
Read the original article Hit count: 138

Filed under:

security

|

chef

It seems to me that the recommended way of adding clients to a chef server - or my understanding of it - is flawed.

When the chef-client runs, it checks if it has a client key. If the client key does not exist, it then attempts to "borrow" the validation client's identity to register itself with the server. In order to do that, the validation client's private key needs to be copied to the host and placed in /etc/chef/validation.pem.

So the "validation key" is basically the superuser credential, allowing anyone who possesses it full access to the chef server? Am I reading this right?

Surely the correct model would be for clients to generate their own keypair, and submit the public key to the chef server. Clients should never need access to this superuser "validation key".

How can I do it in this, more secure, manner?

© Server Fault or respective owner

Related posts about security

sudo apt-get update errors

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
Here is what I get on my terminal when running sudo apt-get update errors. I dont know if the issue is from my sources.list or my proxy setup(have not made any changes to proxies). Thank you for any help in advanced. Ign http://security.ubuntu.com oneiric-security Release.gpg Ign http://security… >>> More
The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

as seen on Devx - Search for 'Devx'
Two well-known white hats explain how hackers take advantage of security holes left by enterprise application developers. >>> More
The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

as seen on Internet.com - Search for 'Internet.com'
Two well-known white hats explain how hackers take advantage of security holes left by enterprise application developers. >>> More
StackOverFlowError while creating Mac object on AS400/Java

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello all, I am a newbie to AS400-Java programming. I am trying to create my first program to test the implementation of Message Authentication Code (MAC). I am trying to use the HMACSHA1 hash function. My (Java 1.4) program runs fine on a dev box (V5R4).But fails terribly on the QA box (V5R3). My… >>> More
Google App Engine - Spring Security Issue (java.security.AccessControlException)

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm currently getting the AccessControlException below when I deploy to app engine (I don't see it when I run in my local environment). I'm using GAE 1.3.1, Spring 3.0.1, and Spring Security 3.0.2. Any ideas how to get around this issue? It appears to be an issue with Spring Security trying to get… >>> More

Related posts about chef

Chef-solo cannot locate an nginx recipe template

as seen on Server Fault - Search for 'Server Fault'
I have been recently experimenting with Chef. I thought I would attempt to rebuild my personal web server using chef-solo. It's an AWS instance running the Amazon 64bit Linux AMI. My first objective is to install nginx. I have cloned the Opscode cookbook repository, and am using their nginx cookbook… >>> More
Open Source Chef Server can't upload cookbook

as seen on Server Fault - Search for 'Server Fault'
I just setup the open source chef server on an Ubuntu 12.04 EC2 instance, I've setup my webui and am able to get responses from my knife commands ie: knife node list, knife client list, knife user list, etc... I'm able to update roles, databags, environments, etc... but I cannot upload any cookbooks… >>> More
Chef: nested data bag data to template file returns "can't convert String into Integer"

as seen on Server Fault - Search for 'Server Fault'
I'm creating simple test recipe with a template and data bag. What I'm trying to do is creating a config file from data bag that has simple nested information, but I receive error "can't convert String into Integer" Here are my setting file 1) recipe/default.rb data1 = data_bag_item( 'mytest',… >>> More
Vagrant up doesn't load chef configs and doesn't keep an error log

as seen on Server Fault - Search for 'Server Fault'
I'm trying to set up a vagrant box and I'm running with all sort of troubles. Right now I'm getting a strange error message where it states there's a stack trace file with more info, but that file is no where to be found. This is the error: stdin: is not a tty [Sun, 16 Sep 2012 18:31:47 +0000]… >>> More
What are the benefits of running chef-server instead of chef-solo?

as seen on Server Fault - Search for 'Server Fault'
I am looking at automated deployment solutions for my team and have been playing with Chef for the past few days. I've been able to get a simple web app up an running from a base Red Hat VM using chef-solo. Our end goal is to use Chef (or another system) to automatically deploy application topologies… >>> More