Consider relaxing security checks in getcert.cgi for puppetagain certificate grabbing [for seamonkey]

RESOLVED DUPLICATE of bug 939543

Status

Infrastructure & Operations
RelOps: Puppet
5 years ago
4 years ago

People

(Reporter: Callek, Assigned: rail)

(Reporter)

Description

5 years ago
So, in puppet320, we have getcert.cgi which is used by the puppetizing process to allow us to automatically generate and have puppet-signed certs for hosts.

https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/Puppetization_Process

The getcert.cgi script has built-in security checks for the following:

* Host is within the 10.*.*.* range.
* Host is in DNS (per what the machine sees)
* Host's DNS reverse maps to mozilla.com
* Host's IP falls within an array of regexes we provide in secrets

The first 3 of the above block SeaMonkey from using this script for the following reasons:

* SeaMonkey hosts are allocated public IP ranges (63.245.223.*) [though no public netflows]
* SeaMonkey hosts must use Google DNS servers, and we don't expose DNS for these IPs
* due to no DNS, no mozilla.com DNS

The IP regex is still doable/usable.

-----

I don't even know if this is possible to do without DNS, but if it is, it would make setting up SeaMonkey machines easier... if it's not, I would love to figure out what I need to document to make it happen.

First needinfo to dustin if this is even something we can both do technically and something he would be `willing` to support in puppetAgain even if we config in order to keep all moco sec walls here.

If :dustin agrees with it, we'd then need to get opsec signoff before we can make it happen.

-----

I won't be offended if this is a horrible idea, even for seamonkey, and someone feels strongly enough to wontfix.
Flags: needinfo?(dustin)
The 10.0/8 check is redundant to the IP regexes, so that could be removed without issue.

DNS is required for functionality, not just security.  One option may be adding things to /etc/hosts on the puppetmaster.  But your hosts are in global DNS, so I don't see why that's an issue.

dustin@cerf ~ $ host sea-puppet.community.scl3.mozilla.com
sea-puppet.community.scl3.mozilla.com has address 63.245.223.125
dustin@cerf ~ $ host 63.245.223.125
125.223.245.63.in-addr.arpa domain name pointer sea-puppet.community.scl3.mozilla.com.
dustin@cerf ~ $

So yes, feel free to remove the 10.*.*.* check.  The rest should stay.  Please do that in a non-sec bug.
Flags: needinfo?(dustin)
Group: core-security → infra
Group: infra
Component: Server Operations: RelEng → RelOps: Puppet
Product: mozilla.org → Infrastructure & Operations
QA Contact: arich → dustin
Assignee: server-ops-releng → bugspam.Callek
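
The checks that remain once the hard-coded 10.* test is dropped (IP allowlist, reverse DNS under mozilla.com, forward lookup agreeing with the reverse), as an added sketch that is not part of the bug thread and not getcert.cgi's own code. The function name, the allowlist patterns, the suffix-match reading of "reverse maps to mozilla.com" and every DNS entry other than sea-puppet's are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed DNS data so the example runs offline. Only the sea-puppet pair
# comes from the lookups quoted in the thread; a live check would use
# socket.gethostbyaddr / socket.gethostbyname instead of these dicts.
FORWARD = {"sea-puppet.community.scl3.mozilla.com": "63.245.223.125"}
REVERSE = {
    "63.245.223.125": "sea-puppet.community.scl3.mozilla.com.",
    "63.245.223.200": "host200.mozilla.com.example.net.",   # suffix look-alike
    "63.245.223.77": "spoof.community.scl3.mozilla.com.",   # no forward record
}

# Hypothetical stand-in for the regex array kept in secrets.
ALLOWED_IP_PATTERNS = [r"10\.26\.\d+\.\d+", r"63\.245\.223\.\d+"]
REQUIRED_SUFFIX = ".mozilla.com"


def check_client(ip, forward=FORWARD, reverse=REVERSE,
                 patterns=ALLOWED_IP_PATTERNS):
    """Return (ok, detail) for a certificate request arriving from `ip`."""
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return False, "not an IPv4 address"
    # The allowlist alone decides which ranges are accepted, so a separate
    # 10.0.0.0/8 test adds nothing. fullmatch anchors both ends of the pattern.
    if not any(re.fullmatch(p, ip) for p in patterns):
        return False, "ip not in allowlist"
    ptr = reverse.get(ip)
    if ptr is None:
        return False, "no reverse DNS"
    name = ptr.rstrip(".").lower()
    # Suffix match on the full name, not a substring search for "mozilla.com".
    if not name.endswith(REQUIRED_SUFFIX):
        return False, "reverse name outside mozilla.com"
    # Forward-confirm: the PTR name must resolve back to the same address.
    if forward.get(name) != ip:
        return False, "forward lookup does not confirm reverse"
    return True, name
```
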
Rail, while you're changing getcert.cgi, can you remove the hard-coded 10.* check?  Easiest will be to just dupe this bug to wherever you make that change.
Assignee: bugspam.Callek → rail
(In reply to Dustin J. Mitchell [:dustin] (I read my bugmail; don't needinfo me) from comment #2)
> Rail, while you're changing getcert.cgi, can you remove the hard-coded 10.*
> check?  Easiest will be to just dupe this bug to wherever you make that
> change.

Done!
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 939543