benathon

Reputation: 7633

Chef chef-validator.pem security

Hi, I am setting up a cluster of machines using Chef at offsite locations. If one of these machines was stolen, what damage can the attacker do to my chef-server or other nodes by having possession of chef-validator.pem? What other things can they access through Chef? Thanks!

Upvotes: 8

Views: 4230

Answers (5)

Thilee

Reputation: 21

They can even connect any node to the chef server with the stolen key via the following steps.

  1. Copying and pasting the validator key into the /etc/chef folder on any machine

  2. Creating a client.rb file with the following details

    # client.rb: log to stdout and register with the organization
    # using the validator key copied in step 1
    log_location     STDOUT
    chef_server_url  "https://api.chef.io/organizations/ORGNAME"
    validation_client_name 'ORGNAME-validator'
    validation_key      '/etc/chef/validator.pem'

  3. Run chef-client to connect to the chef server

Upvotes: 2

lamont

Reputation: 3974

As of Chef 12.2.0 the validation key is no longer required:

https://blog.chef.io/2015/04/16/validatorless-bootstraps/

You can delete your validation key on your workstation and then knife will use your user credentials to create the node and client.

There are also some other nice features of this, since whatever you supply for the run_list and environment is also applied to the node when it is created. No more relying on the first-boot.json file being read by the chef-client and the run having to complete before the node.save creates the node at the end of the bootstrapping process.

Upvotes: 5

Harshal Vaidya

Reputation: 179

Basically, chef-client uses two-mode authentication to the server: 1) the organization validator.pem and 2) user.pem.

Unless and until there is the correct combination of these two keys, chef-client won't be able to authenticate with the chef server.

Upvotes: 2

Mark O'Connor

Reputation: 77951

This was one of the items discussed at a recent Foodfight episode on managing "secrets" in chef. Highly recommended watching:

The knife bootstrap operation uploads this key when initializing new chef clients. Possession of this key enables the client to register itself against your chef server. That is actually its only function; once the client is up and running, the validation key is no longer needed.

But it can be abused... As @cbl has pointed out, if an unauthorized third party gets access to this key, they can create new clients that can see everything on your chef server that normal clients can see. It can theoretically be used to create a denial-of-service attack on your chef server, by flooding it with registration requests.

The Foodfight panel recommends a simple solution. Enable the chef-client cookbook on all nodes. It contains a "delete_validation" recipe that will remove the validation key and reduce your risk exposure.

Upvotes: 15

cassianoleal

Reputation: 2566

The validator key is used to create new clients on the Chef Server.

Once the attacker gets hold of it, he can pretend he's a node in your infrastructure and have access to the same information any node has.

If you have sensitive information in an unencrypted data bag, for example, he'll have access to that.

Basically he'll be able to run any recipe from any cookbook, do searches (and have access to all your other nodes' attributes), read data bags, etc.

Keep that in mind when writing cookbooks and populating the other objects in the server. You could also somehow monitor the chef server for any suspicious client creation activity, and if you have any reason to believe that the validator key has been stolen, revoke it and issue a new one.

It's probably a good idea to rotate the key periodically as well.

Upvotes: 5
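As an added example (not code from this thread, nor from the chef-client cookbook itself), the following plain Ruby mirrors the two defensive measures the answers above describe: the guard behind a "delete_validation" style cleanup, which removes the validator key only after the node has obtained its own client key, and a simple audit of `knife client list` output for clients nobody bootstrapped. The file paths, the org name `ORGNAME`, the node names and the sample knife output are all constructed assumptions.

```ruby
require 'tmpdir'
require 'fileutils'

# Remove the organization validator key, but only once this node holds its
# own client key (i.e. registration with the Chef server has succeeded).
# Returns :absent, :not_registered or :deleted so a caller can log the result.
def delete_validation_key(validation_key:, client_key:)
  return :absent unless File.exist?(validation_key)
  return :not_registered unless File.exist?(client_key)
  FileUtils.rm_f(validation_key)
  :deleted
end

# Given the lines printed by `knife client list` and the node names you
# actually bootstrapped, return the clients that were not expected.
# The organization's own validator client ("<org>-validator") is excluded.
def unexpected_clients(client_list, expected_nodes, org:)
  validator = "#{org}-validator"
  client_list.map(&:strip).reject(&:empty?)
             .reject { |c| c == validator || expected_nodes.include?(c) }
end

# Constructed sample of `knife client list` output; not real data.
SAMPLE_CLIENT_LIST = <<~LIST.lines
  ORGNAME-validator
  web01.example.internal
  web02.example.internal
  db01.example.internal
  ip-10-0-0-77
LIST

# Constructed list of the nodes we know we bootstrapped.
EXPECTED_NODES = %w[web01.example.internal web02.example.internal db01.example.internal].freeze

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    v = File.join(dir, 'validation.pem')
    c = File.join(dir, 'client.pem')
    File.write(v, 'constructed validator key')
    # Client key missing: the validator must be kept for the first run.
    puts delete_validation_key(validation_key: v, client_key: c) # :not_registered
    File.write(c, 'constructed client key')
    # Client key present: the validator is now surplus and gets removed.
    puts delete_validation_key(validation_key: v, client_key: c) # :deleted
  end
  # One client that nobody bootstrapped shows up and deserves a look.
  p unexpected_clients(SAMPLE_CLIENT_LIST, EXPECTED_NODES, org: 'ORGNAME') # ["ip-10-0-0-77"]
end
```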
