SlideShare uma empresa Scribd logo
1 de 22
Baixar para ler offline
Securely managing secrets 
with FreeIPA and Puppet 
James Shubin, @purpleidea 
Config Mgmt. Architect 
Systems Engineering Group, Red Hat 
Puppet Camp, Boston 2014 
1 JAMES SHUBIN
Who am I ? 
● Puppet Hacker 
● Config Mgmt. Architect @ Red Hat 
● Technical Blogger: The Technical Blog of James 
https://ttboj.wordpress.com/ 
● Physiologist (Cardiology Specialization) 
● All around hoopy frood... 
2 JAMES SHUBIN
3 
the status-quo of secret 
management in puppet is 
pretty poor... 
JAMES SHUBIN
Example 1 
class { '::foo': 
password => 'super-secret-thing', 
bad_idea => true, 
} 
4 JAMES SHUBIN
5 JAMES SHUBIN
Example 2 
class { '::foo': 
hashed => '$1$mF86/UHC$WvcIcX2t6crBz2onW...', 
bad_idea => true, 
} 
6 JAMES SHUBIN
7 JAMES SHUBIN
Example 3 
# secret.yaml 
--- 
foo::params::password: 'ohai' 
foo::params::bad_idea: true 
8 JAMES SHUBIN
9 JAMES SHUBIN
there are some solutions 
which are better than others, 
but they are still not perfect... 
10 
JAMES SHUBIN
hiera-gpg 
● Cute, but private key management can be a problem... 
● Probably a good idea for existing infrastructures, 
where you have one repo that is widely shared... 
● Other issues: 
http://slashdevslashrandom.wordpress.com/2013/06/0 
3/my-griefs-with-hiera-gpg/ 
● Code: https://github.com/crayfishx/hiera-gpg 
11 JAMES SHUBIN
hiera-eyaml 
● Better than hiera-gpg ! 
● Still has a private key management problem... 
● Comes with nice secret editing tools... 
● We still have to trust puppet more than necessary... 
● Code: https://github.com/TomPoulton/hiera-eyaml 
12 JAMES SHUBIN
blackbox 
● Same problems as all the other asymmetric solutions 
● Nice documentation ! 
● Honest and upfront about the risks... 
● Comes with 20% more Limoncelli :) 
● Code: https://github.com/StackExchange/blackbox 
13 JAMES SHUBIN
14 
do I love any of these 
solutions ? 
JAMES SHUBIN
NOPE 
15 JAMES SHUBIN
My solution... 
JAMES SHUBIN
Local secret generation 
● Good DevOps hackers use/know/love GPG (PGP) 
● Tell puppet about your public key 
● Locally generate and encrypt secrets with public key 
● Optionally mail it out to your admin email address 
● Use FreeIPA to build out your security infrastructure 
17 JAMES SHUBIN
live demo... 
JAMES SHUBIN
Red Hat funds good hackers so that we can... 
● Work on open source / free software things... 
● Speak at events like this... 
● Hack on good products and solutions... 
● For access to products, solutions, and support, visit: 
ht tps: / / redhat .com/ 
19 JAMES SHUBIN
Learn more 
● The Technical Blog of James: 
https://ttboj.wordpress.com/ 
● Puppet-IPA: 
https://github.com/purpleidea/puppet-ipa 
● Technical article about this technique: 
https://ttboj.wordpress.com/2014/06/06/securely-managing- 
secrets-for-freeipa-with-puppet/ 
● Contact me if you have any other questions: 
purpleidea @ { irc, twitter, redhat.com } 
20 JAMES SHUBIN
Q & A ? 
JAMES SHUBIN
Thank you & Happy Hacking ! 
JAMES SHUBIN

Mais conteúdo relacionado

Mais procurados

Managing Windows Systems with Puppet - PuppetConf 2013
Managing Windows Systems with Puppet - PuppetConf 2013Managing Windows Systems with Puppet - PuppetConf 2013
Managing Windows Systems with Puppet - PuppetConf 2013Puppet
 
Lessons learned from Node.js - Callbacks / Promises
Lessons learned from Node.js - Callbacks / PromisesLessons learned from Node.js - Callbacks / Promises
Lessons learned from Node.js - Callbacks / PromisesJason K Yau
 
Around the PHP Community
Around the PHP CommunityAround the PHP Community
Around the PHP CommunityBen Ramsey
 
8-9-10=Jessie,Stretch,Buster
8-9-10=Jessie,Stretch,Buster8-9-10=Jessie,Stretch,Buster
8-9-10=Jessie,Stretch,BusterHideki Yamane
 
Debugging NET Applications With WinDBG
Debugging  NET Applications With WinDBGDebugging  NET Applications With WinDBG
Debugging NET Applications With WinDBGCory Foy
 
Having fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projectsHaving fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projectsJean-Frederic Clere
 
Website Hacking Oldie
Website Hacking OldieWebsite Hacking Oldie
Website Hacking OldieAung Khant
 
Open source applications softwares
Open source applications softwaresOpen source applications softwares
Open source applications softwaresTushar B Kute
 
Profile all the things! - Capital Go 2017
 Profile all the things! - Capital Go 2017 Profile all the things! - Capital Go 2017
Profile all the things! - Capital Go 2017John Potocny
 
Useful Vim Plugins
Useful Vim PluginsUseful Vim Plugins
Useful Vim Pluginsanveo
 
Symfony2 - A Short Introduction
Symfony2 - A Short IntroductionSymfony2 - A Short Introduction
Symfony2 - A Short IntroductionAndy Grunwald
 
Dynomite Eureka Registry With Prana
Dynomite Eureka Registry With PranaDynomite Eureka Registry With Prana
Dynomite Eureka Registry With PranaDiego Pacheco
 
ProjectTox: Free as in freedom Skype replacement
ProjectTox: Free as in freedom Skype replacementProjectTox: Free as in freedom Skype replacement
ProjectTox: Free as in freedom Skype replacementWei-Ning Huang
 
Webdevcon pierrejoye-php54-and-other
Webdevcon pierrejoye-php54-and-otherWebdevcon pierrejoye-php54-and-other
Webdevcon pierrejoye-php54-and-otherPierre Joye
 
Building dsl using groovy
Building dsl using groovyBuilding dsl using groovy
Building dsl using groovyPuneet Behl
 

Mais procurados (20)

We codeil save kermit
We codeil   save kermitWe codeil   save kermit
We codeil save kermit
 
Managing Windows Systems with Puppet - PuppetConf 2013
Managing Windows Systems with Puppet - PuppetConf 2013Managing Windows Systems with Puppet - PuppetConf 2013
Managing Windows Systems with Puppet - PuppetConf 2013
 
Lessons learned from Node.js - Callbacks / Promises
Lessons learned from Node.js - Callbacks / PromisesLessons learned from Node.js - Callbacks / Promises
Lessons learned from Node.js - Callbacks / Promises
 
Around the PHP Community
Around the PHP CommunityAround the PHP Community
Around the PHP Community
 
8-9-10=Jessie,Stretch,Buster
8-9-10=Jessie,Stretch,Buster8-9-10=Jessie,Stretch,Buster
8-9-10=Jessie,Stretch,Buster
 
Debugging NET Applications With WinDBG
Debugging  NET Applications With WinDBGDebugging  NET Applications With WinDBG
Debugging NET Applications With WinDBG
 
Having fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projectsHaving fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projects
 
Website Hacking Oldie
Website Hacking OldieWebsite Hacking Oldie
Website Hacking Oldie
 
Open source applications softwares
Open source applications softwaresOpen source applications softwares
Open source applications softwares
 
WeCode IL: Save Kermit
WeCode IL:  Save KermitWeCode IL:  Save Kermit
WeCode IL: Save Kermit
 
Is rust language really safe?
Is rust language really safe? Is rust language really safe?
Is rust language really safe?
 
Profile all the things! - Capital Go 2017
 Profile all the things! - Capital Go 2017 Profile all the things! - Capital Go 2017
Profile all the things! - Capital Go 2017
 
Useful Vim Plugins
Useful Vim PluginsUseful Vim Plugins
Useful Vim Plugins
 
Symfony2 - A Short Introduction
Symfony2 - A Short IntroductionSymfony2 - A Short Introduction
Symfony2 - A Short Introduction
 
Dynomite Eureka Registry With Prana
Dynomite Eureka Registry With PranaDynomite Eureka Registry With Prana
Dynomite Eureka Registry With Prana
 
ProjectTox: Free as in freedom Skype replacement
ProjectTox: Free as in freedom Skype replacementProjectTox: Free as in freedom Skype replacement
ProjectTox: Free as in freedom Skype replacement
 
Web socket with php v2
Web socket with php v2Web socket with php v2
Web socket with php v2
 
Redis導入
Redis導入Redis導入
Redis導入
 
Webdevcon pierrejoye-php54-and-other
Webdevcon pierrejoye-php54-and-otherWebdevcon pierrejoye-php54-and-other
Webdevcon pierrejoye-php54-and-other
 
Building dsl using groovy
Building dsl using groovyBuilding dsl using groovy
Building dsl using groovy
 

Semelhante a Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (Intermediate)

OSDC 2017 | Mgmt Config: Autonomous systems by James Shubin
OSDC 2017 | Mgmt Config: Autonomous systems by James ShubinOSDC 2017 | Mgmt Config: Autonomous systems by James Shubin
OSDC 2017 | Mgmt Config: Autonomous systems by James ShubinNETWAYS
 
OSDC 2017 - James Shubin - MGMT config autonomous systems
OSDC 2017 - James Shubin - MGMT config autonomous systemsOSDC 2017 - James Shubin - MGMT config autonomous systems
OSDC 2017 - James Shubin - MGMT config autonomous systemsNETWAYS
 
Berlinsides2017
Berlinsides2017Berlinsides2017
Berlinsides2017aestetix
 
a Sales Consultants guide to presenting and demos
a Sales Consultants guide to presenting and demosa Sales Consultants guide to presenting and demos
a Sales Consultants guide to presenting and demosJustin King
 
Monitoring Behavioral Driven Infrastructures mit Cucumber-Nagios by Mike Adolphs
Monitoring Behavioral Driven Infrastructures mit Cucumber-Nagios by Mike AdolphsMonitoring Behavioral Driven Infrastructures mit Cucumber-Nagios by Mike Adolphs
Monitoring Behavioral Driven Infrastructures mit Cucumber-Nagios by Mike AdolphsNETWAYS
 
Everyone Can Participate - Dr Nic Williams - Railssummit Brazil 2008
Everyone Can Participate - Dr Nic Williams - Railssummit Brazil 2008Everyone Can Participate - Dr Nic Williams - Railssummit Brazil 2008
Everyone Can Participate - Dr Nic Williams - Railssummit Brazil 2008Dr Nic Williams
 
How We Won Gamedev By Rolling Our Own Tech (notes included)
How We Won Gamedev By Rolling Our Own Tech (notes included)How We Won Gamedev By Rolling Our Own Tech (notes included)
How We Won Gamedev By Rolling Our Own Tech (notes included)Mihai Gosa
 
Advanced View of Projects Raspberry Pi List - Raspberry PI Projects (1).pdf
Advanced View of Projects Raspberry Pi List - Raspberry PI Projects (1).pdfAdvanced View of Projects Raspberry Pi List - Raspberry PI Projects (1).pdf
Advanced View of Projects Raspberry Pi List - Raspberry PI Projects (1).pdfIsmailkhan77481
 
PuppetConf 2016: Puppet Troubleshooting – Thomas Uphill, Wells Fargo
PuppetConf 2016: Puppet Troubleshooting – Thomas Uphill, Wells FargoPuppetConf 2016: Puppet Troubleshooting – Thomas Uphill, Wells Fargo
PuppetConf 2016: Puppet Troubleshooting – Thomas Uphill, Wells FargoPuppet
 
My talk on Piter Py 2016
My talk on Piter Py 2016My talk on Piter Py 2016
My talk on Piter Py 2016Alex Chistyakov
 
HackPittsburgh Updates For DevHousePgh
HackPittsburgh Updates For DevHousePghHackPittsburgh Updates For DevHousePgh
HackPittsburgh Updates For DevHousePghMarty McGuire
 
One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009Philippe Gamache
 
HoneyPy & HoneyDB (CarolinaCon 13)
HoneyPy & HoneyDB (CarolinaCon 13)HoneyPy & HoneyDB (CarolinaCon 13)
HoneyPy & HoneyDB (CarolinaCon 13)Phillip Maddux
 
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|re
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|reBSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|re
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|reChandra Pratap
 
DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...
DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...
DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...DevSecCon
 
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...Sandro Zaccarini
 
Your money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorialYour money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorialSecurity BSides London
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwordsFrancois Marier
 
HoneyPy & HoneyDB (LASCON 2016)
HoneyPy & HoneyDB (LASCON 2016)HoneyPy & HoneyDB (LASCON 2016)
HoneyPy & HoneyDB (LASCON 2016)Phillip Maddux
 

Semelhante a Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (Intermediate) (20)

OSDC 2017 | Mgmt Config: Autonomous systems by James Shubin
OSDC 2017 | Mgmt Config: Autonomous systems by James ShubinOSDC 2017 | Mgmt Config: Autonomous systems by James Shubin
OSDC 2017 | Mgmt Config: Autonomous systems by James Shubin
 
OSDC 2017 - James Shubin - MGMT config autonomous systems
OSDC 2017 - James Shubin - MGMT config autonomous systemsOSDC 2017 - James Shubin - MGMT config autonomous systems
OSDC 2017 - James Shubin - MGMT config autonomous systems
 
Berlinsides2017
Berlinsides2017Berlinsides2017
Berlinsides2017
 
a Sales Consultants guide to presenting and demos
a Sales Consultants guide to presenting and demosa Sales Consultants guide to presenting and demos
a Sales Consultants guide to presenting and demos
 
Empire Work shop
Empire Work shopEmpire Work shop
Empire Work shop
 
Monitoring Behavioral Driven Infrastructures mit Cucumber-Nagios by Mike Adolphs
Monitoring Behavioral Driven Infrastructures mit Cucumber-Nagios by Mike AdolphsMonitoring Behavioral Driven Infrastructures mit Cucumber-Nagios by Mike Adolphs
Monitoring Behavioral Driven Infrastructures mit Cucumber-Nagios by Mike Adolphs
 
Everyone Can Participate - Dr Nic Williams - Railssummit Brazil 2008
Everyone Can Participate - Dr Nic Williams - Railssummit Brazil 2008Everyone Can Participate - Dr Nic Williams - Railssummit Brazil 2008
Everyone Can Participate - Dr Nic Williams - Railssummit Brazil 2008
 
How We Won Gamedev By Rolling Our Own Tech (notes included)
How We Won Gamedev By Rolling Our Own Tech (notes included)How We Won Gamedev By Rolling Our Own Tech (notes included)
How We Won Gamedev By Rolling Our Own Tech (notes included)
 
Advanced View of Projects Raspberry Pi List - Raspberry PI Projects (1).pdf
Advanced View of Projects Raspberry Pi List - Raspberry PI Projects (1).pdfAdvanced View of Projects Raspberry Pi List - Raspberry PI Projects (1).pdf
Advanced View of Projects Raspberry Pi List - Raspberry PI Projects (1).pdf
 
PuppetConf 2016: Puppet Troubleshooting – Thomas Uphill, Wells Fargo
PuppetConf 2016: Puppet Troubleshooting – Thomas Uphill, Wells FargoPuppetConf 2016: Puppet Troubleshooting – Thomas Uphill, Wells Fargo
PuppetConf 2016: Puppet Troubleshooting – Thomas Uphill, Wells Fargo
 
My talk on Piter Py 2016
My talk on Piter Py 2016My talk on Piter Py 2016
My talk on Piter Py 2016
 
HackPittsburgh Updates For DevHousePgh
HackPittsburgh Updates For DevHousePghHackPittsburgh Updates For DevHousePgh
HackPittsburgh Updates For DevHousePgh
 
One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009
 
HoneyPy & HoneyDB (CarolinaCon 13)
HoneyPy & HoneyDB (CarolinaCon 13)HoneyPy & HoneyDB (CarolinaCon 13)
HoneyPy & HoneyDB (CarolinaCon 13)
 
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|re
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|reBSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|re
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|re
 
DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...
DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...
DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...
 
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
 
Your money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorialYour money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorial
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwords
 
HoneyPy & HoneyDB (LASCON 2016)
HoneyPy & HoneyDB (LASCON 2016)HoneyPy & HoneyDB (LASCON 2016)
HoneyPy & HoneyDB (LASCON 2016)
 

Mais de Puppet

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyamlPuppet
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)Puppet
 
Puppet camp vscode
Puppet camp vscodePuppet camp vscode
Puppet camp vscodePuppet
 
Modules of the twenties
Modules of the twentiesModules of the twenties
Modules of the twentiesPuppet
 
Applying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codeApplying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codePuppet
 
KGI compliance as-code approach
KGI compliance as-code approachKGI compliance as-code approach
KGI compliance as-code approachPuppet
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationPuppet
 
Keynote: Puppet camp compliance
Keynote: Puppet camp complianceKeynote: Puppet camp compliance
Keynote: Puppet camp compliancePuppet
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowPuppet
 
Puppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Puppet
 
Accelerating azure adoption with puppet
Accelerating azure adoption with puppetAccelerating azure adoption with puppet
Accelerating azure adoption with puppetPuppet
 
Puppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkPuppet
 
Take control of your dev ops dumping ground
Take control of your  dev ops dumping groundTake control of your  dev ops dumping ground
Take control of your dev ops dumping groundPuppet
 
100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy SoftwarePuppet
 
Puppet User Group
Puppet User GroupPuppet User Group
Puppet User GroupPuppet
 
Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsPuppet
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyPuppet
 

Mais de Puppet (20)

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepo
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyaml
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)
 
Puppet camp vscode
Puppet camp vscodePuppet camp vscode
Puppet camp vscode
 
Modules of the twenties
Modules of the twentiesModules of the twenties
Modules of the twenties
 
Applying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codeApplying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance code
 
KGI compliance as-code approach
KGI compliance as-code approachKGI compliance as-code approach
KGI compliance as-code approach
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
 
Keynote: Puppet camp compliance
Keynote: Puppet camp complianceKeynote: Puppet camp compliance
Keynote: Puppet camp compliance
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNow
 
Puppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet: The best way to harden Windows
Puppet: The best way to harden Windows
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020
 
Accelerating azure adoption with puppet
Accelerating azure adoption with puppetAccelerating azure adoption with puppet
Accelerating azure adoption with puppet
 
Puppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael Pinson
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin Reeuwijk
 
Take control of your dev ops dumping ground
Take control of your  dev ops dumping groundTake control of your  dev ops dumping ground
Take control of your dev ops dumping ground
 
100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software
 
Puppet User Group
Puppet User GroupPuppet User Group
Puppet User Group
 
Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOps
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
 

Último

Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Incrobinwilliams8624
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 
New ThousandEyes Product Features and Release Highlights: March 2024
New ThousandEyes Product Features and Release Highlights: March 2024New ThousandEyes Product Features and Release Highlights: March 2024
New ThousandEyes Product Features and Release Highlights: March 2024ThousandEyes
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxJoão Esperancinha
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsJaydeep Chhasatia
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesShyamsundar Das
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionsNirav Modi
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxAutus Cyber Tech
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native BuildpacksVish Abrams
 
How to Improve the Employee Experience? - HRMS Software
How to Improve the Employee Experience? - HRMS SoftwareHow to Improve the Employee Experience? - HRMS Software
How to Improve the Employee Experience? - HRMS SoftwareNYGGS Automation Suite
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIIvo Andreev
 

Último (20)

Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Inc
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
New ThousandEyes Product Features and Release Highlights: March 2024
New ThousandEyes Product Features and Release Highlights: March 2024New ThousandEyes Product Features and Release Highlights: March 2024
New ThousandEyes Product Features and Release Highlights: March 2024
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptx
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security Challenges
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspections
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native Buildpacks
 
How to Improve the Employee Experience? - HRMS Software
How to Improve the Employee Experience? - HRMS SoftwareHow to Improve the Employee Experience? - HRMS Software
How to Improve the Employee Experience? - HRMS Software
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 

Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (Intermediate)

  • 1. Securely managing secrets with FreeIPA and Puppet James Shubin, @purpleidea Config Mgmt. Architect Systems Engineering Group, Red Hat Puppet Camp, Boston 2014 1 JAMES SHUBIN
  • 2. Who am I ? ● Puppet Hacker ● Config Mgmt. Architect @ Red Hat ● Technical Blogger: The Technical Blog of James https://ttboj.wordpress.com/ ● Physiologist (Cardiology Specialization) ● All around hoopy frood... 2 JAMES SHUBIN
  • 3. 3 the status-quo of secret management in puppet is pretty poor... JAMES SHUBIN
  • 4. Example 1 class { '::foo': password => 'super-secret-thing', bad_idea => true, } 4 JAMES SHUBIN
  • 6. Example 2 class { '::foo': hashed => '$1$mF86/UHC$WvcIcX2t6crBz2onW...', bad_idea => true, } 6 JAMES SHUBIN
  • 8. Example 3 # secret.yaml --- foo::params::password: 'ohai' foo::params::bad_idea: true 8 JAMES SHUBIN
  • 10. there are some solutions which are better than others, but they are still not perfect... 10 JAMES SHUBIN
  • 11. hiera-gpg ● Cute, but private key management can be a problem... ● Probably a good idea for existing infrastructures, where you have one repo that is widely shared... ● Other issues: http://slashdevslashrandom.wordpress.com/2013/06/0 3/my-griefs-with-hiera-gpg/ ● Code: https://github.com/crayfishx/hiera-gpg 11 JAMES SHUBIN
  • 12. hiera-eyaml ● Better than hiera-gpg ! ● Still has a private key management problem... ● Comes with nice secret editing tools... ● We still have to trust puppet more than necessary... ● Code: https://github.com/TomPoulton/hiera-eyaml 12 JAMES SHUBIN
  • 13. blackbox ● Same problems as all the other asymmetric solutions ● Nice documentation ! ● Honest and upfront about the risks... ● Comes with 20% more Limoncelli :) ● Code: https://github.com/StackExchange/blackbox 13 JAMES SHUBIN
  • 14. 14 do I love any of these solutions ? JAMES SHUBIN
  • 15. NOPE 15 JAMES SHUBIN
  • 17. Local secret generation ● Good DevOps hackers use/know/love GPG (PGP) ● Tell puppet about your public key ● Locally generate and encrypt secrets with public key ● Optionally mail it out to your admin email address ● Use FreeIPA to build out your security infrastructure 17 JAMES SHUBIN
  • 19. Red Hat funds good hackers so that we can... ● Work on open source / free software things... ● Speak at events like this... ● Hack on good products and solutions... ● For access to products, solutions, and support, visit: ht tps: / / redhat .com/ 19 JAMES SHUBIN
  • 20. Learn more ● The Technical Blog of James: https://ttboj.wordpress.com/ ● Puppet-IPA: https://github.com/purpleidea/puppet-ipa ● Technical article about this technique: https://ttboj.wordpress.com/2014/06/06/securely-managing- secrets-for-freeipa-with-puppet/ ● Contact me if you have any other questions: purpleidea @ { irc, twitter, redhat.com } 20 JAMES SHUBIN
  • 21. Q & A ? JAMES SHUBIN
  • 22. Thank you & Happy Hacking ! JAMES SHUBIN