Project

General

Profile

Actions

User story #6253

closed

User story #6363: Secure agent/server communication

Generate 4k rsa keys for agents

Added by Florian Heigl almost 10 years ago. Updated over 6 years ago.

Status:
Released
Priority:
3
Category:
System integration
Target version:
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:

Description

Hi,

CFEngine by default uses a 2Kbit RSA key.
There is no way in cf-key to change the value as of now.

On the other hand it is just a key, so it would be possible to create a far safer 4k one.
it would be viable to pre-seed that key, even for all hosts since rudder already has it's own CFEngine package.

I think on the root server / relay servers it is even more important, so at worst it could just be put in docs & manually done when setting up the root / relays.


Subtasks 1 (0 open1 closed)

User story #12095: Generate 4k rsa keys for agents during factory resetReleasedBenoît PECCATTEActions

Related issues 2 (0 open2 closed)

Related to Rudder - User story #8552: Add a command to show agent auth infoReleasedBenoît PECCATTEActions
Related to Rudder - User story #12241: Backport key size option for cf-keyReleasedBenoît PECCATTEActions
Actions #1

Updated by François ARMAND almost 10 years ago

  • Assignee set to Benoît PECCATTE
  • Priority changed from N/A to 3
  • Target version set to 3.1.0~beta1

You are clearly right that 2048 RSA key won't do forever. Actually, we should not even have to do compile anything to change key sizes, it should just be an option of cf-key.

Benoit, I'm sure you burn to look into cf-key code to see how the key size is chosen so that we can at least understand the complexity of the query.

Actions #2

Updated by Benoît PECCATTE almost 10 years ago

  • Parent task set to #6363
Actions #3

Updated by Benoît PECCATTE almost 10 years ago

  • Status changed from New to 8
  • Assignee deleted (Benoît PECCATTE)

This will be done with the rest of the security related tickets in parent ticket #6363

Actions #4

Updated by Benoît PECCATTE over 9 years ago

In rudder-agent postinst, we call
/var/rudder/cfengine-community/bin/cf-key

This call can be simply replaced by:

openssl genrsa -des3 -out localhost.priv -passout "pass:Cfengine passphrase" 4096
openssl rsa -in localhost.priv -passin "pass:Cfengine passphrase" -RSAPublicKey_out -out localhost.pub

Actions #5

Updated by Benoît PECCATTE over 9 years ago

RSAPublicKey_out is the default when it is not supported, so use it when it works and don't when it doesn't

Silly ? yes

Actions #6

Updated by Benoît PECCATTE over 9 years ago

  • Status changed from 8 to New
Actions #7

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.0~beta1 to 3.1.0~rc1
Actions #8

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.0~rc1 to 3.1.0
Actions #9

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.0 to 3.1.1
Actions #10

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.1 to 3.1.2
Actions #11

Updated by Jonathan CLARKE over 9 years ago

  • Target version changed from 3.1.2 to 3.2.0~beta1
Actions #12

Updated by Vincent MEMBRÉ about 9 years ago

  • Target version changed from 3.2.0~beta1 to 3.2.0~rc1
Actions #13

Updated by Benoît PECCATTE about 9 years ago

  • Target version changed from 3.2.0~rc1 to 3.2.0~rc2
Actions #14

Updated by Benoît PECCATTE almost 9 years ago

  • Target version changed from 3.2.0~rc2 to 3.2.0
Actions #15

Updated by Vincent MEMBRÉ almost 9 years ago

  • Target version changed from 3.2.0 to 3.2.1
Actions #16

Updated by Vincent MEMBRÉ almost 9 years ago

  • Target version changed from 3.2.1 to 3.2.2
Actions #17

Updated by Alexis Mousset almost 9 years ago

  • Target version changed from 3.2.2 to 4.0.0~rc2
Actions #18

Updated by Alexis Mousset over 8 years ago

Actions #19

Updated by François ARMAND about 8 years ago

  • Target version changed from 4.0.0~rc2 to 4.1.0~beta1
Actions #20

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 4.1.0~beta1 to 4.1.0~beta2
Actions #21

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 4.1.0~beta2 to 4.1.0~beta3
Actions #22

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 4.1.0~beta3 to 4.1.0~rc1
Actions #23

Updated by François ARMAND almost 8 years ago

  • Target version changed from 4.1.0~rc1 to 4.2.0~beta1
Actions #24

Updated by Alexis Mousset over 7 years ago

  • Target version changed from 4.2.0~beta1 to 4.2.0~beta2
Actions #25

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.2.0~beta2 to 4.2.0~beta3
Actions #26

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.2.0~beta3 to 4.2.0~rc1
Actions #27

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.2.0~rc1 to 4.2.0~rc2
Actions #28

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 4.2.0~rc2 to 4.2.0
Actions #29

Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 4.2.0 to 4.2.1
Actions #30

Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 4.2.1 to 4.2.2
Actions #31

Updated by Alexis Mousset about 7 years ago

  • Subject changed from CFEngine Improvement: root server / relay keys to Generate 4k rsa keys for agents
  • Target version changed from 4.2.2 to 4.3.0~beta1
Actions #32

Updated by Vincent MEMBRÉ almost 7 years ago

  • Target version changed from 4.3.0~beta1 to 4.3.0~rc1
Actions #33

Updated by Benoît PECCATTE almost 7 years ago

  • Status changed from New to In progress
  • Assignee set to Benoît PECCATTE
Actions #34

Updated by Benoît PECCATTE almost 7 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Benoît PECCATTE to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/1495
Actions #35

Updated by Vincent MEMBRÉ almost 7 years ago

  • Target version changed from 4.3.0~rc1 to 4.3.0~rc2
Actions #36

Updated by Alexis Mousset almost 7 years ago

Actions #37

Updated by Vincent MEMBRÉ over 6 years ago

  • Target version changed from 4.3.0~rc2 to 4.3.0~rc3
Actions #38

Updated by Alexis Mousset over 6 years ago

  • Status changed from Pending technical review to New
Actions #39

Updated by Alexis Mousset over 6 years ago

  • Status changed from New to In progress
Actions #40

Updated by Alexis Mousset over 6 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to Benoît PECCATTE
  • Pull Request changed from https://github.com/Normation/rudder-packages/pull/1495 to https://github.com/Normation/rudder-packages/pull/1568
Actions #41

Updated by Alexis Mousset over 6 years ago

  • Status changed from Pending technical review to Pending release
Actions #42

Updated by Vincent MEMBRÉ over 6 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 4.3.0~rc3 which was released today.

Actions

Also available in: Atom PDF