User story #6253

Generate 4k rsa keys for agents

Added by Florian Heigl about 5 years ago. Updated almost 2 years ago.

Status:
Released
Priority:
3
Category:
System integration
Target version:
Suggestion strength:
User visibility:
Effort required:

Description

Hi,

CFEngine by default uses a 2Kbit RSA key.
There is no way in cf-key to change the value as of now.

On the other hand it is just a key, so it would be possible to create a far safer 4k one.
It would be viable to pre-seed that key, even for all hosts, since Rudder already has its own CFEngine package.

I think on the root server / relay servers it is even more important, so at worst it could just be put in docs & manually done when setting up the root / relays.


Subtasks

User story #12095: Generate 4k rsa keys for agents during factory reset (Released, Benoît PECCATTE)

Related issues

Related to Rudder - User story #8552: Add a command to show agent auth info (Released, Benoît PECCATTE)
Related to Rudder - User story #12241: Backport key size option for cf-key (Released, Benoît PECCATTE)
#1

Updated by François ARMAND about 5 years ago

  • Assignee set to Benoît PECCATTE
  • Priority changed from N/A to 3
  • Target version set to 3.1.0~beta1

You are clearly right that a 2048-bit RSA key won't do forever. Actually, we should not even have to compile anything to change key sizes; it should just be an option of cf-key.

Benoît, I'm sure you are burning to look into the cf-key code to see how the key size is chosen, so that we can at least understand the complexity of the query.

#2

Updated by Benoît PECCATTE about 5 years ago

  • Parent task set to #6363
#3

Updated by Benoît PECCATTE about 5 years ago

  • Status changed from New to 8
  • Assignee deleted (Benoît PECCATTE)

This will be done with the rest of the security-related tickets in parent ticket #6363.

#4

Updated by Benoît PECCATTE about 5 years ago

In rudder-agent postinst, we call
/var/rudder/cfengine-community/bin/cf-key

This call can be simply replaced by:

openssl genrsa -des3 -out localhost.priv -passout "pass:Cfengine passphrase" 4096
openssl rsa -in localhost.priv -passin "pass:Cfengine passphrase" -RSAPublicKey_out -out localhost.pub

#5

Updated by Benoît PECCATTE about 5 years ago

RSAPublicKey_out is the default when it is not supported, so use it when it works and don't when it doesn't.

Silly? Yes.
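
A check for the keys produced by the commands in #4, covering both output shapes discussed in #5, as an added example that is not part of this ticket or of Rudder's code: it reads a localhost.pub written either with -RSAPublicKey_out (PKCS#1 "RSA PUBLIC KEY") or without it (SPKI "PUBLIC KEY") and reports the modulus size, so a postinst or an audit script can confirm the agent really got a 4096-bit key. The moduli N4096 and N2048 are constructed placeholders, not real keys.

```python
import base64
import re

# Added example (not Rudder/CFEngine code): size/format check for the localhost.pub the
# openssl commands above produce. -RSAPublicKey_out writes PKCS#1 "RSA PUBLIC KEY" =
# SEQUENCE { n, e }; plain -pubout writes SPKI "PUBLIC KEY" wrapping that in a BIT STRING.

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body
def _der_int(v):  # DER INTEGER, padded so it stays positive
    body = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)
def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def pkcs1_pem(n, e):  # constructed sample in the -RSAPublicKey_out shape
    return _pem("RSA PUBLIC KEY", _tlv(0x30, _der_int(n) + _der_int(e)))
def spki_pem(n, e):  # constructed sample in the -pubout shape (rsaEncryption OID)
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    bits = _tlv(0x03, b"\x00" + _tlv(0x30, _der_int(n) + _der_int(e)))
    return _pem("PUBLIC KEY", _tlv(0x30, alg + bits))

def _read_tlv(buf, pos):  # returns (tag, value, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def rsa_key_bits(pem):  # -> (PEM label, modulus bit length), either shape
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END", pem, re.S)
    label = m.group(1)
    _, body, _ = _read_tlv(base64.b64decode("".join(m.group(2).split())), 0)
    if label == "PUBLIC KEY":
        _, _, p = _read_tlv(body, 0)           # skip AlgorithmIdentifier
        _, bitstr, _ = _read_tlv(body, p)      # BIT STRING; byte 0 = unused-bit count
        _, body, _ = _read_tlv(bitstr[1:], 0)  # inner PKCS#1 RSAPublicKey
    _, n_bytes, _ = _read_tlv(body, 0)         # modulus n is the first INTEGER
    return label, int.from_bytes(n_bytes, "big").bit_length()

# Constructed moduli (not real keys): only their bit length matters for this check.
N4096 = (1 << 4095) | 0xC0FFEE | 1
N2048 = (1 << 2047) | 0xC0FFEE | 1
```

On a host, `rsa_key_bits(open("localhost.pub").read())` gives the label and size of the key the postinst actually wrote, whichever openssl option was available.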

#6

Updated by Benoît PECCATTE about 5 years ago

  • Status changed from 8 to New
#7

Updated by Vincent MEMBRÉ almost 5 years ago

  • Target version changed from 3.1.0~beta1 to 3.1.0~rc1
#8

Updated by Vincent MEMBRÉ almost 5 years ago

  • Target version changed from 3.1.0~rc1 to 3.1.0
#9

Updated by Vincent MEMBRÉ almost 5 years ago

  • Target version changed from 3.1.0 to 3.1.1
#10

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 3.1.1 to 3.1.2
#11

Updated by Jonathan CLARKE over 4 years ago

  • Target version changed from 3.1.2 to 3.2.0~beta1
#12

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 3.2.0~beta1 to 3.2.0~rc1
#13

Updated by Benoît PECCATTE over 4 years ago

  • Target version changed from 3.2.0~rc1 to 3.2.0~rc2
#14

Updated by Benoît PECCATTE over 4 years ago

  • Target version changed from 3.2.0~rc2 to 3.2.0
#15

Updated by Vincent MEMBRÉ about 4 years ago

  • Target version changed from 3.2.0 to 3.2.1
#16

Updated by Vincent MEMBRÉ about 4 years ago

  • Target version changed from 3.2.1 to 3.2.2
#17

Updated by Alexis MOUSSET about 4 years ago

  • Target version changed from 3.2.2 to 4.0.0~rc2
#18

Updated by Alexis MOUSSET almost 4 years ago

#19

Updated by François ARMAND over 3 years ago

  • Target version changed from 4.0.0~rc2 to 4.1.0~beta1
#20

Updated by Vincent MEMBRÉ about 3 years ago

  • Target version changed from 4.1.0~beta1 to 4.1.0~beta2
#21

Updated by Vincent MEMBRÉ about 3 years ago

  • Target version changed from 4.1.0~beta2 to 4.1.0~beta3
#22

Updated by Vincent MEMBRÉ about 3 years ago

  • Target version changed from 4.1.0~beta3 to 4.1.0~rc1
#23

Updated by François ARMAND about 3 years ago

  • Target version changed from 4.1.0~rc1 to 4.2.0~beta1
#24

Updated by Alexis MOUSSET almost 3 years ago

  • Target version changed from 4.2.0~beta1 to 4.2.0~beta2
#25

Updated by Vincent MEMBRÉ almost 3 years ago

  • Target version changed from 4.2.0~beta2 to 4.2.0~beta3
#26

Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 4.2.0~beta3 to 4.2.0~rc1
#27

Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 4.2.0~rc1 to 4.2.0~rc2
#28

Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 4.2.0~rc2 to 4.2.0
#29

Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 4.2.0 to 4.2.1
#30

Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 4.2.1 to 4.2.2
#31

Updated by Alexis MOUSSET over 2 years ago

  • Subject changed from CFEngine Improvement: root server / relay keys to Generate 4k rsa keys for agents
  • Target version changed from 4.2.2 to 4.3.0~beta1
#32

Updated by Vincent MEMBRÉ about 2 years ago

  • Target version changed from 4.3.0~beta1 to 4.3.0~rc1
#33

Updated by Benoît PECCATTE about 2 years ago

  • Status changed from New to In progress
  • Assignee set to Benoît PECCATTE
#34

Updated by Benoît PECCATTE about 2 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Benoît PECCATTE to Alexis MOUSSET
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/1495
#35

Updated by Vincent MEMBRÉ about 2 years ago

  • Target version changed from 4.3.0~rc1 to 4.3.0~rc2
#36

Updated by Alexis MOUSSET about 2 years ago

#37

Updated by Vincent MEMBRÉ about 2 years ago

  • Target version changed from 4.3.0~rc2 to 4.3.0~rc3
#38

Updated by Alexis MOUSSET about 2 years ago

  • Status changed from Pending technical review to New
#39

Updated by Alexis MOUSSET about 2 years ago

  • Status changed from New to In progress
#40

Updated by Alexis MOUSSET about 2 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis MOUSSET to Benoît PECCATTE
  • Pull Request changed from https://github.com/Normation/rudder-packages/pull/1495 to https://github.com/Normation/rudder-packages/pull/1568
#41

Updated by Alexis MOUSSET about 2 years ago

  • Status changed from Pending technical review to Pending release
#42

Updated by Vincent MEMBRÉ almost 2 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 4.3.0~rc3 which was released today.
