User story #6363: Secure agent/server communication - Rudder - Issue Tracker

Status changed from In progress to Pending technical review
Assignee changed from Nicolas CHARLES to Benoît PECCATTE
Pull Request set to https://github.com/Normation/rudder-techniques/pull/1052

PR https://github.com/Normation/rudder-techniques/pull/1052

Actions

Copy link

#19

Updated by Nicolas CHARLES about 8 years ago

Status changed from Pending technical review to New
Pull Request deleted (~~https://github.com/Normation/rudder-techniques/pull/1052~~)

Actions

Copy link

#20

Updated by François ARMAND about 8 years ago

Target version changed from 4.0.0~rc2 to 4.1.0~beta1

Actions

Copy link

#21

Updated by Vincent MEMBRÉ almost 8 years ago

Target version changed from 4.1.0~beta1 to 4.1.0~beta2

Actions

Copy link

#22

Updated by Vincent MEMBRÉ almost 8 years ago

Target version changed from 4.1.0~beta2 to 4.1.0~beta3

Actions

Copy link

#23

Updated by Vincent MEMBRÉ almost 8 years ago

Target version changed from 4.1.0~beta3 to 4.1.0~rc1

Actions

Copy link

#24

Updated by François ARMAND almost 8 years ago

Target version changed from 4.1.0~rc1 to 4.2.0~beta1

Actions

Copy link

#25

Updated by Benoît PECCATTE over 7 years ago

Related to deleted (User story #6591: Inventory endpoint should not listen to any)

Actions

Copy link

#26

Updated by Alexis Mousset over 7 years ago

Target version changed from 4.2.0~beta1 to 4.2.0~beta2

Actions

Copy link

#27

Updated by Vincent MEMBRÉ over 7 years ago

Target version changed from 4.2.0~beta2 to 4.2.0~beta3

Actions

Copy link

#28

Updated by Benoît PECCATTE over 7 years ago

Assignee deleted (~~Benoît PECCATTE~~)

Actions

Copy link

#29

Updated by Vincent MEMBRÉ over 7 years ago

Target version changed from 4.2.0~beta3 to 4.2.0~rc1

Actions

Copy link

#30

Updated by Vincent MEMBRÉ about 7 years ago

Target version changed from 4.2.0~rc1 to 4.2.0~rc2

Actions

Copy link

#31

Updated by Vincent MEMBRÉ about 7 years ago

Target version changed from 4.2.0~rc2 to 4.2.0

Actions

Copy link

#32

Updated by Vincent MEMBRÉ about 7 years ago

Target version changed from 4.2.0 to 4.2.1

Actions

Copy link

#33

Updated by Vincent MEMBRÉ about 7 years ago

Target version changed from 4.2.1 to 4.2.2

Actions

Copy link

#34

Updated by Alexis Mousset about 7 years ago

Target version changed from 4.2.2 to Ideas (not version specific)
Private changed from No to Yes

Actions

Copy link

#35

Updated by Alexis Mousset about 7 years ago

Description updated (diff)

Actions

Copy link

#36

Updated by Alexis Mousset about 7 years ago

Description updated (diff)

Actions

Copy link

#37

Updated by Alexis Mousset about 7 years ago

Description updated (diff)

Actions

Copy link

#38

Updated by Alexis Mousset over 6 years ago

Description updated (diff)

Actions

Copy link

#39

Updated by Alexis Mousset about 6 years ago

Description updated (diff)

Actions

Copy link

#40

Updated by Alexis Mousset about 6 years ago

Description updated (diff)

Actions

Copy link

#41

Updated by Alexis Mousset about 6 years ago

Description updated (diff)

Actions

Copy link

#42

Updated by Alexis Mousset about 6 years ago

Description updated (diff)

Actions

Copy link

#43

Updated by Alexis Mousset about 6 years ago

Description updated (diff)

Actions

Copy link

#44

Updated by Alexis Mousset about 6 years ago

Description updated (diff)

Actions

Copy link

#45

Updated by Alexis Mousset about 6 years ago

Description updated (diff)

Actions

Copy link

#46

Updated by Alexis Mousset about 6 years ago

Description updated (diff)

Actions

Copy link

#47

Updated by Alexis Mousset about 6 years ago

Description updated (diff)

Actions

Copy link

#48

Updated by Alexis Mousset about 6 years ago

Description updated (diff)

Actions

Copy link

#49

Updated by Alexis Mousset over 5 years ago

Description updated (diff)

Actions

Copy link

#50

Updated by Alexis Mousset over 5 years ago

Description updated (diff)

Actions

Copy link

#51

Updated by Alexis Mousset over 5 years ago

Related to User story #11835: Make curl invocation's ignore certificate configurable added

Actions

Copy link

#52

Updated by Alexis Mousset over 5 years ago

Related to Bug #14866: It is possible to download policies from any Windows node knowing its id by getting a forged inventory accepted added

Actions

Copy link

#53

Updated by Alexis Mousset about 5 years ago

Description updated (diff)

Actions

Copy link

#54

Updated by Alexis Mousset about 5 years ago

Status changed from New to Pending release

Actions

Copy link

#55

Updated by Alexis Mousset over 4 years ago

Category changed from Architecture - Code maintenance to Security

Actions

Copy link

#56

Updated by Vincent MEMBRÉ over 3 years ago

Related to User story #6350: We need access log on rudder added

Actions

Copy link

#57

Updated by Vincent MEMBRÉ over 3 years ago

Status changed from Pending release to Released

Actions

Copy link

#58

Updated by Alexis Mousset almost 3 years ago

Description updated (diff)

Actions

Copy link

#59

Updated by Alexis Mousset almost 3 years ago

Description updated (diff)

Actions

Copy link

#60

Updated by Alexis Mousset almost 3 years ago

Description updated (diff)

Actions

Copy link

#61

Updated by Alexis Mousset almost 3 years ago

Description updated (diff)

Actions

Copy link

#62

Updated by Alexis Mousset almost 3 years ago

Description updated (diff)

Actions

Copy link

#63

Updated by Alexis Mousset almost 3 years ago

Description updated (diff)

Actions

Copy link

#64

Updated by Alexis Mousset almost 3 years ago

Description updated (diff)

Actions

Copy link

#65

Updated by Alexis Mousset almost 3 years ago

Description updated (diff)

Actions

Copy link

#66

Updated by Alexis Mousset almost 3 years ago

Description updated (diff)

Actions

Copy link

#67

Updated by Alexis Mousset over 1 year ago

Private changed from Yes to No

Rudder version	Transport	Client Identification	Client Authentication	Server Authentication
4.1	TLS 1.0+, "classic" protocol available for 3.1 agents with initial policies	node UUID	allowed networks AND (use an IP declared in the inventory OR know the hostname of the node OR private key matching the public key in the inventory)	Broken TOFU on server key
4.3, 5.0	TLS 1.0+	node UUID	allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)	Broken TOFU on server key
6.0	TLS 1.2+	node UUID	allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)	Broken TOFU on server key
6.1, 6.2	TLS 1.2+	node UUID	allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)	TOFU or pre-shared server key
7.0	TLS 1.2+	node UUID	allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)	TOFU or pre-shared server key

Rudder version	Transport	Client Identification	Client Authentication	Server Authentication
4.1	TLS 1.0+, "classic" protocol available for 3.1 agents with initial policies	None	allowed networks AND (IP of the declared policy server OR know the hostname of the policy server)	Broken TOFU on server key
4.3, 5.0	TLS 1.0+	None	allowed networks AND IP of the declared policy server (which provides TOFU on the key)	Broken TOFU on server key
6.0	TLS 1.2+	None	allowed networks AND IP of the declared policy server (which provides TOFU on the key)	Broken TOFU on server key
6.1, 6.2	TLS 1.2+	None	allowed networks AND IP of the declared policy server (which provides TOFU on the key)	TOFU or pre-shared server key
7.0	TLS 1.2+	None	allowed networks AND IP of the declared policy server (which provides TOFU on the key)	TOFU or pre-shared server key

Rudder version	Transport	Client Identification	Client Authentication	Server Authentication
4.3, 5.0	TLS 1.0+	node UUID	allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)	IP
6.0, 6.1, 6.2	TLS 1.2+	node UUID	allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)	IP
7.0	TLS 1.2+	node UUID	allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)	TOFU or pre-shared server key

Rudder version	Rudder agent	Transport	Client Identification	Client Authentication	Server Authentication
4.1, 4.3, 5.0	Linux	HTTPS with TLS 1.0+	node UUID	allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU)	IP
4.1, 4.3, 5.0	AIX	HTTP	node UUID	allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU)	IP
4.1, 4.3, 5.0	Windows DSC	HTTPS with TLS 1.0+	node UUID	allowed networks	IP
6.0, 6.1, 6.2	Windows DSC	HTTPS with TLS 1.2+	node UUID	allowed networks	IP
6.0, 6.1, 6.2	Linux, AIX	HTTPS with TLS 1.2+	node UUID	allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU)	(optional) existing PKI
7.0	All	HTTPS with TLS 1.2+	node UUID	allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU)	TOFU or pre-shared server key

Rudder version	Transport	Client Identification	Client Authentication	Server Authentication
4.1, 4.3, 5.0	Plain text TCP/UDP	node UUID	None	IP
6.0, 6.1, 6.2	HTTPS with TLS 1.2+	node UUID	allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU) but syslog fallback	(optional) existing PKI
7.0	HTTPS with TLS 1.2+	node UUID	allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU)	TOFU or pre-shared server key

Bug #6348: Do not download file that are not for you in /var/rudder/tools	Rejected		2015-03-05	Actions
Architecture #6351: Agent recent enough should use their key to authenticate	Rejected		2015-03-05	Actions
Architecture #6352: Create shared-secure for smooth transition to key based authentication	Rejected		2015-03-05	Actions
Architecture #6354: Stop generating access rules for share when the agent has migrated	Rejected		2015-03-05	Actions
Architecture #6360: Update allowlegacyconnects to disallow old agents	Rejected			Actions
Architecture #6366: Help the user setup signed certificates	Resolved			Actions
User story #6253: Generate 4k rsa keys for agents	Released	Benoît PECCATTE		Actions
User story #12095: Generate 4k rsa keys for agents during factory reset	Released	Benoît PECCATTE		Actions
Bug #1146: Change the acceptation system of server / nodes	Rejected		2011-03-28	Actions
Bug #5907: Any user can forge a fake report	Rejected			Actions
Bug #5154: Node key not deleted after deleting a node in the web ui	Released	François ARMAND		Actions
User story #6591: Inventory endpoint should not listen to any	Rejected			Actions
User story #7986: Make copying the tools encrypted again	Rejected	Benoît PECCATTE		Actions

Related to Rudder - User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance	Released		2015-04-07	Actions
Related to Rudder - User story #11835: Make curl invocation's ignore certificate configurable	Rejected			Actions
Related to Rudder - Bug #14866: It is possible to download policies from any Windows node knowing its id by getting a forged inventory accepted	Released	François ARMAND		Actions
Related to Rudder - User story #6350: We need access log on rudder	Rejected			Actions
Blocked by Rudder - User story #5673: Add support to parameters in ncf techniques written with ncf builder	Released	Benoît PECCATTE	2014-10-21	Actions

Project

General

Profile

Rudder

Custom queries

User story #6363

Secure agent/server communication

Node policies¶

CFEngine node policies¶

Remote run¶

Windows DSC node policies¶

Inventories¶

Reports¶

Sending a file to another node (shared file)¶

Updated by Benoît PECCATTE over 9 years ago

Updated by Vincent MEMBRÉ over 9 years ago

Updated by Benoît PECCATTE over 9 years ago

Updated by Vincent MEMBRÉ over 9 years ago

Updated by Vincent MEMBRÉ over 9 years ago

Updated by Benoît PECCATTE over 9 years ago

Updated by Vincent MEMBRÉ over 9 years ago

Updated by Jonathan CLARKE over 9 years ago

Updated by Vincent MEMBRÉ almost 9 years ago

Updated by Benoît PECCATTE almost 9 years ago

Updated by Benoît PECCATTE almost 9 years ago

Updated by Vincent MEMBRÉ almost 9 years ago

Updated by Vincent MEMBRÉ over 8 years ago

Updated by Alexis Mousset over 8 years ago

Updated by Vincent MEMBRÉ over 8 years ago

Updated by Nicolas CHARLES about 8 years ago

Updated by Nicolas CHARLES about 8 years ago

Updated by Nicolas CHARLES about 8 years ago

Updated by François ARMAND about 8 years ago

Updated by Vincent MEMBRÉ almost 8 years ago

Updated by Vincent MEMBRÉ almost 8 years ago

Updated by Vincent MEMBRÉ almost 8 years ago

Updated by François ARMAND almost 8 years ago

Updated by Benoît PECCATTE over 7 years ago

Updated by Alexis Mousset over 7 years ago

Updated by Vincent MEMBRÉ over 7 years ago

Updated by Benoît PECCATTE over 7 years ago

Updated by Vincent MEMBRÉ over 7 years ago

Updated by Vincent MEMBRÉ about 7 years ago

Updated by Vincent MEMBRÉ about 7 years ago

Updated by Vincent MEMBRÉ about 7 years ago

Updated by Vincent MEMBRÉ about 7 years ago

Updated by Alexis Mousset about 7 years ago

Updated by Alexis Mousset about 7 years ago

Updated by Alexis Mousset about 7 years ago

Updated by Alexis Mousset about 7 years ago

Updated by Alexis Mousset over 6 years ago

Updated by Alexis Mousset about 6 years ago

Updated by Alexis Mousset about 6 years ago

Updated by Alexis Mousset about 6 years ago

Updated by Alexis Mousset about 6 years ago

Updated by Alexis Mousset about 6 years ago

Updated by Alexis Mousset about 6 years ago

Updated by Alexis Mousset about 6 years ago

Updated by Alexis Mousset about 6 years ago

Updated by Alexis Mousset about 6 years ago

Updated by Alexis Mousset about 6 years ago

Updated by Alexis Mousset over 5 years ago

Updated by Alexis Mousset over 5 years ago

Updated by Alexis Mousset over 5 years ago

Updated by Alexis Mousset over 5 years ago

Updated by Alexis Mousset about 5 years ago

Updated by Alexis Mousset about 5 years ago

Updated by Alexis Mousset over 4 years ago

Updated by Vincent MEMBRÉ over 3 years ago

Updated by Vincent MEMBRÉ over 3 years ago

Updated by Alexis Mousset almost 3 years ago

Updated by Alexis Mousset almost 3 years ago

Updated by Alexis Mousset almost 3 years ago

Updated by Alexis Mousset almost 3 years ago

Updated by Alexis Mousset almost 3 years ago

Updated by Alexis Mousset almost 3 years ago

Updated by Alexis Mousset almost 3 years ago

Updated by Alexis Mousset almost 3 years ago

Updated by Alexis Mousset almost 3 years ago

Updated by Alexis Mousset over 1 year ago