Secure knife use

Tim_Dunphy · January 18, 2013, 3:09am

Hello list,

Is there a way to secure my community chef server so that one may only use
knife commands from specific IPs. My friend made a valid point that if
anyone were able to hack my git server (unlikely but possible) they would
be able to wreak havok on my infrastructure using my own chef server. Any
thoughts on this?

Thanks
Tim

–
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

dcondomitti · January 18, 2013, 3:11am

They would need your client certificate to do anything. That should only be
on the machine you’re running knife on, not in source control. If you still
want ip restrictions do it with firewall rules or source filtering in
something in front of chef-server (nginx, etc)

On Jan 17, 2013, at 7:09 PM, Tim Dunphy bluethundr@gmail.com wrote:

Hello list,

Is there a way to secure my community chef server so that one may only use
knife commands from specific IPs. My friend made a valid point that if
anyone were able to hack my git server (unlikely but possible) they would
be able to wreak havok on my infrastructure using my own chef server. Any
thoughts on this?

Thanks
Tim

–
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

Tim_Dunphy · January 18, 2013, 12:24pm

Excellent points made. Thank you for your reply!

On Thu, Jan 17, 2013 at 10:11 PM, Daniel Condomitti
daniel@condomitti.comwrote:

They would need your client certificate to do anything. That should only
be on the machine you're running knife on, not in source control. If you
still want ip restrictions do it with firewall rules or source filtering in
something in front of chef-server (nginx, etc)

On Jan 17, 2013, at 7:09 PM, Tim Dunphy bluethundr@gmail.com wrote:

Hello list,

Is there a way to secure my community chef server so that one may only
use knife commands from specific IPs. My friend made a valid point that if
anyone were able to hack my git server (unlikely but possible) they would
be able to wreak havok on my infrastructure using my own chef server. Any
thoughts on this?

Thanks
Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

Topic		Replies	Views
How to restrict IPs that can SSH Chef Infra Client	2	617	March 28, 2023
Private certificate issue with chef server (knife ssl check - unable to get local issuer certificate) Chef Infra (archive)	0	671	January 18, 2018
Struggling mightily with SSL on Windows Chef Infra (archive)	3	1136	November 16, 2016
Chef Infra Client certificate trust requirement Chef Infra (archive)	3	405	February 7, 2020
Chef 12 Server trusted_certs Chef Infra (archive)	1	266	January 23, 2015

Secure knife use

Related Topics