Secure knife use


#1

Hello list,

Is there a way to secure my community chef server so that one may only use
knife commands from specific IPs? My friend made a valid point that if
anyone were able to hack my git server (unlikely but possible) they would
be able to wreak havoc on my infrastructure using my own chef server. Any
thoughts on this?

Thanks
Tim


GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


#2

They would need your client certificate to do anything. That should only be
on the machine you’re running knife on, not in source control. If you still
want ip restrictions do it with firewall rules or source filtering in
something in front of chef-server (nginx, etc)

On Jan 17, 2013, at 7:09 PM, Tim Dunphy bluethundr@gmail.com wrote:

Hello list,

Is there a way to secure my community chef server so that one may only use
knife commands from specific IPs? My friend made a valid point that if
anyone were able to hack my git server (unlikely but possible) they would
be able to wreak havoc on my infrastructure using my own chef server. Any
thoughts on this?

Thanks
Tim


GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
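The key point in the reply above is that the knife client key is the credential, so a compromised git server only matters if that key was ever committed. The script below is an added example for this thread (not code from either poster or from the Chef project): it walks a chef-repo checkout, flags any file carrying a PEM private-key header, and reports whether the top-level .gitignore would keep it out of the next commit. The repo layout (.chef/ with knife.rb and a *.pem client key) and the sample files it builds are constructed for the demonstration; the .gitignore matching is a deliberate simplification (basename or whole-path glob, no negation rules).

```python
"""Audit a Chef repository checkout for knife client keys sitting in the
working tree, where a git-server compromise could expose them.

Added example for this thread; assumes a chef-repo with a .chef/ directory
and knife client keys stored as *.pem files.
"""
import re
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# Header shared by PKCS#1, PKCS#8 and OpenSSH private keys in PEM form.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def find_private_keys(root):
    """Return repo-relative paths of files whose first 4 KiB hold a PEM private-key header."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if ".git" in rel.parts or not path.is_file():
            continue
        try:
            head = path.read_bytes()[:4096]
        except OSError:
            continue
        if PEM_PRIVATE_KEY.search(head):
            hits.append(rel.as_posix())
    return sorted(hits)


def load_gitignore(root):
    """Read top-level .gitignore patterns, dropping comments and blank lines."""
    gi = Path(root) / ".gitignore"
    if not gi.is_file():
        return []
    lines = gi.read_text().splitlines()
    return [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]


def is_ignored(relpath, patterns):
    """Simplified .gitignore check (assumption: basename or whole-path glob,
    plus directory prefixes; negation and anchoring rules are not modelled)."""
    name = relpath.rsplit("/", 1)[-1]
    for pat in patterns:
        pat = pat.rstrip("/").lstrip("/")
        if fnmatch(name, pat) or fnmatch(relpath, pat) or relpath.startswith(pat + "/"):
            return True
    return False


def audit(root):
    """Map each private key found to "ignored" or "TRACKED".

    TRACKED means nothing in .gitignore stops a careless `git add -A` from
    committing the key; "ignored" keys are still on disk, so both deserve a look.
    """
    patterns = load_gitignore(root)
    return {p: ("ignored" if is_ignored(p, patterns) else "TRACKED")
            for p in find_private_keys(root)}


def build_demo_repo():
    """Constructed sample chef-repo for the demonstration; the PEM bodies are
    placeholders, not real key material."""
    root = Path(tempfile.mkdtemp(prefix="chef-repo-"))
    (root / ".chef").mkdir()
    (root / "cookbooks" / "apache2" / "recipes").mkdir(parents=True)
    (root / ".chef" / "knife.rb").write_text(
        'node_name "tim"\nclient_key "#{current_dir}/tim.pem"\n')
    (root / ".chef" / "tim.pem").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER_NOT_A_REAL_KEY\n"
        "-----END RSA PRIVATE KEY-----\n")
    (root / "cookbooks" / "apache2" / "recipes" / "default.rb").write_text(
        'package "apache2"\n')
    # A validation key copied into the repo root and not covered by .gitignore.
    (root / "validation.pem").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER_NOT_A_REAL_KEY\n"
        "-----END RSA PRIVATE KEY-----\n")
    (root / ".gitignore").write_text("# keep knife credentials out of git\n.chef/*.pem\n")
    return root


if __name__ == "__main__":
    repo = build_demo_repo()
    for path, status in audit(repo).items():
        print(f"{status:8} {path}")
```

Run against a real checkout by passing its path to `audit()`; anything reported as TRACKED is a key that would travel with the repository, which is exactly the exposure the reply warns about. IP restrictions at a firewall or a front-end proxy are a separate, additional layer and are not covered by this script.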


#3

Excellent points made. Thank you for your reply!

On Thu, Jan 17, 2013 at 10:11 PM, Daniel Condomitti
daniel@condomitti.com wrote:

They would need your client certificate to do anything. That should only
be on the machine you’re running knife on, not in source control. If you
still want ip restrictions do it with firewall rules or source filtering in
something in front of chef-server (nginx, etc)

On Jan 17, 2013, at 7:09 PM, Tim Dunphy bluethundr@gmail.com wrote:

Hello list,

Is there a way to secure my community chef server so that one may only
use knife commands from specific IPs? My friend made a valid point that if
anyone were able to hack my git server (unlikely but possible) they would
be able to wreak havoc on my infrastructure using my own chef server. Any
thoughts on this?

Thanks
Tim


GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B