
Chef chef-validator.pem security

Hi, I am setting up a cluster of machines using Chef at offsite locations. If one of these machines was stolen, what damage can the attacker do to my chef-server or other nodes by having possession of chef-validator.pem? What other things can they access through Chef? Thanks!

benathon asked Oct 19 '13 04:10


2 Answers

This was one of the items discussed at a recent Foodfight episode on managing "secrets" in chef. Highly recommended watching:

  • http://foodfightshow.org/2013/07/secret-chef.html

The knife bootstrap operation uploads this key when initializing new chef clients. Possession of this key enables the client to register itself against your chef server. That is actually its only function; once the client is up and running, the validation key is no longer needed.

But it can be abused... As @cbl has pointed out, if an unauthorized 3rd party gets access to this key, they can create new clients that can see everything on your chef server that normal clients can see. It can theoretically be used to create a Denial of Service attack on your chef server, by flooding it with registration requests.

The Foodfight panel recommends a simple solution. Enable the chef-client cookbook on all nodes. It contains a "delete_validation" recipe that will remove the validation key and reduce your risk exposure.

Mark O'Connor answered Sep 25 '22 18:09
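A node-side check for the situation the answer above describes: a registered client that still has the validation key on disk. This is an added example, not code from the answer or from the chef-client cookbook; the two paths are assumed defaults for a Linux chef-client install and the function names are hypothetical.

```ruby
# Assumed default locations; pass other paths if your client.rb sets them differently.
DEFAULT_VALIDATION_KEY = "/etc/chef/validation.pem"
DEFAULT_CLIENT_KEY     = "/etc/chef/client.pem"

# Classify the key state of one node.
#   :clean   - no validation key on disk
#   :pending - validation key present and the node has not registered yet,
#              so the key is still needed for the first chef-client run
#   :exposed - node already holds its own client key, yet the validation
#              key was left behind for anyone who obtains the disk
def validation_key_state(validation_key: DEFAULT_VALIDATION_KEY,
                         client_key: DEFAULT_CLIENT_KEY)
  return :clean unless File.exist?(validation_key)
  File.exist?(client_key) ? :exposed : :pending
end

# True when the group or other read bits are set on the file.
def readable_by_others?(path)
  File.exist?(path) && (File.stat(path).mode & 0o044) != 0
end

# Delete the validation key only once the node has its own client key,
# so an unregistered node can still bootstrap.
# Returns the state observed before any change was made.
def remediate_validation_key(validation_key: DEFAULT_VALIDATION_KEY,
                             client_key: DEFAULT_CLIENT_KEY)
  state = validation_key_state(validation_key: validation_key,
                               client_key: client_key)
  File.delete(validation_key) if state == :exposed
  state
end

# One-line summary suitable for collecting from every node in an inventory run.
def audit_line(hostname, validation_key: DEFAULT_VALIDATION_KEY,
               client_key: DEFAULT_CLIENT_KEY)
  state = validation_key_state(validation_key: validation_key,
                               client_key: client_key)
  loose = readable_by_others?(validation_key) ? " group/other-readable" : ""
  "#{hostname}: validation key #{state}#{loose}"
end
```

Removing the file from a node does not invalidate the key itself; a copy taken earlier still registers clients until the key is reissued on the server.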


The validator key is used to create new clients on the Chef Server.

Once the attacker gets hold of it, he can pretend he's a node in your infrastructure and have access to the same information any node has.

If you have sensitive information in an unencrypted data bag, for example, he'll have access to that.

Basically he'll be able to run any recipe from any cookbook, do searches (and have access to all your other nodes' attributes), read data bags, etc.

Keep that in mind when writing cookbooks and populating the other objects in the server. You could also somehow monitor the chef server for any suspicious client creation activity, and if you have any reason to believe that the validator key has been stolen, revoke it and issue a new one.

It's probably a good idea to rotate the key periodically as well.

cassianoleal answered Sep 24 '22 18:09