User story #6253
closed
User story #6363: Secure agent/server communication
Generate 4k rsa keys for agents
Description
Hi,
CFEngine by default uses a 2Kbit RSA key.
There is no way in cf-key to change the value as of now.
On the other hand it is just a key, so it would be possible to create a far safer 4k one.
it would be viable to pre-seed that key, even for all hosts since rudder already has it's own CFEngine package.
I think on the root server / relay servers it is even more important, so at worst it could just be put in docs & manually done when setting up the root / relays.
Updated by François ARMAND about 9 years ago
- Assignee set to Benoît PECCATTE
- Priority changed from N/A to 3
- Target version set to 3.1.0~beta1
You are clearly right that 2048 RSA key won't do forever. Actually, we should not even have to do compile anything to change key sizes, it should just be an option of cf-key.
Benoit, I'm sure you burn to look into cf-key code to see how the key size is chosen so that we can at least understand the complexity of the query.
Updated by Benoît PECCATTE about 9 years ago
- Status changed from New to 8
- Assignee deleted (
Benoît PECCATTE)
This will be done with the rest of the security related tickets in parent ticket #6363
Updated by Benoît PECCATTE about 9 years ago
In rudder-agent postinst, we call
/var/rudder/cfengine-community/bin/cf-key
This call can be simply replaced by:
openssl genrsa -des3 -out localhost.priv -passout "pass:Cfengine passphrase" 4096 openssl rsa -in localhost.priv -passin "pass:Cfengine passphrase" -RSAPublicKey_out -out localhost.pub
Updated by Benoît PECCATTE about 9 years ago
RSAPublicKey_out is the default when it is not supported, so use it when it works and don't when it doesn't
Silly ? yes
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 3.1.0~beta1 to 3.1.0~rc1
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 3.1.0~rc1 to 3.1.0
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 3.1.0 to 3.1.1
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.1.1 to 3.1.2
Updated by Jonathan CLARKE over 8 years ago
- Target version changed from 3.1.2 to 3.2.0~beta1
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.2.0~beta1 to 3.2.0~rc1
Updated by Benoît PECCATTE over 8 years ago
- Target version changed from 3.2.0~rc1 to 3.2.0~rc2
Updated by Benoît PECCATTE over 8 years ago
- Target version changed from 3.2.0~rc2 to 3.2.0
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.2.0 to 3.2.1
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.2.1 to 3.2.2
Updated by Alexis Mousset about 8 years ago
- Target version changed from 3.2.2 to 4.0.0~rc2
Updated by Alexis Mousset almost 8 years ago
- Related to User story #8552: Add a command to show agent auth info added
Updated by François ARMAND over 7 years ago
- Target version changed from 4.0.0~rc2 to 4.1.0~beta1
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 4.1.0~beta1 to 4.1.0~beta2
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 4.1.0~beta2 to 4.1.0~beta3
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 4.1.0~beta3 to 4.1.0~rc1
Updated by François ARMAND about 7 years ago
- Target version changed from 4.1.0~rc1 to 4.2.0~beta1
Updated by Alexis Mousset almost 7 years ago
- Target version changed from 4.2.0~beta1 to 4.2.0~beta2
Updated by Vincent MEMBRÉ almost 7 years ago
- Target version changed from 4.2.0~beta2 to 4.2.0~beta3
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.0~beta3 to 4.2.0~rc1
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.0~rc1 to 4.2.0~rc2
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.0~rc2 to 4.2.0
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.0 to 4.2.1
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.2.1 to 4.2.2
Updated by Alexis Mousset over 6 years ago
- Subject changed from CFEngine Improvement: root server / relay keys to Generate 4k rsa keys for agents
- Target version changed from 4.2.2 to 4.3.0~beta1
Updated by Vincent MEMBRÉ about 6 years ago
- Target version changed from 4.3.0~beta1 to 4.3.0~rc1
Updated by Benoît PECCATTE about 6 years ago
- Status changed from New to In progress
- Assignee set to Benoît PECCATTE
Updated by Benoît PECCATTE about 6 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Benoît PECCATTE to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder-packages/pull/1495
Updated by Vincent MEMBRÉ about 6 years ago
- Target version changed from 4.3.0~rc1 to 4.3.0~rc2
Updated by Alexis Mousset about 6 years ago
- Related to User story #12241: Backport key size option for cf-key added
Updated by Vincent MEMBRÉ about 6 years ago
- Target version changed from 4.3.0~rc2 to 4.3.0~rc3
Updated by Alexis Mousset about 6 years ago
- Status changed from Pending technical review to New
Updated by Alexis Mousset about 6 years ago
- Status changed from New to In progress
Updated by Alexis Mousset about 6 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Benoît PECCATTE
- Pull Request changed from https://github.com/Normation/rudder-packages/pull/1495 to https://github.com/Normation/rudder-packages/pull/1568
Updated by Alexis Mousset about 6 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-packages|f3ab846333c9f37ee6a318cf289091987abad46f.
Updated by Vincent MEMBRÉ about 6 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 4.3.0~rc3 which was released today.
- 4.3.0~rc3: Announce Changelog
- Download: https://www.rudder-project.org/site/get-rudder/downloads/