
I am just getting started with salt and I am wondering how the saltmaster is being authenticated against the clients. I know that when connecting a minion the master has to accept the public key of the minion and therefore no unauthorized minions can connect. But what keeps someone from pretending to be the saltmaster, having all minions connect to the wrong server and happily execute code, giving full access to an attacker?

Of course the minion connects to a given IP address or hostname, but it should be quite easy to hijack that...

masegaloeh
Alexander

1 Answer


Without extra effort nothing is preventing a (dubiously determined) attacker from initiating a man-in-the-middle attack during the first key exchange and all subsequent connections. This is the same risk inherent in any key exchange over the internet.

You can verify the fingerprints of both the master and the minion.

On master: `sudo salt-key -F`

On minion: `sudo salt-call --local key.finger`

But then you would have to trust that there isn't also an (elaborate) (sustained) man-in-the-middle attack between you and the machine in question when you ssh into it. It is turtles all the way down.

The truly paranoid would have to pre-generate the keys offline (master and all minions) and hope along with the rest of us that their CPUs aren't somehow compromised in subtle ways we haven't yet discovered.

You can verify that the minion does refuse connecting to the master if the key doesn't later match up. Shut down salt-minion, back up `/etc/salt/pki/minion/minion_master.pub`, alter it, and then start salt-minion in debug mode: `sudo salt-minion -l debug`

Dan Garthwaite
  • I know that it is hard to prevent a man-in-the-middle attack on the initial key exchange. My question was if the minion saves the key of the master and refuses to connect to a master with a different key – Alexander Dec 15 '14 at 19:04
  • The minion does save the key of the master, and it does refuse connection if it doesn't match. You can test this by backing up `/etc/salt/pki/minion/minion_master.pub`, altering it, and rerunning `sudo salt-minion -l debug`. – Dan Garthwaite Dec 15 '14 at 20:04
  • Thanks - that was exactly what I wanted to know – Alexander Dec 17 '14 at 20:04
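The two checks the answer describes, comparing the fingerprints printed by `salt-key -F` and `key.finger`, and confirming that a minion refuses a master whose key no longer matches the saved `minion_master.pub`, as an added example that is not part of the original thread or of Salt's own code. It assumes (not stated on the page) that a Salt fingerprint is the hex digest of the raw PEM file bytes written as colon-separated byte pairs, with the digest algorithm following the `hash_type` setting (sha256 in current releases, md5 in the 2014-era releases this thread dates from). The PEM body is constructed filler, not a real RSA key, since only the file bytes matter for the fingerprint.

```python
"""Out-of-band fingerprint check for a Salt master public key (added example).

Assumptions, not stated on the page: the fingerprint is the hex digest of the
raw PEM file bytes, formatted as aa:bb:cc:..., which is what `salt-key -F` and
`salt-call --local key.finger` print; the digest follows `hash_type`
(sha256 today, md5 in the 2014-era releases the thread is about).
"""
import hashlib
import hmac
import re

# Constructed sample PEM standing in for /etc/salt/pki/master/master.pub on the
# master and /etc/salt/pki/minion/minion_master.pub on the minion. The base64
# body is made-up text for illustration, not a real RSA key.
MASTER_PUB = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedSampleKey\n"
    b"MaterialForIllustrationOnlyNotARealRsaModulusAbcdefghijklmnopq\n"
    b"QIDAQAB\n"
    b"-----END PUBLIC KEY-----\n"
)

# Shape of a well-formed colon-separated fingerprint.
FINGER_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2})*$")


def pem_fingerprint(pem: bytes, sum_type: str = "sha256") -> str:
    """Hash the PEM bytes and format the digest as aa:bb:cc:... (assumed format)."""
    digest = hashlib.new(sum_type, pem).hexdigest()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def normalize(finger: str) -> str:
    """Lower-case and strip so a fingerprint copied from a terminal or read aloud still compares."""
    return finger.strip().lower()


def fingerprint_matches(pem: bytes, expected: str, sum_type: str = "sha256") -> bool:
    """Compare the local key's fingerprint with one obtained out of band (e.g. from salt-key -F).

    Malformed input is rejected before comparing; hmac.compare_digest keeps the
    comparison constant-time so nothing about the expected value leaks.
    """
    expected = normalize(expected)
    if not FINGER_RE.match(expected):
        return False
    return hmac.compare_digest(pem_fingerprint(pem, sum_type), expected)


def minion_accepts_master(stored_pub: bytes, presented_pub: bytes) -> bool:
    """Model the pinning the answer describes: once minion_master.pub is saved,
    a master presenting any other key is refused."""
    return hmac.compare_digest(stored_pub, presented_pub)


def tamper(pem: bytes) -> bytes:
    """Alter one character inside the base64 body, as the answer's manual test does."""
    lines = pem.splitlines(keepends=True)
    body = bytearray(lines[1])
    body[0] = ord("A") if body[0] != ord("A") else ord("B")
    lines[1] = bytes(body)
    return b"".join(lines)


if __name__ == "__main__":
    altered = tamper(MASTER_PUB)
    print("master fingerprint: ", pem_fingerprint(MASTER_PUB))
    print("altered fingerprint:", pem_fingerprint(altered))
    print("minion accepts original:", minion_accepts_master(MASTER_PUB, MASTER_PUB))
    print("minion accepts altered: ", minion_accepts_master(MASTER_PUB, altered))
```

In practice the `expected` value is the line for the master key from `salt-key -F` run on the master, carried to the minion over a channel you already trust (console, a signed document, a phone call), which is the only part of the exchange the network path cannot tamper with.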