Chef Chef-Validator.Pem Security

Chef chef-validator.pem security

This was one of the items discussed at a recent Foodfight episode on managing "secrets" in chef. Highly recommended watching:

  • http://foodfightshow.org/2013/07/secret-chef.html

The knife bootstrap operation uploads this key when initializing new chef clients. Possession of this key enables the client to register itself against your chef server. That is actually its only function; once the client is up and running, the validation key is no longer needed.

But it can be abused... As @cbl has pointed out, if an unauthorized 3rd party gets access to this key, they can create new clients that can see everything on your chef server that normal clients can see. It can theoretically be used to create a Denial of Service attack on your chef server by flooding it with registration requests.

The foodfight panel recommends a simple solution: enable the chef-client cookbook on all nodes. It contains a "delete_validation" recipe that will remove the validation key and reduce your risk exposure.

Preventing Chef client from accessing all data on server

That's unfortunately only possible with Enterprise Chef - the commercial version.

Chef clients and validators

Answering your updated questions

1) Validation.pem (and client.rb) would be created after the bootstrap process. You need to run the command (knife configure client) shown below in order to create those files. Once those files are created in the ~/.chef directory, you need to move them to /etc/chef:

knife configure client ~/.chef
sudo su
mkdir -p /etc/chef
cp ~/.chef/client.rb /etc/chef
cp ~/.chef/validation.pem /etc/chef

and the output would be

Creating client configuration
Writing client.rb
Writing validation.pem

2) Client.pem will be created during the first chef-client run. Excerpts from the Chef Documentation:

"During the first chef-client run, this (client.pem) private key does not exist. Instead, the chef-client will attempt to use the private key assigned to the chef-validator, located in /etc/chef/validation.pem. (If, for any reason, the chef-validator is unable to make an authenticated request to the Chef server, the initial chef-client run will fail.)"

For instance, I generally do it in the following manner. Once the client is set up (for the first time) and I run the chef recipe on that node using the chef-client command as below, it would automatically create client.pem:

chef-client -o Cookbook_name::Recipe_Name

3) MAKE SURE YOUR HOSTNAME IS UNIQUE/CORRECT BEFORE DOING THIS. On CentOS, change the /etc/sysconfig/network file and use /etc/init.d/network restart to rebind everything.

My answer to the first question is the solution here. After running the command (generally this command is run after bootstrap)

knife configure client ~/.chef

the hostname of the client node would be automatically created in the chef-server.

Answers to your first and second questions (before editing the question)

1) Everything you see in the following link http://mychefserver.example.com/clients is the set of nodes (physical machines) that are registered with that particular Chef-Server. Chef-Client is an agent that would be running on each and every node that is registered with the chef-server. Chef-client is used to run the recipes on the corresponding nodes. Below is the way to run a chef recipe on a node using chef-client:

chef-client -o Cookbook_name::Recipe_Name

Putting it all together: clients are the set of nodes which are connected to the chef-server; chef-client is an agent running on all the nodes and is used to register the node with the chef-server in order to bring the node to the desired state. There are many other uses of chef-client. For details, visit the Chef-Client documentation page.

2) A bootstrap is a process that installs the chef-client on a target system so that it can run as a chef-client and communicate with a Chef server.

To put it another way, the bootstrap process is the way to install chef-client on a node (hardware machine) and make that node one of the clients of that chef-server. Only once the bootstrap process is completed will that particular node be visible in the clients list in your

http://mychefserver.example.com/clients

chef-client failed to register to chef-server

You need to additionally configure your chef client with the trusted SSL certs as described in the following document:

https://docs.chef.io/chef_client_security.html

Alternatively, disable SSL verification by adding the following to your client.rb file:

ssl_verify_mode :verify_none

PS

  • Have you considered using "knife bootstrap" to set up chef on new nodes? A lot easier and will do most of this hard work for you.
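The two hardening points raised in the answers above (remove validation.pem once the node has its own client.pem, as the delete_validation recipe does, and do not leave ssl_verify_mode :verify_none in client.rb) can be checked on a node with a small script. This is an added example, not code from the chef-client cookbook or from the answers; it assumes the standard layout of client.rb, client.pem and validation.pem in one directory and runs on a constructed temporary directory rather than a real /etc/chef.

```ruby
require 'tmpdir'

# Audit a Chef client configuration directory (normally /etc/chef) for:
#   - a leftover validation.pem after the node already has client.pem
#   - a validation.pem readable by group/other
#   - a client.rb that disables TLS verification
# Returns an array of finding strings (empty when the directory is clean).
def audit_chef_dir(dir)
  findings = []
  validation = File.join(dir, 'validation.pem')
  client_key = File.join(dir, 'client.pem')
  client_rb  = File.join(dir, 'client.rb')

  if File.exist?(validation)
    # Once client.pem exists the node is registered; the validator key is only a risk.
    findings << 'validation.pem still present after registration' if File.exist?(client_key)
    mode = File.stat(validation).mode & 0o777
    findings << format('validation.pem mode %o is readable by others', mode) if (mode & 0o077) != 0
  end

  if File.exist?(client_rb)
    File.foreach(client_rb) do |line|
      next if line.strip.start_with?('#') # ignore commented-out settings
      findings << 'client.rb disables TLS verification (ssl_verify_mode :verify_none)' if line =~ /ssl_verify_mode\s+:verify_none/
    end
  end
  findings
end

# Remove the validator key once the node has its own client key, mirroring
# what the delete_validation recipe does. Returns true if a file was removed.
def delete_validation_key(dir)
  validation = File.join(dir, 'validation.pem')
  return false unless File.exist?(validation) && File.exist?(File.join(dir, 'client.pem'))
  File.delete(validation)
  true
end

# Demo on a constructed temporary directory (placeholder key contents, not real keys).
Dir.mktmpdir do |dir|
  File.write(File.join(dir, 'client.rb'), "ssl_verify_mode :verify_none\n")
  File.write(File.join(dir, 'client.pem'), "-- constructed placeholder key --\n")
  File.write(File.join(dir, 'validation.pem'), "-- constructed placeholder key --\n")
  File.chmod(0o644, File.join(dir, 'validation.pem'))
  puts audit_chef_dir(dir)        # three findings
  puts delete_validation_key(dir) # true
end
```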

OpsWorks for Chef Automate and Chef validator-key

You can't retrieve the key (Chef Server never stores the private half of keys for security), but you should be able to reset the key or create a new validator client using knife client commands. The only thing special about the validator client is that it has create permissions on the client container (which you can set up using knife-acl).

Chef encountered an error attempting to create the client

You have the validation client name set to learnchef, which would be very unusual. It's usually $orgname-validator or $orgname-validation depending on the version of Chef Server. If you have knife working locally, you can check with knife client list.
