Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]

3 Security

3.1 Setup a Minion to Master Validation Fingerprint

In highly secure network configurations you may wish to ensure your minions are connecting a specific master. To setup validation from minion to master enter the masters fingerprint within the /etc/salt/minion configuration file. See the following procedure:

  1. On the master enter the following command as root and note the fingerprint:

    salt-key -F master

    On your minion, open the minion configuration file located in /etc/salt/minion. Uncomment the following line and enter the masters fingerprint replacing the example fingerprint:

    master_finger: 'ba:30:65:2a:d6:9e:20:4f:d8:b2:f3:a7:d4:65:11:13'
  2. Restart the salt-minion service:

    # systemctl restart salt-minion

For more information on configuring security from a minion see: https://docs.saltstack.com/en/latest/ref/configuration/minion.html

3.2 Signing Repository Metadata

3.2.1 Generate a Custom GPG key

To sign repository metadata a custom GPG key is required. Create a new GPG key as root via the following steps.

$> gpg --gen-key

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: company sign key
Email address: company@example.com
Comment:
You selected this USER-ID:
    "company sign key <company@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg: key 607FABDB marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/607FABDB 2018-07-09
      Key fingerprint = ACF5 4698 EC70 FD6A F8C9  942B A7A1 9301 607F ABDB
uid       [ultimate] company sign key <company@example.com>
sub   2048R/A812FA62 2018-07-09

3.2.2 Configure signing metadata

There are two configuration files which needs to be changed to enable signing of metadata.

  1. /etc/rhn/signing.conf to specify KEYID and PASSPHRASE

  2. /etc/rhn/rhn.conf to enable signing metadata

Example for /etc/rhn/signing.conf:

KEYID="607FABDB"

GPGPASS="MySecretPassword"

To enable signing of metadata please add the following in /etc/rhn/rhn.conf:

sign_metadata = 1

All spacewalk services must be restarted after modifying 'rhn.conf'.

3.2.3 Regenerate all metadata

After enabling signing metadata, all metadata needs to be re-generated. This can be done with a small SQL script:

$> spacewalk-sql -i
psql (9.6.9)
Type "help" for help.

susemanager=# insert into rhnRepoRegenQueue (id, CHANNEL_LABEL, REASON, FORCE)
susemanager-# (select sequence_nextval('rhn_repo_regen_queue_id_seq'), C.label, 'changed signing of metadata', 'Y' from rhnChannel C);
INSERT 0 40
susemanager=# \q
$>

3.2.4 Trust the GPG key on all clients

When this feature is enabled, all clients have to trust the new GPG key. If the new GPG key is not imported on the client, installation or updating of packages is not possible.

  1. Export the GPG key and make it availabel in the 'pub/' directory.

    # gpg --batch --export -a -o <output filename> <KEYID>
    $> gpg --batch --export -a -o /srv/www/htdocs/pub/company.key 607FABDB
  2. Import the GPG key on all clients

    This can be done using a remote command on all clients

    # rpm --import http://<server.domain.top/pub/keyname.key
    $> rpm --import http://suma-refhead-srv.mgr.suse.de/pub/company.key
    Tip
    Tip: Tip

    For salt managed systems it might make sense to use a state to trust GPG keys.