verify master pubkey signature on first pubkey connection

previously the minion would take any master pubkey for granted and write it to minion_master.pub.
2024-11-07 08:58:59 +00:00 · 2014-06-25 00:57:22 -07:00 · 2014-06-25 00:57:22 -07:00 · decbe41612
commit decbe41612
parent c447bd0847
1 changed files with 17 additions and 3 deletions
--- a/salt/crypt.py
+++ b/salt/crypt.py
@ -391,9 +391,23 @@ class Auth(object):
                return ''
            return aes
        else:
-            salt.utils.fopen(m_pub_fn, 'w+').write(payload['pub_key'])
-            aes, token = self.decrypt_aes(payload, False)
-            return aes
+            # verify the masters pubkey signature if the minion
+            # has not received any masters pubkey before
+            if self.opts['verify_master_pub']:
+                if self.verify_pubkey_sig(payload['pub_key'],
+                                          payload['pub_sig']):
+                    log.info('Received signed and verified master pubkey '
+                             'from master {0}'.format(self.opts['master']))
+                    m_pub_fn = os.path.join(self.opts['pki_dir'], self.mpub)
+                    salt.utils.fopen(m_pub_fn, 'w+').write(payload['pub_key'])
+                    aes, token = self.decrypt_aes(payload, False)
+                    return aes
+            # the minion has not received any masters pubkey yet, write
+            # the newly received pubkey to minion_master.pub
+            else:
+                salt.utils.fopen(m_pub_fn, 'w+').write(payload['pub_key'])
+                aes, token = self.decrypt_aes(payload, False)
+                return aes

    def sign_in(self, timeout=60, safe=True, tries=1):
        '''