Merge remote-tracking branch 'upstream/2014.7' into merge-forward-2015.5

Conflicts:
    conf/minion
    doc/conf.py
    salt/modules/file.py

conf/minion

@@ -483,9 +483,9 @@
 # will be shown for each state run.
 #state_output_profile: True
 
-# Fingerprint of the master public key to double verify the master is valid,
-# the master fingerprint can be found by running "salt-key -F master" on the
-# salt master.
+# Fingerprint of the master public key to validate the identity of your Salt master
+# before the initial key exchange. The master fingerprint can be found by running
+# "salt-key -F master" on the Salt master.
 #master_finger: ''
 
 

doc/_themes/saltstack2/layout.html

@@ -295,7 +295,7 @@
 
         <!--analytics-->
         <script type="text/javascript" language="javascript">llactid=23943</script>
-        <script type="text/javascript" language="javascript" src="http://t6.trackalyzer.com/trackalyze.js"></script>
+        <script type="text/javascript" language="javascript" src="https://trackalyzer.com/trackalyze_secure.js"></script>
 
         <script>
         var _gaq = _gaq || [];

doc/ref/configuration/index.rst

@@ -101,6 +101,41 @@ Running Salt
 There is also a full :doc:`troubleshooting guide</topics/troubleshooting/index>`
 available.
 
+.. _key-identity:
+
+Key Identity
+============
+
+Salt provides commands to validate the identity of your Salt master
+and Salt minions before the initial key exchange. Validating key identity helps
+avoid inadvertently connecting to the wrong Salt master, and helps prevent
+a potential MiTM attack when establishing the initial connection.
+
+Master Key Fingerprint
+----------------------
+
+Print the master key fingerprint by running the following command on the Salt master:
+
+.. code-block:: bash
+
+   salt-key -F master
+
+Copy the ``master.pub`` fingerprint from the *Local Keys* section, and then set this value
+as the :conf_minion:`master_finger` in the minion configuration file. Save the configuration
+file and then restart the Salt minion.
+
+Minion Key Fingerprint
+----------------------
+
+Run the following command on each Salt minion to view the minion key fingerprint:
+
+.. code-block:: bash
+
+   salt-call --local key.finger
+
+Compare this value to the value that is displayed when you run the
+``salt-key --finger <MINION_ID>`` command on the Salt master.
+
 
 Key Management
 ==============

doc/ref/configuration/minion.rst

@@ -868,6 +868,21 @@ minion to clean the keys.
 
     open_mode: False
 
+.. conf_minion:: master_finger
+
+``master_finger``
+-----------------
+
+Default: ``''``
+
+Fingerprint of the master public key to validate the identity of your Salt master
+before the initial key exchange. The master fingerprint can be found by running
+"salt-key -F master" on the Salt master.
+
+.. code-block:: yaml
+
+   master_finger: 'ba:30:65:2a:d6:9e:20:4f:d8:b2:f3:a7:d4:65:11:13'
+
 .. conf_minion:: verify_master_pubkey_sign
 
 

doc/topics/tutorials/walkthrough.rst

@@ -191,9 +191,13 @@ The easiest way to accept the minion key is to accept all pending keys:
 
 .. note::
 
-    Keys should be verified! The secure thing to do before accepting a key is
-    to run ``salt-key -f minion-id`` to print the fingerprint of the minion's
-    public key. This fingerprint can then be compared against the fingerprint
+    Keys should be verified! Print the master key fingerprint by running ``salt-key -F master``
+    on the Salt master. Copy the ``master.pub`` fingerprint from the Local Keys section,
+    and then set this value as the :conf_minion:`master_finger` in the minion configuration
+    file. Restart the Salt minion.
+
+    On the minion, run ``salt-key -f minion-id`` to print the fingerprint of the
+    minion's public key. This fingerprint can then be compared against the fingerprint
     generated on the minion.
 
     On the master: