master_finger configuration docs

switch a script to use https:// instead of http:// Refs #25751
2025-04-17 10:10:20 +00:00 · 2015-08-06 20:23:22 -06:00 · 2015-08-06 20:23:22 -06:00 · d220c83f77
commit d220c83f77
parent 4bd4bc41f2
5 changed files with 63 additions and 9 deletions
--- a/conf/minion
+++ b/conf/minion
@ -464,9 +464,9 @@
 # states is cluttering the logs. Set it to True to ignore them.
 #state_output_diff: False

-# Fingerprint of the master public key to double verify the master is valid,
-# the master fingerprint can be found by running "salt-key -F master" on the
-# salt master.
+# Fingerprint of the master public key to validate the identity of your Salt Master
+# before the initial key exchange. the master fingerprint can be found by running
+# "salt-key -F master" on the Salt master.
 #master_finger: ''


--- a/doc/_themes/saltstack2/layout.html
+++ b/doc/_themes/saltstack2/layout.html
@ -295,7 +295,7 @@

        <!--analytics-->
        <script type="text/javascript" language="javascript">llactid=23943</script>
-        <script type="text/javascript" language="javascript" src="http://t6.trackalyzer.com/trackalyze.js"></script>
+        <script type="text/javascript" language="javascript" src="https://trackalyzer.com/trackalyze_secure.js"></script>

        <script>
        var _gaq = _gaq || [];
--- a/doc/ref/configuration/index.rst
+++ b/doc/ref/configuration/index.rst
@ -101,6 +101,41 @@ Running Salt
 There is also a full :doc:`troubleshooting guide</topics/troubleshooting/index>`
 available.

+.. _key-identity:
+
+Key Identity
+============
+
+Salt provides commands to validate the identity of your Salt master
+and Salt minions before the initial key exchange. Validating key identity helps
+avoid inadvertently connecting to the wrong Salt master, and helps prevent
+a potential MiTM attack when establishing the initial connection.
+
+Master Key Fingerprint
+----------------------
+
+Print the master key fingerprint by running the following command on the Salt master:
+
+.. code-block:: bash
+
+   salt-key -F master
+
+Copy the ``master.pub`` fingerprint from the *Local Keys* section, and then set this value
+as the :conf_minion:`master_finger` in the minion configuration file. Save the configuration
+file and then restart the Salt minion.
+
+Minion Key Fingerprint
+----------------------
+
+Run the following command on each Salt minion to view the minion key fingerprint:
+
+.. code-block:: bash
+
+   salt-call --local key.finger
+
+Compare this value to the value that is displayed when you run the
+``salt-key --finger <MINION_ID>`` command on the Salt master.
+

 Key Management
 ==============
--- a/doc/ref/configuration/minion.rst
+++ b/doc/ref/configuration/minion.rst
@ -811,6 +811,21 @@ minion to clean the keys.

    open_mode: False

+.. conf_minion:: master_finger
+
+``master_finger``
+-----------------
+
+Default: ``''``
+
+Fingerprint of the master public key to validate the identity of your Salt master
+before the initial key exchange. The master fingerprint can be found by running
+"salt-key -F master" on the Salt master.
+
+.. code-block:: yaml
+
+   master_finger: 'ba:30:65:2a:d6:9e:20:4f:d8:b2:f3:a7:d4:65:11:13'
+
 .. conf_minion:: verify_master_pubkey_sign


--- a/doc/topics/tutorials/walkthrough.rst
+++ b/doc/topics/tutorials/walkthrough.rst
@ -193,14 +193,18 @@ The easiest way to accept the minion key is to accept all pending keys:

 .. note::

-    Keys should be verified! The secure thing to do before accepting a key is
-    to run ``salt-key -f minion-id`` to print the fingerprint of the minion's
-    public key. This fingerprint can then be compared against the fingerprint
+    Keys should be verified! Print the master key fingerprint by running ``salt-key -F master``
+    on the Salt master. Copy the ``master.pub`` fingerprint from the Local Keys section,
+    and then set this value as the :conf_minion:`master_finger` in the minion configuration
+    file. Restart the Salt minion.
+
+    On the minion, run ``salt-key -f minion-id`` to print the fingerprint of the
+    minion's public key. This fingerprint can then be compared against the fingerprint
    generated on the minion.

    On the master:

-    .. code-block: bash
+    .. code-block:: bash

        # salt-key -f foo.domain.com
        Unaccepted Keys:
@ -208,7 +212,7 @@ The easiest way to accept the minion key is to accept all pending keys:

    On the minion:

-    .. code-block: bash
+    .. code-block:: bash

        # salt-call key.finger --local
        local: