Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
t
Tyler Fisher
09/30/2019, 8:17 PMHey? Is anyone familiar with how to generate JSON Web Tokens that can be used by Kolide Fleet, and Kolide Launcher? https://jwt.io/
The installer for Kolide Fleet requires a JWT token that hosts will use for enrolment, but the documentation doesn't mention how to generate one: https://github.com/kolide/fleet/blob/545bc6fccb278d9489914f36b85d879b1a0ba17d/docs/infrastructure/configuring-the-fleet-binary.md#auth_jwt_key
I'm new to JWT, and am currently in the process of writing an Ansible playbook which can be used to deploy Kolide Fleet, and osquery via the Kolide Launcher.
z
zwass
09/30/2019, 8:18 PMIt’s just looking for a random string to use as the secret key for the jwt tokens it generates.
t
Tyler Fisher
09/30/2019, 8:20 PMSweet, so
auth_jwt_keyAh, gotcha, it's the secret key that's used to construct an enrolment token that agents can use to connect to a particular Fleet server.
Do you know if the only way to get a JWT token which can be used to enrol osquery agents is via the web UI, or via the
fleetctl get enroll-secretz
zwass
09/30/2019, 8:40 PMYour first point is correct. This key is only used to generate JWT tokens that are used for user auth. The enroll secret is randomly generated, but you could perhaps write a script that updates the value in the db.
w
wtheaker
09/30/2019, 8:46 PMHere's how I'm doing it with Docker:
Generate a string to be used for JWT:
openssl rand -base64 32.envKOLIDE_AUTH_JWT_KEYt
Tyler Fisher
09/30/2019, 8:46 PMAwesome, thanks @zwass, @wtheaker! 😄
I was able to retrieve the token via `fleetctl get enroll-secret`:
# fleetctl config set --address <https://localhost:8080>
# fleetctl config set --rootca /opt/kolide/fleet/tls/fleet.crt
# fleet login
# fleetctl login
Log in using the standard Fleet credentials.
Email: <email>
Password:
[+] Fleet login successful and context configured!
# fleetctl get enroll-secret
sVhrv<...>8t6Ffkolide.sessionsNot sure if there's a more pragmatic way to do it though, I've only known about JWT for about 30 minutes.
z
zwass
09/30/2019, 8:51 PMJwt is not something that you ever need to deal with directly. Agents do not use user sessions, they enroll with the enroll secret and are issued node keys.
t
Tyler Fisher
09/30/2019, 8:52 PMAh, gotcha, not familiar with the protocol, sorry, I'm trying to figure out how to get the enrol secret, I keep misusing terminology in weird ways...