#kolide
Tyler Fisher

09/30/2019, 8:17 PM
Hey? Is anyone familiar with how to generate JSON Web Tokens that can be used by Kolide Fleet, and Kolide Launcher? https://jwt.io/ The installer for Kolide Fleet requires a JWT token that hosts will use for enrolment, but the documentation doesn't mention how to generate one: https://github.com/kolide/fleet/blob/545bc6fccb278d9489914f36b85d879b1a0ba17d/docs/infrastructure/configuring-the-fleet-binary.md#auth_jwt_key I'm new to JWT, and am currently in the process of writing an Ansible playbook which can be used to deploy Kolide Fleet, and osquery via the Kolide Launcher.
zwass

09/30/2019, 8:18 PM
It’s just looking for a random string to use as the secret key for the jwt tokens it generates.
Tyler Fisher

09/30/2019, 8:20 PM
Sweet, so auth_jwt_key is not actually the JWT token, it's the secret key that's used to create the JWT token?
8:26 PM
Ah, gotcha, it's the secret key that's used to construct an enrolment token that agents can use to connect to a particular Fleet server.
8:37 PM
Do you know if the only way to get a JWT token which can be used to enrol osquery agents is via the web UI, or via the fleetctl get enroll-secret command? I'm provisioning a development environment, and was wondering if it's possible to know the enrolment secret in advance - I'm not familiar with JWT, looking at the source code for hints on how this is used: https://github.com/kolide/fleet/blob/06832697d0e6ed6b2ca0220ef5434791db7b0a27/server/service/service_sessions.go#L286-L293
zwass

09/30/2019, 8:40 PM
Your first point is correct. This key is only used to generate JWT tokens that are used for user auth. The enroll secret is randomly generated, but you could perhaps write a script that updates the value in the db.
wtheaker

09/30/2019, 8:46 PM
Here's how I'm doing it with Docker: Generate a string to be used for JWT:
openssl rand -base64 32
Paste that string into .env as KOLIDE_AUTH_JWT_KEY
Tyler Fisher

09/30/2019, 8:46 PM
Awesome, thanks @zwass, @wtheaker! 😄 I was able to retrieve the token via fleetctl get enroll-secret:
# fleetctl config set --address https://localhost:8080
# fleetctl config set --rootca /opt/kolide/fleet/tls/fleet.crt
# fleet login
# fleetctl login
Log in using the standard Fleet credentials.
Email: <email>
Password:
[+] Fleet login successful and context configured!
# fleetctl get enroll-secret
sVhrv<...>8t6Ff
And it looks like JWT tokens are stored in the kolide.sessions table - so, I should be able to read the contents of this table before I try to enrol agents with the Kolide Fleet server I'm standing up.
8:47 PM
Not sure if there's a more pragmatic way to do it though, I've only known about JWT for about 30 minutes.
zwass

09/30/2019, 8:51 PM
JWT is not something that you ever need to deal with directly. Agents do not use user sessions, they enroll with the enroll secret and are issued node keys.
Tyler Fisher

09/30/2019, 8:52 PM
Ah, gotcha, not familiar with the protocol, sorry, I'm trying to figure out how to get the enrol secret, I keep misusing terminology in weird ways...