TIL: Enroll secrets change over time
# kolide
d
TIL: Enroll secrets change over time
z
Enroll secrets can change over time, but currently I don't think there is a mechanism in Fleet that would do so automatically.
d
fascinating... would a restart of the fleet service induce that perhaps? I guess I can experiment and report back here
well, a restart did not change it... I'll go back and look over previous enroll_secrets from past hosts I've installed.
z
The enroll secret is stored in the DB and shouldn’t change
d
crazy town, but I have an enroll secret for the fleet server itself and my mac that are quite different... I don't think it's worth a witch hunt over, I'm a very new user to fleet and osquery itself, so I'm going to err on the side of I did something wrong.
I'll continue to keep an eye out for it though now that I know the intended behavior
z
It's possible you enrolled the mac with the Fleet enroll secret and subsequently changed the enroll secret on the mac. The changed secret wouldn't be used unless the mac was deleted in Fleet and had to re-enroll.
Because the individual node provides the enroll secret to Fleet, which returns a node key that is used for further authentication.