help-cfengine

Re: Authenticate by key only?


From: Frank Smith
Subject: Re: Authenticate by key only?
Date: Mon, 17 Jun 2002 10:04:44 -0500

--On Sunday, June 16, 2002 18:22:15 +0200 Mark.Burgess@iu.hio.no wrote:
I think skipverify is what you want. Where do the docs imply the reverse?

M

The documentation claims:

- SkipVerify
-
- If connecting hosts use a Network Address Translator in order to share
- an IP address, reverse lookup will fail to give a correct verification
- of host identity. You can switch off cfservd's verification of host
- identity for specific IP addresses or patterns using this command. E.g.
-
- SkipVerify = ( 192.0.0.10  192.0.2.  )
-
-
- NOTE!! This is a security risk because it means that cfservd implicitly
- trusts the connecting hosts! You should be very careful in using Network
- Address Translators in a secure environment. It is not recommended for
- sites which require a high level of security.

I took this to mean that SkipVerify skipped ALL verifications, not just
the DNS check, as it implies that all the connection requires is to be
from a certain IP address to be authenticated.  I will experiment with it
to see if my assumption is incorrect.

Frank


On 14 Jun, Frank Smith wrote:
Normally cfservd does double-reverse lookups to verify hostnames, but I
have a few hosts where this won't work due to NAT and other reasons.  They
do all have unique IPs, so I want to be able to skip the DNS lookups for
those hosts only and just use the public keys for authentication (those
were already exchanged after cfengine was installed on the clients).
   SkipVerify= does part of what I want, but the documentation implies it
just relies on IP and not the keys.  Is there some other option I've missed
or some other way around it, or is the only option to hack the source?

Thanks,
Frank

--
Frank Smith                                                fsmith@hoovers.com
Systems Administrator                                     Voice: 512-374-4673
Hoover's Online                                             Fax: 512-374-4501



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
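Added example, not code from this thread or from cfengine itself: a small Python model of the admission check the thread is about, written in the reading Mark gives (SkipVerify bypasses only the double-reverse DNS lookup; the public-key check still applies). The resolver tables, the prefix interpretation of SkipVerify patterns and all function names are constructed assumptions.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed stand-ins for DNS (assumption: real cfservd consults the resolver).
# 198.51.100.7 plays a NAT gateway whose PTR name forward-resolves to another
# address, so the double-reverse check fails for it, as in Frank's situation.
REVERSE_DNS: Dict[str, str] = {
    "192.0.2.10": "client1.example.com",
    "198.51.100.7": "nat-gw.example.com",
}
FORWARD_DNS: Dict[str, List[str]] = {
    "client1.example.com": ["192.0.2.10"],
    "nat-gw.example.com": ["203.0.113.1"],
}


def skip_verify_matches(ip: str, patterns: Iterable[str]) -> bool:
    """SkipVerify entries are treated as exact addresses or dotted prefixes
    such as "192.0.2." (an assumption about how cfservd matches patterns)."""
    for pattern in patterns:
        if pattern.endswith(".") and ip.startswith(pattern):
            return True
        if ip == pattern:
            return True
    return False


def double_reverse_ok(ip: str, reverse: Dict[str, str],
                      forward: Dict[str, List[str]]) -> bool:
    """Double-reverse lookup: IP -> name via PTR, then name -> addresses;
    accepted only if the connecting IP is among the forward answers."""
    name = reverse.get(ip)
    if name is None:
        return False
    return ip in forward.get(name, [])


def admit(ip: str, key_ok: bool, skip_verify: Iterable[str] = (),
          reverse: Dict[str, str] = REVERSE_DNS,
          forward: Dict[str, List[str]] = FORWARD_DNS) -> Tuple[bool, str]:
    """Decide whether a connection is admitted. The key check is always
    required; SkipVerify only bypasses the DNS identity check."""
    if not key_ok:
        return False, "public key does not match the stored key for this host"
    if skip_verify_matches(ip, skip_verify):
        return True, "DNS check skipped (SkipVerify), key verified"
    if double_reverse_ok(ip, reverse, forward):
        return True, "double-reverse lookup and key both verified"
    return False, "double-reverse lookup failed"
```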






