RE: where is the best moment to populate the keys


From: Lumpkin, Buddy
Subject: RE: where is the best moment to populate the keys
Date: Tue, 18 Jun 2002 11:36:46 -0700

When I try the example below (or a similar example where I generate new
keys on the client, add the trustkey=true under copy and even copy over
the keys from the other server).

Here's what I get:

Connect to x0319p01 = 10.1.90.2, port h=5308
Loaded /var/cfengine/ppkeys/root-10.1.90.2.pub
cfengine:x0319p49: BAD: key could not be accepted on trust
cfengine:x0319p49: Key-authentication for x0319p49.nordstrom.net failed
cfengine:x0319p49: Unable to establish connection with x0319p01


ppkeys contains:

localhost.priv       
localhost.pub        
root-10.1.90.2.pub  
root-10.16.5.3.pub  
root-10.16.7.4.pub  
root-10.16.9.5.pub


Where root-10.1.90.2.pub is the public key of the other system.

Here is my update.conf:

copy:

   any::

        $(master_cfinput)       dest=$(cache)/inputs
                                r=inf
                                mode=700
                                type=checksum
                                exclude=*.lst
                                exclude=*~
                                exclude=#*
                                server=$(policyhost)
                                trustkey=true




Any ideas?

-----Original Message-----
From: Brian Youngstrom [mailto:byoung@cs.washington.edu]
Sent: Thursday, May 30, 2002 10:16 AM
To: help-cfengine@gnu.org
Subject: Re: where is the best moment to populate the keys


Buddy,

I'm still experimenting with cfengine v2.0.x, but I have come up with
something that may work for you.  

I distribute cfengine via rpm (we're a Redhat shop).  As part of the
install, I create a file 'bootstrap' that contains:

control: actionsequence = ( resolve netconfig copy )
    sysadm  = ( my@email.addr )

    resolve:
        1.2.3.4
        1.2.3.5

    defaultroute:
        1_2_3::
            1.2.3.100
        1_2_4::
            1.2.4.100

    copy:
        /master/cf/
            dest=/var/cfengine/inputs/
            trustkey=true
            server=cfmaster
            recurse=1
            owner=root
            group=wheel
            mode=400
            backup=false
            purge=true
            inform=false

I call this script during rpm install (in the %post) as 'cfagent -f
bootstrap' (after calling cfkey).  This contacts the master server,
trusting the key this time only.  The server stores the new host key,
the client stores the server key and copies the most recent cfengine
scripts, purging the bootstrap file.

I have each potential client listed in the cfenvd.conf TrustKeysFrom
directive.

One of my scripts is cf.update.  This file is:

control: actionsequence = ( copy )
        access  = ( root )
        sysadm  = ( my@email.addr )

copy:
        /master/cf/
                dest=/var/cfengine/inputs
                server=cfmaster
                recurse=1
                owner=root
                group=wheel
                mode=400
                type=mtime
                backup=false
                purge=true
                inform=false

Very similar to bootstrap, but does not trust the server key.  I call
this file by 'cfagent -f cf.update' before calling 'cfagent' to run the
body of my scripts.  I have had problems with update.conf when there is
a syntax error in some other file.  Seems that cfengine parses
update.conf and all other files before executing update.conf (at least
with v2.0.1).

So far, this scheme has worked well for me.  Seems to avoid the implicit
trust while still providing the strong authentication that is desired.

-Brian

On Wed, May 29, 2002 at 06:23:22PM -0600, Lumpkin, Buddy wrote:
> Mark,
> 
> How do you have cfengine generate and replicate keys? What would be a
> good (sane) practice that gets rid of the more manual burden of
> generating the keys manually?
> 
> I am about to set up our jumpstart server so that it copies over the
> cfengine binaries and a startup script under /etc/rc2.d. I would like it
> to do everything necessary to get keys in place and be properly
> bootstrapped and ready to run from then on.
> 
> My update.conf file makes sure that there is an entry in crontab that
> will run cfexecd so I'm covered there ...
> 
> --Buddy
> 

-- 
Brian Youngstrom
byoung@cs.washington.edu
University of Washington
Department of Computer Science & Engineering
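Server-side counterpart to the bootstrap scheme Brian describes, added here as an example and not taken from the thread: a cfservd.conf control section for the policy host. A client's trustkey=true only makes the client accept the server's key; the server accepts an unknown client key only when the client's address is listed in TrustKeysFrom, so that list should name just the hosts being built and be pruned once they are keyed. The domain, the client hostname and the /master/cf path are taken from the messages above; everything else is assumed.

```cfengine
# cfservd.conf on the policy host (cfmaster) - assumed example, not the thread's own config

control:
   domain = ( nordstrom.net )

   # Hosts that may connect to cfservd at all. Keep this to the managed
   # network; it is checked before any key exchange happens.
   AllowConnectionsFrom = ( x0319p49.nordstrom.net )

   # Hosts whose *unknown* public key will be stored on first contact.
   # This is the one-time trust window used by 'cfagent -f bootstrap'.
   # Remove each host here as soon as its key has been exchanged, so a
   # later key change from the same address is refused, not re-trusted.
   TrustKeysFrom = ( x0319p49.nordstrom.net )

   # Only root may request files; the bootstrap and cf.update copies run as root.
   AllowUsers = ( root )

   # Record every connection, including refused ones, so key-trust
   # failures such as "key could not be accepted on trust" are visible in syslog.
   LogAllConnections = ( true )

admit:
   # Which hosts may fetch the policy tree that bootstrap and cf.update copy.
   /master/cf   x0319p49.nordstrom.net
```

After the first successful run the client's key is stored under /var/cfengine/ppkeys on the server and the host no longer needs to appear in TrustKeysFrom; AllowConnectionsFrom and the admit rule stay.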

_______________________________________________
Help-cfengine mailing list
Help-cfengine@gnu.org
http://mail.gnu.org/mailman/listinfo/help-cfengine


