RE: where is the best moment to populate the keys
From: Lumpkin, Buddy
Subject: RE: where is the best moment to populate the keys
Date: Tue, 18 Jun 2002 11:36:46 -0700
When I try the example below (or a similar example where I generate new
keys on the client, add trustkey=true under copy, and even copy over
the keys from the other server), here's what I get:
  Connect to x0319p01 = 10.1.90.2, port h=5308
  Loaded /var/cfengine/ppkeys/root-10.1.90.2.pub
  cfengine:x0319p49: BAD: key could not be accepted on trust
  cfengine:x0319p49: Key-authentication for x0319p49.nordstrom.net failed
  cfengine:x0319p49: Unable to establish connection with x0319p01

ppkeys contains:

  localhost.priv
  localhost.pub
  root-10.1.90.2.pub
  root-10.16.5.3.pub
  root-10.16.7.4.pub
  root-10.16.9.5.pub
Where root-10.1.90.2.pub is the public key of the other system.
Here is my update.conf:

  copy:
    any::
      $(master_cfinput) dest=$(cache)/inputs
                        r=inf
                        mode=700
                        type=checksum
                        exclude=*.lst
                        exclude=*~
                        exclude=#*
                        server=$(policyhost)
                        trustkey=true
Any ideas?
-----Original Message-----
From: Brian Youngstrom [mailto:byoung@cs.washington.edu]
Sent: Thursday, May 30, 2002 10:16 AM
To: help-cfengine@gnu.org
Subject: Re: where is the best moment to populate the keys
Buddy,
I'm still experimenting with cfengine v2.0.x, but I have come up with
something that may work for you.
I distribute cfengine via rpm (we're a Redhat shop). As part of the
install, I create a file 'bootstrap' that contains:
  control:
    actionsequence = ( resolve netconfig copy )
    sysadm = ( my@email.addr )

  resolve:
    1.2.3.4
    1.2.3.5

  defaultroute:
    1_2_3::
      1.2.3.100
    1_2_4::
      1.2.4.100

  copy:
    /master/cf/  dest=/var/cfengine/inputs/
                 trustkey=true
                 server=cfmaster
                 recurse=1
                 owner=root
                 group=wheel
                 mode=400
                 backup=false
                 purge=true
                 inform=false
I call this script during rpm install (in the %post) as 'cfagent -f
bootstrap' (after calling cfkey). This contacts the master server,
trusting the key this time only. The server stores the new host key,
the client stores the server key and copies the most recent cfengine
scripts, purging the bootstrap file.
I have each potential client listed in the cfenvd.conf TrustKeysFrom
directive.
One of my scripts is cf.update. This file is:
  control:
    actionsequence = ( copy )
    access = ( root )
    sysadm = ( my@email.addr )

  copy:
    /master/cf/  dest=/var/cfengine/inputs
                 server=cfmaster
                 recurse=1
                 owner=root
                 group=wheel
                 mode=400
                 type=mtime
                 backup=false
                 purge=true
                 inform=false
Very similar to bootstrap, but does not trust the server key. I call
this file by 'cfagent -f cf.update' before calling 'cfagent' to run the
body of my scripts. I have had problems with update.conf when there is
a syntax error in some other file. Seems that cfengine parses
update.conf and all other files before executing update.conf (at least
with v2.0.1).
So far, this scheme has worked well for me. Seems to avoid the implicit
trust while still providing the strong authentication that is desired.
-Brian
On Wed, May 29, 2002 at 06:23:22PM -0600, Lumpkin, Buddy wrote:
> Mark,
>
> How do you have cfengine generate and replicate keys? What would be a
> good (sane) practice that gets rid of the more manual burden of
> generating the keys manually?
>
> I am about to set up our jumpstart server so that it copies over the
> cfengine binaries and a startup script under /etc/rc2.d. I would like it
> to do everything necessary to get keys in place and be properly
> bootstrapped and ready to run from then on.
>
> My update.conf file makes sure that there is an entry in crontab that
> will run cfexecd so I'm covered there ...
>
> --Buddy
>
--
Brian Youngstrom
byoung@cs.washington.edu
University of Washington
Department of Computer Science & Engineering
_______________________________________________
Help-cfengine mailing list
Help-cfengine@gnu.org
http://mail.gnu.org/mailman/listinfo/help-cfengine
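The scheme in this thread trusts the server key exactly once (trustkey=true in the bootstrap file) and relies on the root-<ip>.pub files in ppkeys from then on, so the contents of that directory are the only record of which server keys a client has accepted. The following is an added example, not code from this thread or from cfengine, that snapshots those key files after the one-time bootstrap and later reports any server key that is new or has changed. It assumes the root-<ip>.pub naming shown in the ppkeys listing above and the standard sha256sum, awk and mktemp tools; the key contents written by demo() are constructed placeholders, not real cfengine keys.

```shell
#!/bin/sh
# Added example, not from the thread or from cfengine: pin the server public
# keys that a one-time trustkey=true bootstrap dropped into ppkeys, and flag
# later changes. Assumes the root-<ip>.pub naming shown in the thread, plus
# sha256sum, awk and mktemp from a normal Linux userland.

# snapshot_keys DIR MANIFEST: write "name sha256" for every root-*.pub in DIR.
snapshot_keys() {
    dir=$1; out=$2
    : > "$out"
    for f in "$dir"/root-*.pub; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(sha256sum < "$f" | cut -d' ' -f1)" >> "$out"
    done
}

# check_keys DIR MANIFEST: print "NEW name" for keys absent from the manifest
# and "CHANGED name" for keys whose content differs; return 1 if any were found.
check_keys() {
    dir=$1; manifest=$2; rc=0
    for f in "$dir"/root-*.pub; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        cur=$(sha256sum < "$f" | cut -d' ' -f1)
        old=$(awk -v n="$name" '$1 == n { print $2 }' "$manifest")
        if [ -z "$old" ]; then
            echo "NEW $name"; rc=1
        elif [ "$old" != "$cur" ]; then
            echo "CHANGED $name"; rc=1
        fi
    done
    return "$rc"
}

# demo: build a constructed ppkeys directory in a temp dir, snapshot it,
# then replace one key and add another, and print what check_keys reports.
demo() {
    d=$(mktemp -d); m="$d/manifest"
    mkdir "$d/ppkeys"
    echo "constructed-key-A" > "$d/ppkeys/root-10.1.90.2.pub"   # constructed placeholder
    echo "constructed-key-B" > "$d/ppkeys/root-10.16.5.3.pub"   # constructed placeholder
    snapshot_keys "$d/ppkeys" "$m"
    echo "constructed-key-A-replaced" > "$d/ppkeys/root-10.1.90.2.pub"  # simulated key swap
    echo "constructed-key-C" > "$d/ppkeys/root-192.0.2.9.pub"           # simulated new server key
    check_keys "$d/ppkeys" "$m" || true
    rm -rf "$d"
}

demo
```

In practice you would run snapshot_keys once, right after the 'cfagent -f bootstrap' step, and call check_keys from the same cron entry that runs cfexecd, so that a server key that appears or changes outside a deliberate re-bootstrap shows up in the cron mail instead of being silently accepted.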