help-cfengine

Re: key exchange doc


From: David Douthitt
Subject: Re: key exchange doc
Date: Fri, 20 Sep 2002 16:30:52 -0500
User-agent: Mutt/1.4i

On Fri, Sep 20, 2002 at 08:49:21AM -0700, Paul Heinlein wrote:

> I'm having trouble finding documentation concerning how to bootstrap a
> cfengine 2.x key infrastructure. To date, we've run cfengine/cfagent
> against nfs-exported configs, but we'd like to move to a cfservd/cfrun 
> architecture.
> 
> Is there an online doc that describes how to do the initial exchange 
> of public keys between hosts?

To my knowledge, there isn't one.  The general way I do it is to manually
do it with scp:

    cfkey                                   # create localhost.priv/localhost.pub in ppkeys
    export PPKEYS=/var/cfengine/ppkeys
    # pull the remote host's public key in as <user>-<ip>.pub, the name cfengine looks up
    scp there:$PPKEYS/localhost.pub $PPKEYS/root-99.99.99.99.pub
    # push our public key to the remote host under our own address
    scp $PPKEYS/localhost.pub there:$PPKEYS/root-11.11.11.11.pub

You don't have to use PPKEYS, but it shortens lines in the example :-)
This assumes that there is 99.99.99.99 and here is 11.11.11.11 ...

You could use TrustKeysFrom to do this but I haven't tried it -
automatically trusting an unknown host scares me...

Then you should make sure that both the client and the master are in
the cfrun.hosts file.

Then check the cfservd.conf file; it must have the following (in my
experience, anyway):

    * The user listed in the key (<user>-<ip>.pub), the one who is
      to be allowed to use cfrun, must have an entry in AllowUsers

    * AllowConnectionsFrom should have both the client and master

    * cfrunCommand MUST be a valid cfagent binary (or link to it)

    * The admit: section must contain an allowable directory for
      the client and master hosts.  The cfagent binary should be
      in this directory.

When this is all done, then you should be able to do two things:

    1. Use cfrun from the master to run cfagent on the client on
       demand

    2. Use the remote copy feature on the client

Maybe I should write a document :-)
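An added example, not part of David's message or of the cfengine project, that checks a cfservd.conf against the four conditions listed in the message before cfservd is enabled. The cfservd.conf syntax in the sample is assumed from cfengine 2.x; the addresses (11.11.11.11 master, 99.99.99.99 client), the root user and the paths are constructed to match the message's example.

```shell
#!/bin/sh
# Added example (not from the post or cfengine): verify the four cfservd.conf
# requirements listed in the message. Config syntax assumed from cfengine 2.x;
# IPs, user and paths are constructed to match the message's example.

# Does control variable $2 in conf $1 list value $3?  e.g. AllowUsers = ( root )
control_has() {
    awk -v k="$2" -v v="$3" '
        { gsub(/[=()"]/, " "); if ($1 == k) for (i = 2; i <= NF; i++) if ($i == v) f = 1 }
        END { exit f ? 0 : 1 }' "$1"
}

# Does the admit: section of conf $1 grant directory $2 to host $3?
admit_grants() {
    awk -v d="$2" -v h="$3" '
        /^admit:/      { s = 1; next }
        /^[A-Za-z]+:/  { s = 0 }
        s && $1 == d   { for (i = 2; i <= NF; i++) if ($i == h) f = 1 }
        END { exit f ? 0 : 1 }' "$1"
}

# check_cfservd_conf CONF USER CFAGENT HOST...  -> 0 only if all four checks pass
check_cfservd_conf() {
    conf=$1 user=$2 cfagent=$3; shift 3; rc=0
    control_has "$conf" AllowUsers "$user" || { echo "FAIL: $user not in AllowUsers"; rc=1; }
    control_has "$conf" cfrunCommand "$cfagent" && [ -x "$cfagent" ] \
        || { echo "FAIL: cfrunCommand must name the executable $cfagent"; rc=1; }
    for h in "$@"; do
        control_has "$conf" AllowConnectionsFrom "$h" || { echo "FAIL: $h not in AllowConnectionsFrom"; rc=1; }
        admit_grants "$conf" "$(dirname "$cfagent")" "$h" \
            || { echo "FAIL: admit: does not grant $(dirname "$cfagent") to $h"; rc=1; }
    done
    return $rc
}

# Constructed sample: a temp dir holding a dummy executable cfagent and a cfservd.conf.
make_sample() {
    tmp=$(mktemp -d); mkdir -p "$tmp/bin"; : > "$tmp/bin/cfagent"; chmod +x "$tmp/bin/cfagent"
    cat > "$tmp/cfservd.conf" <<EOF
control:
   domain = ( example.com )
   AllowUsers = ( root )
   AllowConnectionsFrom = ( 11.11.11.11 99.99.99.99 )
   cfrunCommand = ( "$tmp/bin/cfagent" )
admit:
   $tmp/bin 11.11.11.11 99.99.99.99
EOF
    echo "$tmp"
}

SAMPLE=$(make_sample)
check_cfservd_conf "$SAMPLE/cfservd.conf" root "$SAMPLE/bin/cfagent" 11.11.11.11 99.99.99.99 \
    && echo "cfservd.conf passes all four checks"
```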