help-cfengine

Re: key exchange doc


From: Mark . Burgess
Subject: Re: key exchange doc
Date: Fri, 20 Sep 2002 23:56:33 +0200 (MET DST)

This is on the first page of the web site....


http://www.iu.hio.no/cfengine/confdir/checklist.html



M


On 20 Sep, David Douthitt wrote:
> On Fri, Sep 20, 2002 at 08:49:21AM -0700, Paul Heinlein wrote:
> 
>> I'm having trouble finding documentation concerning how to bootstrap a
>> cfengine 2.x key infrastructure. To date, we've run cfengine/cfagent
>> against nfs-exported configs, but we'd like to move to a cfservd/cfrun 
>> architecture.
>> 
>> Is there an online doc that describes how to do the initial exchange 
>> of public keys between hosts?
> 
> To my knowledge, there isn't one.  The general way I do it is to manually
> do it with scp:
> 
>     cfkey
>     export PPKEYS=/var/cfengine/ppkeys
>     scp there:$PPKEYS/localhost.pub $PPKEYS/root-99.99.99.99.pub
>     scp $PPKEYS/localhost.pub there:$PPKEYS/root-11.11.11.11.pub
> 
> You don't have to use PPKEYS, but it shortens lines in the example :-)
> This assumes that there is 99.99.99.99 and here is 11.11.11.11 ...
> 
> You could use TrustKeysFrom to do this but I haven't tried it -
> automatically trusting an unknown host scares me...
> 
> Then you should make sure that both the client and the master are in
> the cfrun.hosts file
> 
> Then check the cfservd.conf file; it must have the following (in my
> experience, anyway):
> 
>     * The user listed in the key (<user>-<ip>.pub) - the one who is
>       to be allowed to use cfrun, must have an entry in AllowUsers
> 
>     * AllowConnectionsFrom should have both the client and master
> 
>     * cfrunCommand MUST be a valid cfagent binary (or link to it)
> 
>     * The admit: section must contain an allowable directory for
>       the client and master hosts.  The cfagent binary should be
>       in this directory
> 
> When this is all done, then you should be able to do two things:
> 
>     1. Use cfrun from the master to run cfagent on the client on
>        demand
> 
>     2. Use the remote copy feature on the client
> 
> Maybe I should write a document :-)
> 
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://mail.gnu.org/mailman/listinfo/help-cfengine



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
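
The manual exchange quoted above copies each peer's key into ppkeys under the <user>-<ip>.pub name. As an added example (not part of this thread and not cfengine's own tooling), the shell functions below perform that install step only when the fetched key file's SHA-256 matches a digest obtained out of band, and refuse to overwrite a different key that is already stored. The function names, the digest check and the return codes are assumptions of this example; the directory default and the file naming come from the message.

```shell
#!/bin/sh
# Added example: digest-checked install of a peer's cfengine public key.

# key_digest FILE -> prints the hex SHA-256 of FILE
key_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_peer_key USER IP KEYFILE EXPECTED_SHA256 [PPKEYS]
# Returns 0 on install, 1 on bad arguments, 2 on digest mismatch,
# 3 if a different key is already stored for that user and IP.
install_peer_key() {
    user=$1 ip=$2 src=$3 expected=$4
    ppkeys=${5:-/var/cfengine/ppkeys}

    # Reject empty parts and anything that could leave the ppkeys directory.
    for part in "$user" "$ip"; do
        case "$part" in
            ''|*/*) echo "bad user or ip: '$part'" >&2; return 1 ;;
        esac
    done
    [ -f "$src" ] || { echo "no such key file: $src" >&2; return 1; }

    dest="$ppkeys/$user-$ip.pub"
    actual=$(key_digest "$src")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $src: refusing to trust it" >&2
        return 2
    fi

    # Never silently replace a key that is already trusted.
    if [ -e "$dest" ] && ! cmp -s "$src" "$dest"; then
        echo "$dest already holds a different key" >&2
        return 3
    fi
    cp "$src" "$dest"
}
```

Run it once per direction of the exchange, after fetching the remote localhost.pub to a scratch file and reading its digest to the other administrator over a separate channel.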





