Re: key exchange doc


From: Mark . Burgess
Subject: Re: key exchange doc
Date: Sat, 21 Sep 2002 00:36:36 +0200 (MET DST)

The documentation has been there from day one. Just follow the checklist
on the website (but you have to read it).

The first time you connect to an unknown host, the hosts exchange keys
as part of the connection protocol.
Since you don't want to exchange keys with just anyone, you can choose
which IP addresses you want to trust keys from (if any).

Once a key has been accepted to a user/IP address combination, it will
never be replaced unless it is deleted manually. (Though note a caveat
for DHCP.)

Cfengine uses the same trust model as SSH -- rather than paying Verisign
$100 per host to sign every hostkey, you have to verify the host identity
in some other way and explicitly say that you are going to do it.
SSH does this interactively, telling you it doesn't recognize a host
key and asking if it's okay to accept it. 
Cfengine is normally run non-interactively,
so you either have to switch on an option to copy, and then switch it off again.
Or you can use cfrun to do it interactively, like with ssh.

The only difference between cfengine and ssh is that ssh solves a more
general problem than cfengine. It has all kinds of layers of negotiation
that allow hosts whose crypto capabilities are unknown to find common ground.
But it doesn't do anything magical.
All authentication is based on blind trust from an initial encounter.
Until you have been introduced to someone new, there is no way
in the universe to determine their ID except to trust their word.

Mark

On 20 Sep, Lumpkin, Buddy wrote:
> Mark, 
> 
> If CFengine does this so easily, could you please put the instructions out
> there.
> 
> I have seen this revisited several times and I can tell you that I eventually 
> just wrote a script to do it with scp.
> 
> I think we are all very eager to see how to do this with CFengine.
> 
> Regards,
> 
> --Buddy
> 
> -----Original Message-----
> From: Mark.Burgess@iu.hio.no [mailto:Mark.Burgess@iu.hio.no]
> Sent: Friday, September 20, 2002 3:00 PM
> To: david@douthitt.net
> Cc: heinlein@cse.ogi.edu; help-cfengine@gnu.org
> Subject: Re: key exchange doc
> 
> 
> 
>> To my knowledge, there isn't one.  The general way I do it is to manually
>> do it with scp:
>> 
>>     cfkey
>>     export PPKEYS=/var/cfengine/ppkeys
>>     scp there:$PPKEYS/localhost.pub $PPKEYS/root-99.99.99.99.pub
>>     scp $PPKEYS/localhost.pub there:$PPKEYS/root-11.11.11.11.pub
>> 
>> You don't have to use PPKEYS, but it shortens lines in the example :-)
>> This assumes that there is 99.99.99.99 and here is 11.11.11.11 ...
> 
> 
> There is absolutely no sense in doing this. Cfengine exchanges
> the keys much more easily.
> 
>  
>> You could use TrustKeysFrom to do this but I haven't tried it -
>> automatically trusting an unknown host scares me...
> 
> 
> Then why do you trust the secure shell? It cannot do any more
> than cfengine can. You also have to blindly trust ssh
> before the keys are exchanged.
> 
> Don't kid yourself -- there's no such thing as a free lunch.
> 
> Mark
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
> Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://mail.gnu.org/mailman/listinfo/help-cfengine



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
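The policy Mark describes above (keys pinned per user/IP pair, new keys accepted only from addresses you have chosen to trust, a pinned key never replaced except by manual deletion, with the DHCP caveat that an address may be reused by a different machine) can be modelled in a few lines. The following is an added example written for this archive page; it is not cfengine's code and does not read cfengine's ppkeys directory. The addresses 11.11.11.11 and 99.99.99.99 are reused from the scp example in the thread, the key strings are constructed placeholders, and the method names are the example's own.

```python
"""Toy model of the trust-on-first-use key policy discussed in the thread.

Constructed example, not cfengine code: keys are pinned per (user, ip),
unseen keys are accepted only from networks the operator has listed as
trusted, and a pinned key is never overwritten automatically.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class KeyStore:
    # Networks from which a previously unseen key may be accepted.
    # Mark's "switch on an option to copy, then switch it off again"
    # corresponds to filling this list briefly and then emptying it.
    trusted_from: list
    # Pinned keys keyed by (user, ip), like cfengine's root-<ip>.pub files.
    pinned: dict = field(default_factory=dict)
    # Audit trail a defender would watch; mismatches are the interesting events.
    log: list = field(default_factory=list)

    def _trusted(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(net) for net in self.trusted_from)

    def connect(self, user: str, ip: str, presented_key: str) -> str:
        """Evaluate one incoming connection; returns the decision taken."""
        pair = (user, ip)
        if pair in self.pinned:
            if self.pinned[pair] == presented_key:
                return "known"
            # A different key for a pinned user/IP: either the DHCP caveat
            # (the address now belongs to another host) or impersonation.
            # The pinned key is kept and the connection is refused.
            self.log.append(
                f"KEY MISMATCH {user}@{ip}: presented key differs from pinned key "
                f"(possible IP reuse via DHCP, or a spoofed host)")
            return "mismatch"
        if not self._trusted(ip):
            self.log.append(f"REFUSED {user}@{ip}: unknown key from untrusted address")
            return "untrusted"
        # First encounter from a trusted address: pin the key (blind trust,
        # exactly as Mark describes; verify the host some other way first).
        self.pinned[pair] = presented_key
        self.log.append(f"PINNED {user}@{ip}: accepted new key on first contact")
        return "accepted"

    def forget(self, user: str, ip: str) -> None:
        """Manual deletion: the only way a pinned key ever changes."""
        self.pinned.pop((user, ip), None)
        self.log.append(f"DELETED pinned key for {user}@{ip} (manual)")


def run_demo() -> list:
    """Walk through the scenarios from the thread; returns the decisions."""
    store = KeyStore(trusted_from=["11.11.11.0/24"])  # constructed trust list
    outcomes = [
        store.connect("root", "11.11.11.11", "KEY-A"),   # first contact, trusted net
        store.connect("root", "11.11.11.11", "KEY-A"),   # same key again
        store.connect("root", "11.11.11.11", "KEY-B"),   # DHCP reuse / spoof
        store.connect("root", "99.99.99.99", "KEY-C"),   # outside trusted networks
    ]
    store.forget("root", "11.11.11.11")                  # operator clears the pin
    outcomes.append(store.connect("root", "11.11.11.11", "KEY-B"))
    store.trusted_from = []                              # "switch it off again"
    outcomes.append(store.connect("root", "11.11.11.12", "KEY-D"))
    return outcomes


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The point of the model is the third and fourth outcomes: a changed key for an already pinned address is refused rather than silently re-learned, and an unknown key from an address outside the trusted list is refused outright. The DHCP caveat shows up as a legitimate reason for a mismatch, which is why the only remedy is a deliberate manual deletion followed by a fresh first contact.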