help-cfengine
Re: key exchange doc


From: David Douthitt
Subject: Re: key exchange doc
Date: Mon, 23 Sep 2002 15:36:23 -0500
User-agent: Mutt/1.4i

On Sat, Sep 21, 2002 at 12:36:36AM +0200, Mark.Burgess@iu.hio.no wrote:

> The documentation has been there from day one. Just follow the checklist
> on the website (but you have to read it).

The documentation was not enough for me.  The only relevant documentation
on running cfengine 2 for the first time, and setting up keys was:

4. Install as per manual.

There is no checklist that explains everything as I detailed it, and
the cfengine reference (especially things other than cfagent) is hard
to follow.  I'm not entirely sure that all of the options are covered
for cfrun, for example.

> Cfengine uses the same trust model as SSH -- rather than paying verisign
> $100 per host to sign every hostkey,

You don't have to pay VeriSign a penny - make your own CA.  I've done it,
and so have many others.

> you have to verify the host identity
> in some other way and explicitly say that you are going to do it.
> SSH does this interactively, telling you it doesn't recognize a host
> key and asking if it's okay to accept it. 

You can, if you like, add the host certificate before the run.

> Cfengine is normally run non-interactively,
> so you either have to switch on an option to copy,
> and then switch it off again.
> Or you can use cfrun to do it interactively, like with ssh.

True.

> All authentication is based on blind trust from an initial encounter.
> Until you have been introduced to someone new, there is no way
> in the universe to determine their ID except to trust their word.

True.  You have to trust the remote host if you want to run
non-interactively.

The problem I see is that to do this non-interactively, you have
to trust the remote host.  That might be sufficient, but after the
key is loaded, that "trust" remains there.  What happens if the
remote host "changes" the key? That could mean there is a
"man-in-the-middle" attack, with another host pretending to
be the trusted host.  SSH either asks if you want to accept
the key, or it refuses to run at all (depending on the level
of paranoia in the configuration).

To load a key securely, you are almost required to use a manual
process - but if you want to set up a host automatically, this
is unacceptable.

Perhaps trust could be allowed only if the relevant cfengine
setup is missing?  That is, update.conf would be the only
file present, and cfagent.conf is missing, perhaps.

After cfagent is present, then the host is never trusted again.
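As an added illustration of the policy sketched above (example code, not part of the original post or of cfengine itself): a host key is pinned blindly only while the machine is still being bootstrapped, i.e. while cfagent.conf is absent; afterwards an unknown host is refused, and a pinned host that presents a different key is refused rather than silently re-trusted. The fingerprint format, host names and key bytes are constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional


class KeyChangedError(Exception):
    """The host presented a key that differs from the one pinned earlier."""


class BootstrapClosedError(Exception):
    """A new host asked to be trusted after the bootstrap window had closed."""


def fingerprint(pubkey: bytes) -> str:
    """Hex SHA-256 over the raw public key bytes (constructed format for this example)."""
    return hashlib.sha256(pubkey).hexdigest()


class TrustStore:
    """Pins one key fingerprint per host, in the spirit of SSH's known_hosts."""

    def __init__(self, pins: Optional[Dict[str, str]] = None):
        self.pins: Dict[str, str] = dict(pins or {})

    def check(self, host: str, pubkey: bytes, cfagent_conf_present: bool) -> str:
        fp = fingerprint(pubkey)
        pinned = self.pins.get(host)
        if pinned is None:
            # Unknown host: accept on first use only while the machine is still
            # being bootstrapped (update.conf alone, no cfagent.conf yet).
            if cfagent_conf_present:
                raise BootstrapClosedError(f"{host}: configured host, refusing to learn a new key")
            self.pins[host] = fp
            return "trusted-first-use"
        if pinned != fp:
            # Same name, different key: possible impersonation. Refuse; never overwrite the pin.
            raise KeyChangedError(f"{host}: pinned {pinned[:16]}, presented {fp[:16]}")
        return "verified"


def run_demo() -> List[str]:
    """First contact, a normal repeat contact, a changed key, then a late newcomer."""
    store = TrustStore()
    server_key = b"constructed-server-key-v1"  # constructed stand-in for a real public key
    results = [store.check("cfserver.example", server_key, cfagent_conf_present=False),
               store.check("cfserver.example", server_key, cfagent_conf_present=True)]
    try:
        store.check("cfserver.example", b"constructed-server-key-v2", cfagent_conf_present=True)
    except KeyChangedError:
        results.append("key-changed-refused")
    try:
        store.check("other.example", b"constructed-other-key", cfagent_conf_present=True)
    except BootstrapClosedError:
        results.append("bootstrap-closed-refused")
    return results


if __name__ == "__main__":
    print(run_demo())
```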
