cfservd.conf tips
From: Marion Hakanson
Subject: cfservd.conf tips
Date: Mon, 11 Nov 2002 18:26:54 -0800
Folks,
Here are a few items that I couldn't easily find in the documentation
that might be helpful to other new users of cfservd. This is with
cfengine-2.0.5pre (and also 2.0.4) on SPARC/Solaris-2.6 and SPARC/Solaris-8.
Please feel free to point out where I missed something, and/or to add this
info into the cfengine docs as appropriate.
(1) The AllowConnectionsFrom, TrustKeysFrom, and so on variables in
cfservd.conf's control section seem to only work with numeric IP
addresses or ranges, and not hostnames. It looks (from debug logs)
like the names are accepted, but you'll never get a connection match.
Anyone know why? Is this a bug or a feature? I found it a bit
unexpected because you can use domain names (and patterns of them)
in the admit/deny sections.
(2) You can't use variables (macros) on the right-hand side of access
items in the "admit" section of cfservd.conf (presumably this is also
true for the "deny" section, but I haven't tested this). If you put
a quoted macro there, as in:

    admit:
       $(cfrunCommand) "$(policyhost)"

you'll get the following error message when cfservd starts up:

    cf:clnthost:/var/cfengine/inputs/cf.cfservd:39: Unknown item or out of context
    clnthost::Execution terminated after parsing due to errors in program

An unquoted macro in the same location allows cfservd to run, but
you end up with an empty access (admit) list.
Bug, feature, or high cranial density on my part? I found it unexpected
because macros work in the "control" section, and on the left-hand side
of admit/deny statements.
(3) There are a few access/sanity checks in the cfrun/cfservd authentication
process which weren't obvious to me. In addition to needing the public
key of the cfrun host on the client cfservd and vice versa, the client
cfservd needs in cfservd.conf to:
(a) define the "cfrunCommand" macro. Cfservd will warn you if the
path you define is not an absolute path, or if the object does
not exist, but if you leave it undefined (I naively expected there
to be a compiled-in default), it says nothing. You just get a
deliberately-vague "authentication failed" diagnostic.
(b) List at least "root" in the "AllowUsers" macro. As above, if you
leave this empty, you get "authentication failed". This is mentioned
somewhere in the documentation, but it was hard for me to find.
(c) You must give the cfrun host access to $(cfrunCommand) in the
"admit" section. Again, "authentication failed" is the indication
that you forgot to do this. I believe this requirement is alluded
to in one of the cfservd.conf examples, but not elsewhere.
Perhaps these three items (a, b, and c) could be added to that very
helpful primer on key exchange & security that came out last month.
As an aside, I also want to thank Mark for all those debug statements.
They'd be even more useful if cfservd (on Solaris, anyway) would put
stdout/stderr in line-buffered mode. As it stands now, if cfservd in
debug mode is redirected to a file, you don't get all the output in
"real time" until some buffer fills up (or you kill cfservd).
Regards,
--
Marion Hakanson <hakanson@cse.ogi.edu>
CSE Computing Facilities
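The following cfservd.conf fragment is an added example, not part of the original post, that puts items (1), (2) and (3a-c) above together into one configuration a client host would run: numeric addresses (not hostnames) in AllowConnectionsFrom and TrustKeysFrom, an absolute cfrunCommand, "root" in AllowUsers, and an admit line that grants the cfrun host access to $(cfrunCommand) with a literal address rather than a macro on the right-hand side. The addresses (192.0.2.0/24 and 192.0.2.10), the domain name, and the path /var/cfengine/bin/cfagent are constructed placeholders, and the use of a CIDR range in the control variables is an assumption; substitute your own values.

```cfengine
# cfservd.conf on a client host (cfengine 2.x).  Constructed example:
# addresses, domain and the cfagent path are placeholders, not real hosts.

control:

   domain = ( example.org )

   # (1) Only numeric addresses or ranges match here; hostnames are
   #     accepted by the parser but never produce a connection match.
   AllowConnectionsFrom = ( 192.0.2.0/24 )
   TrustKeysFrom        = ( 192.0.2.0/24 )

   # (3b) AllowUsers must list at least "root", otherwise cfrun gets a
   #      bare "authentication failed".
   AllowUsers = ( root )

   # (3a) cfrunCommand must be defined and absolute; leaving it out is
   #      silent at startup and again shows up only as "authentication failed".
   cfrunCommand = ( "/var/cfengine/bin/cfagent" )

   # Macros are fine in the control section (item 2): this one is used
   # on the left-hand side of an admit line below.
   inputs = ( /var/cfengine/inputs )

admit:

   # (3c) The cfrun host must be granted access to $(cfrunCommand).
   # (2)  Left-hand side may be a macro; right-hand side must be a
   #      literal address or domain pattern, not "$(policyhost)".
   $(cfrunCommand)  192.0.2.10

   # Ordinary file access for the rest of the network; domain names and
   # patterns are allowed on the right-hand side of admit/deny lines.
   $(inputs)        192.0.2.0/24 .example.org
```

A quick sanity check when a cfrun attempt fails with "authentication failed" is to walk these three control variables first (cfrunCommand defined and absolute, AllowUsers non-empty, the cfrun host's address present in both TrustKeysFrom and the $(cfrunCommand) admit line), since the diagnostic is deliberately the same for all three.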