help-cfengine

Re: cfkey help


From: Mark . Burgess
Subject: Re: cfkey help
Date: Sun, 1 Dec 2002 10:11:29 +0100 (MET)

On 30 Nov, Nate Campi wrote:
> I don't like accepting cfengine keys on trust any more than I like
> accepting ssh host keys on trust - I'll do it if I have to but not if I
> can avoid it.
> 
> I've been able to avoid having to trust cfengine keys by generating the
> keys on a central host and disting it to the client and servers via SSH
> priv key authentication. The only problem is that my script has to move
> the host's real key out of place while the client's key is being
> generated. I wish I could tell cfkey to generate a different filename.
> 
> CFINPUTS doesn't affect this. Is there any way to do what I want without
> hacking at cfkey's source? 

Nate, this could be added to cfkey I suppose, but I would recommend
a different strategy. Make sure that you understand what the trust
issue is really about. Cfengine is more paranoid than ssh on this,
but using ssh to distribute cfengine keys sounds a bit like using
a Jeep instead of a van because you don't like cars.
Take a look at this help file from the FAQ

http://www.cfengine.org/confdir/keys.html

I would recommend managing a time window for the key exchanges.

M

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





