Re: cfkey help
Mark . Burgess
Re: cfkey help
Sun, 1 Dec 2002 17:21:42 +0100 (MET)
I don't think this is a very good reason. Most folks will not have
to wait this long, and if one doesn't have time
to wait a week or so, then probably things are moving too quickly
anyway. I would not recommend anyone to switch to a complex
cfengine setup in the space of a week.
My personal guess is that the word "trust" gives people the creeps
because most people have an unnatural trust of SSH and nothing else.
That is silly. The reason I make a song and dance of this in the
cfengine manual is to make people aware of an important issue.
Using SSH is just burying your head in the sand -- the same
problem exists there.
On 1 Dec, skaar wrote:
>> > CFINPUTS doesn't affect this. Is there any way to do what I want without
>> > hacking at cfkey's source?
>> Nate, this could be added to cfkey I suppose, but I would recommend
>> a different strategy. Make sure that you understand what the trust
>> issue is really about. Cfengine is more paranoid than ssh on this,
>> but using ssh to distribute cfengine keys sounds a bit like using
>> a Jeep instead of a van because you don't like cars.
>> Take a look at this help file from the FAQ
> From a production point of view another reason to do this elsewhere
> than on each client, is that you normally don't have a couple of weeks
> to wait for cfenvd to gather enough data to give cfkey high entropy.
>> I would recommend managing a time window for the key exchanges.
Work: +47 22453272 Email: address@hidden
Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
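The thread's point is that ssh and cfengine face the same trust problem: the first time a peer's key shows up, something has to decide whether to believe it. Mark's suggestion is to manage a time window for the key exchanges. The following is an added example, not part of this thread and not cfengine or cfkey code: a small trust store that pins key fingerprints per host, admits previously unseen keys only inside an explicit exchange window, and can be pre-seeded with fingerprints obtained out of band (the "do this elsewhere than on each client" approach). Host names, key bytes and window times are constructed for the illustration; the policy generalizes to any trust-on-first-use scheme, ssh known_hosts included.

```python
"""Time-windowed trust-on-first-use key pinning (added example, not cfengine code)."""
import hashlib
import hmac
from dataclasses import dataclass, field


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 fingerprint of a public key blob (hex). Assumed format: raw key bytes."""
    return hashlib.sha256(pubkey).hexdigest()


@dataclass
class TrustStore:
    # Exchange window as epoch seconds; outside it no new keys are admitted.
    window_start: int
    window_end: int
    # host -> pinned fingerprint
    known: dict = field(default_factory=dict)

    def pin(self, host: str, fp: str) -> None:
        """Seed a fingerprint learned out of band (e.g. read off the server console)."""
        self.known[host] = fp

    def decide(self, host: str, pubkey: bytes, now: int) -> str:
        """Return one of: accept, accept-new, reject-mismatch, reject-unknown."""
        fp = fingerprint(pubkey)
        pinned = self.known.get(host)
        if pinned is not None:
            # Constant-time compare; a changed key for a known host is the alarming case.
            return "accept" if hmac.compare_digest(pinned, fp) else "reject-mismatch"
        if self.window_start <= now <= self.window_end:
            # First contact during the managed exchange window: pin it.
            self.known[host] = fp
            return "accept-new"
        # First contact outside the window: do not learn keys silently.
        return "reject-unknown"


# Constructed sample data: two hosts, two keys, window 1000..2000 (epoch seconds).
KEY_A = b"constructed-public-key-for-host-a"
KEY_B = b"constructed-public-key-for-host-b"


def run_scenario() -> list:
    """Walk through the policy on the constructed data and return the decisions."""
    store = TrustStore(window_start=1000, window_end=2000)
    out = []
    out.append(store.decide("host-a", KEY_A, now=1500))   # inside window: accept-new
    out.append(store.decide("host-a", KEY_A, now=9000))   # same key later: accept
    out.append(store.decide("host-a", KEY_B, now=9000))   # different key: reject-mismatch
    out.append(store.decide("host-b", KEY_B, now=9000))   # unknown, window closed: reject-unknown
    store.pin("host-b", fingerprint(KEY_B))               # seeded out of band
    out.append(store.decide("host-b", KEY_B, now=9000))   # now accepted
    return out


if __name__ == "__main__":
    for step, decision in enumerate(run_scenario(), 1):
        print(step, decision)
```

The window is what turns blind first-use trust into a deliberate act: keys learned while it is open are pinned, and anything new afterwards has to come through the out-of-band `pin` path rather than being accepted because it happened to arrive first.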