help-cfengine

Re: TrustKeysFrom .. a host netgroup?


From: Akop Pogosian
Subject: Re: TrustKeysFrom .. a host netgroup?
Date: Sat, 11 Jan 2003 16:09:51 -0800 (PST)

On Sat, 11 Jan 2003 address@hidden wrote:

>
> Ok, I hear you. The main reason for using IP addresses is that
> you normally want to trust a whole subnet at a time when setting
> up the keys. After that you switch off trust and be done
> with. I can add support for name lookup, but I have no use
> for it myself.
>
> I disagree with Luke -- I think DNS is much easier to spoof than IP
> addresses.
>
> M
>

Hello. What about the netgroups? For example, we have a situation
where there are many "untrusted" hosts on the same subnets with our
"trusted" hosts. We have already set up a netgroup (for NFS exports)
that includes only our hosts and it would be nice to be able to use it
in the cfservd configuration. Of course, it would be nice to install
all the hosts at once and then turn off trust but that is not an option
at our site since new host installation is an ongoing, almost daily,
task. I understand that this doesn't add a whole lot to security but I
also don't feel like either automatically trusting hosts that don't
need to use cfengine or duplicating the list of all our "trusted" IPs
in the cfservd.conf.


-akop



