On Thu, 2003-07-10 at 03:27, ext Christopher DeMarco wrote:
On Wed, Jul 09, 2003 at 10:11:53AM -0600, Allen Bettilyon wrote:
You 'could' just write a script that deletes all the keys from your
server every so often. And than turn trustkeys on.
That's what I'm currently doing, but it doesn't seem like the "right"
thing to do... I was hoping there was a secret undocumented switch or
the like...
One thing that you could try is to define all relevant IP address ranges
into TrustKeysFrom and DynamicAddresses
(cfengine-Reference.html#DynamicAddresses). That would tell cfengine
that even though it already has key for IP address 1.2.3.4, it should
trust others who might also be using IP address 1.2.3.4. This is what we
use in lab, where we occasionally JumpStart Solaris machines, which are
used in QA.
This is only partial solution in a sense that it doesn't turn
authentication off and you still should occasionally clean old keys
away, but it should make life little bit easier with cfengine.