help-cfengine
Re: Bootstrapping


From: Nate Campi
Subject: Re: Bootstrapping
Date: Wed, 18 Feb 2004 00:50:00 -0800
User-agent: Mutt/1.3.28i

On Wed, Feb 18, 2004 at 09:34:17AM +0100, address@hidden wrote:
> Yes, since I am always looking to make cfengine more in line with
> modern pervasive/mobile computing, I would welcome any suggestions
> on this. 
> 
> The main problem is that if a machine is roaming around, then
> how can a central server really know who it is without a key?
> Thus either one tries to match a key and derive identity from it,
> or something intrinsic to the host is needed. MAC address?

Still use a key, but don't force it to match a "root-DNSNAME.pub" or
"root-192.168.1.1.pub" file, check against a list of known keys and if
it matches one then allow it; or use the name as sent by the client to
match the key instead of the IP/name at the other end of the socket.
Basically I just want some way for known hosts to use an unknown IP.

It's kind of scary to open cfservd to the world like this, but it's
scarier to allow wandering hosts to go long periods without updates. :(

Right now I make outside dynamic hosts establish a VPN, and once using a
known private IP on the VPN all the cfengine key exchanges work. This is
fine on a small scale, but since cfengine has its own key exchange and
encryption I don't need the benefit of the VPN, and I'd like to go
without it.
-- 
Nate

"Go to Heaven for the climate, Hell for the company." - Samuel Clemens

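The three lookup policies discussed in this message, side by side, as an added example that is not part of the original post and is not cfengine code. It assumes the existing key exchange has already proven that the client holds the private key for the public key it presents; the key bytes, host names and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for a directory of public-key files named
# root-<IP or DNS name>.pub. The key bytes are placeholders, not real keys.
KEY_FILES = {
    "root-192.168.1.1.pub": b"constructed-public-key-A",
    "root-laptop.example.org.pub": b"constructed-public-key-B",
}

def _digest(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()

def _name_of(filename: str) -> str:
    # "root-laptop.example.org.pub" -> "laptop.example.org"
    return filename[len("root-"):-len(".pub")]

# Index of every known key by digest, so a key can be found without an address.
KNOWN_KEYS = {_digest(k): _name_of(f) for f, k in KEY_FILES.items()}

def by_peer_address(peer_ip: str, presented_key: bytes):
    """Address-bound policy: the socket's remote address picks the key file."""
    stored = KEY_FILES.get(f"root-{peer_ip}.pub")
    if stored is not None and hmac.compare_digest(stored, presented_key):
        return peer_ip
    return None

def by_known_key(presented_key: bytes):
    """First suggestion: accept any key on the known list, whatever the address.
    Identity is derived from the key, not from the connection."""
    return KNOWN_KEYS.get(_digest(presented_key))

def by_claimed_name(claimed_name: str, presented_key: bytes):
    """Second suggestion: the name sent by the client picks the key file.
    The name is untrusted input; it only counts if the key matches. With real
    files, validate it before building a path from it."""
    stored = KEY_FILES.get(f"root-{claimed_name}.pub")
    if stored is not None and hmac.compare_digest(stored, presented_key):
        return claimed_name
    return None

if __name__ == "__main__":
    roaming_ip = "203.0.113.7"            # constructed: known laptop, unknown IP
    key = b"constructed-public-key-B"
    print(by_peer_address(roaming_ip, key))             # rejected
    print(by_known_key(key))                            # identified by key
    print(by_claimed_name("laptop.example.org", key))   # identified by name + key
```

In both suggested policies the server still rejects anything whose key is not already on file; what changes is that the source address stops being part of the identity.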



