help-cfengine

HELP PLEASE: key distribution using CFengine


From: Lumpkin, Buddy
Subject: HELP PLEASE: key distribution using CFengine
Date: Thu, 11 Mar 2004 11:36:46 -0800

Hello All,

For the sake of this email, let’s say the client (n0319t50) IP is 10.1.45.22, and the server running cfservd (n0319p01) that I copy data from is 10.1.45.21.

I generated a fresh set of keys on a new host where I have installed CFengine. Then I copied over the public key from a server that has config files that get copied out to other systems.

So I have:

# ls /var/cfengine/ppkeys
localhost.priv       localhost.pub        root-10.1.45.21.pub  <-- IP address changed of course

On the server (n0319p01) I have not copied over the keys from the new client, but I have added the following line to cfagent.conf:

TrustKeysFrom = ( 10.1.45.22 10.1.45/24 )  <-- note same subnet and explicit IP address of the client in this stanza

I then restart cfservd for good measure on the server, but on the client it still complains about bad keys:

Checking copy from n0319p01:/etc/init.d/cfservd to /etc/init.d/cfservd
Connect to n0319p01 = 10.1.45.21, port h=5308
Loaded /var/cfengine/ppkeys/root-10.1.45.21.pub
cfengine:: BAD: key could not be accepted on trust
cfengine:: Authentication dialogue with x0319p01 failed
cfengine:: Unable to establish connection with n0319p01
Saving the setuid log in /var/cfengine/cfagent.n0319t50.log

If I copy over the localhost.pub as root-10.1.45.22.pub it works (of course).

Am I misunderstanding the TrustKeysFrom directive? I thought this was a way for keys to be exchanged from client to server automatically?

--Buddy

