help-cfengine

RE: Trust dilemma


From: Martin, Jason H
Subject: RE: Trust dilemma
Date: Fri, 9 Sep 2005 12:01:13 -0700

The line you are looking for is 'TrustKeysFrom'. Cfservd will trust the
key from any IP in the given subnet the first time it sees it; if a host
changes keys it will not be trusted.

EX:
TrustKeysFrom = ( 192.168 10.3 172.16 )

http://www.cfengine.org/docs/cfengine-Reference.html#TrustKeysFrom

-Jason Martin

-----Original Message-----
From: help-cfengine-bounces+jason.h.martin=cingular.com@gnu.org
[mailto:help-cfengine-bounces+jason.h.martin=cingular.com@gnu.org] On
Behalf Of Mark McCullough
Sent: Friday, September 09, 2005 10:06 AM
To: help-cfengine@gnu.org
Subject: Trust dilemma


I am trying to set up a fairly standardized system where junior
sysadmins are able to add new systems into the cfengine setup.  I have
most of the steps properly automated so that they do not need special
access on the cfengine master server, except for the issue of the new
client's public key.

I can't figure out a way to force cfservd to trust a range of IPs
despite the examples given in the reference guide.  I know what ranges
of IPs I want to trust, but it seems to only trust pre-existing keys or
individual IPs.  (I can't afford to manually add every single IP).

This is cfengine 3.1.15.

I've tried tricks like ACLs on the /var/cfengine/ppkeys directory, but
that causes complaints on the master server. 

Any suggestions or am I overthinking this?

-- 
mmccul@earthlink.net                                   Mark McCullough
"To announce that there must be no criticism of the President, or that 
we are to stand by the President, right or wrong, is not only 
unpatriotic and servile, but is morally treasonable to the American 
public." (Theodore Roosevelt, 1918)
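
The trust-on-first-use behaviour described in the reply, modelled as an added example; it is not cfengine code and not part of the original thread. The `KeyStore` class, the whole-octet prefix matching and the sample connections are assumptions constructed for illustration.

```python
import hashlib

# Prefixes from the reply's TrustKeysFrom example.
TRUST_KEYS_FROM = ["192.168", "10.3", "172.16"]

def in_trusted_range(ip, prefixes=TRUST_KEYS_FROM):
    """Match on whole octets (assumed), so "10.3" does not cover 10.30.x.x."""
    octets = ip.split(".")
    return any(octets[:len(p.split("."))] == p.split(".") for p in prefixes)

class KeyStore:
    """Hypothetical stand-in for the server's store of known client keys."""

    def __init__(self, prefixes=TRUST_KEYS_FROM):
        self.prefixes = prefixes
        self.known = {}  # ip -> SHA-256 fingerprint of the pinned public key

    def check(self, ip, pubkey):
        fp = hashlib.sha256(pubkey).hexdigest()
        pinned = self.known.get(ip)
        if pinned is not None:
            # A key is already pinned for this host: only that key is accepted.
            return "trusted" if pinned == fp else "rejected: key changed"
        if in_trusted_range(ip, self.prefixes):
            # First sighting inside a trusted range: pin the key.
            self.known[ip] = fp
            return "accepted on first use"
        return "rejected: unknown key outside trusted ranges"

def replay(connections):
    """Run (ip, pubkey) pairs through a fresh store and return each decision."""
    store = KeyStore()
    return [(ip, store.check(ip, key)) for ip, key in connections]

# Constructed sample connections (not taken from any real host).
SAMPLE = [
    ("10.3.7.20", b"key-A"),    # new host inside 10.3
    ("10.3.7.20", b"key-A"),    # same host, same key
    ("10.3.7.20", b"key-B"),    # same host, different key
    ("10.30.1.5", b"key-C"),    # shares the string "10.3" but not the octet
    ("172.16.0.9", b"key-D"),   # new host inside 172.16
]

if __name__ == "__main__":
    for ip, decision in replay(SAMPLE):
        print(f"{ip:12} {decision}")
```

Whichever key arrives first from an address in a trusted range is the one that gets pinned, so the ranges listed should be no wider than the networks new clients are actually built on.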



