help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: problems with trust


From: david . nelson
Subject: Re: problems with trust
Date: Mon, 19 Sep 2005 15:31:34 -0500


Hi Bill,

I run 'cfservd' on all systems - this allows me to do remote 'cfrun' commands.  So, I have a single cfservd.conf that I distribute out to _all_ systems.  In cfservd.conf, I basically have:

control:

  any::

    LogAllConnections = ( true )
    domain = ( mydomain.com )
    cfrunCommand = ( /var/cfengine/bin/cfagent )
    ChecksumDatabase = ( /var/cfengine/checksum-server.db )
    IfElapsed = ( 10 )
    AllowUsers = ( root )
    SyslogFacility = ( LOG_LOCAL3 )

  any.!cfserver_mydomain_com::  # Clients should only accept and trust a connection from the FQDN CFserver

    MaxConnections = ( 10 )
    AllowConnectionsFrom = ( 10.0.7.165 ) # CFserver IP
    TrustKeysFrom = ( 10.0.7.165 ) # CFserver IP

  cfserver_mydomain_com:: # The CFserver should accept and trust any clients but only from our subnets

    AllowConnectionsFrom = ( 10.0.0.0/16 192.168.0.0/16 ) # Our local subnets
    AllowMultipleConnectionsFrom = ( 10.0.0.0/16 192.168.0.0/16 ) # Our local subnets

admit:

  any::

    $(cfrunCommand) *.mydomain.com

  cfserver_mydomain_com::

    /var/cfengine/master_inputs *.mydomain.com
    /var/cfengine/master_modules *.mydomain.com
    /var/cfengine/master_scripts *.mydomain.com



I also make it a habit to restart 'cfservd' jsut to be sure althought cfservd is supposed to detect cfservd.conf updates and re-read the config file.



Now, I personally use a bootstrap CF file and also define a 'TrustKeysFrom' entry - so I imagine that you'd put the following line in 'update.conf':

TrustKeysFrom = ( 10.0.7.165 ) # Clients should only trust the CFserver

Regards,
         /\/elson



Bill Gunter <address@hidden>
Sent by: address@hidden

09/19/2005 02:42 PM

To
address@hidden
cc
Subject
Re: problems with trust





Sorry to re-post, but I'm afraid this has gotten lost in the din. I
really need to get this resolved, so any help would be greatly
appreciated.

bg

On Mon, 2005-09-12 at 12:51 -0500, Bill Gunter wrote:
> The clients and server are on the same network, 66.162.222.0/24. Here's
> the TrustKeys. The stuff on the 208.10.199.0/24 net works fine.
>
> TrustKeysFrom = (
>             208.10.199.0/24
>             66.162.222.0/24
>             216.54.235.0/24
>             192.168.199.0/24
> )
>
> On Mon, 2005-09-12 at 01:29 -0500, Tim Nelson wrote:
> > On Fri, 9 Sep 2005, Bill Gunter wrote:
> >
> > > I'm having trouble using trust to exchange keys. I got it working
> > for
> > > one server, but it's not working for another. I get this message on
> > the
> > > client while running 'cfagent -v'
> > >
> > > "cfengine:viper: BAD: key could not be accepted on trust"
> > >
> > > And similarly on the server from cfservd
> > >
> > > "No previous key found, and unable to accept this one on trust"
> > >
> > > I'm getting this when cfagent is parsing the update.conf file.
> > cfservd
> > > contains the correct TrustKeysFrom entries and update.conf has this:
> >
> >         Are the server and client on different sides of a NAT?
> >         What's your TrustKeysFrom line?
> >
> >         :)
> >
> > --  
> > Kind Regards,
> >  
> > Tim Nelson
> > Server Administrator
> >  
> > P: 03 9934 0888
> > F: 03 9934 0899
> > E: address@hidden
> > W: www.webalive.biz
> >  
> > WebAlive Technologies
> > Level 1, Innovation Building
> > Digital Harbour
> > 1010 La Trobe Street
> > Docklands Melbourne VIC 3008
> >
> > This email (including all attachments) is intended solely for the
> > named addressee. It is confidential and may contain legally privileged
> > information. If
> >
> > you receive it in error, please let us know by reply email, delete it
> > from your system and destroy any copies. This email is also subject to
> > copyright. No
> >
> > part of it should be reproduced, adapted or transmitted without the
> > written consent of the copyright owner.
> >
> > Emails may be interfered with, may contain computer viruses or other
> > defects and may not be successfully replicated on other systems. We
> > give no
> >
> > warranties in relation to these matters. If you have any doubts about
> > the authenticity of an email purportedly sent by us, please contact us
> > immediately.
> >
>
>
> _______________________________________________
> Help-cfengine mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/help-cfengine


_______________________________________________
Help-cfengine mailing list
address@hidden
http://lists.gnu.org/mailman/listinfo/help-cfengine


reply via email to

[Prev in Thread] Current Thread [Next in Thread]