DynamicAddresses not working?
From: Jakub Turski
Subject: DynamicAddresses not working?
Date: Tue, 6 Dec 2005 12:21:19 +0100
User-agent: Mutt/1.5.11

Hi *,

My setup: one policy host, quite a few clients, each with two sets of disks.
Each client can be booted from either set of disks. To make key management
easier, I've put the IPs of those clients into both the DynamicAddresses and
TrustKeysFrom variables in the policy host's cfservd.conf. But it looks like the
DynamicAddresses stanza is ignored: once I've connected from the first set of
disks to the server (and made the key exchange), I cannot do cfrun when this
client is booted from the second set of disks. What is funny: cfagent from the
client to server works, cfrun from server to client does not:

cfrun(0): .......... [ Hailing kajko.tb ] ..........
cfrun:dywersant.tb: BAD: Host authentication failed. Did you forget the domain
name or IP/DNS address registration (for ipv4 or ipv6)?
cfrun:dywersant.tb: Key-authentication for dywersant.tb failed

At the same time, when I run cfagent from the client:

cfservd on the policy host, dywersant:

cfservd: Accepting connection from 192.168.7.102
cfservd: Allowing 192.168.7.102 to connect without (re)checking ID
Non-verified Host ID is kajko.tb (Using skipverify)
Non-verified User ID seems to be root (Using skipverify)
Updating last-seen time for kajko.tb
Loaded /var/lib/cfengine2/ppkeys/root-192.168.7.102.pub
A public key was already known from kajko.tb/192.168.7.102 - no trust required
Adding IP 192.168.7.102 to SkipVerify - no need to check this if we have a key
cfservd: Strong authentication of client kajko.tb/192.168.7.102 achieved

(I'm not using SkipVerify at all, I don't know why I get those messages...)

cfagent on the client, kajko:

Checking copy from 192.168.8.98:/var/lib/cfengine2/inputs/cfagent to
/var/cfengine/inputs
Connect to 192.168.8.98 = 192.168.8.98 on port cfengine
Updating last-seen time for 192.168.8.98
Loaded /var/cfengine/ppkeys/root-192.168.8.98.pub
...............................................................
cfengine:: Strong authentication of server=192.168.8.98 connection confirmed

I've checked the md5sum of the keys:

client:
9cb834fd1ab420ca6ee5f3cafaa4e37c localhost.pub
ea3280ca28b5649f6697ae410338d65d root-192.168.8.98.pub

server:
ea3280ca28b5649f6697ae410338d65d localhost.pub
5d72e4fe78063de437ab66bf623e2316 root-192.168.7.102.pub

As you can see, the client pubkey on the server is different (from the other
diskset), but why on earth is it not updated during the cfagent run? Of course,
when I delete the root-192.168.7.102.pub file from the server keys, it works, but
that's a rather crude solution, as hosts can be rebooted (switching disksets) at
various times. I can also take care that both disksets have the same keys, but
I'd like to know WHY the behaviour of cfservd is different from documented :(

Anyone?

Regards,
KT.
--
__ __.---------------------------------------------------------------.__
(oo) | And God said, "E=2mv^2+2P/r" and there was popcorn! |
/ \/ \ | |
`V__V' `--.__penguin_#128720______________________________________________.--'
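
The md5sum comparison from the message above, written as a script (an added example, not part of the original post and not cfengine code). It assumes only the `localhost.pub` and `root-<ip>.pub` file names shown in the post; the directory arguments, the function names and the key bytes in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path):
    """Same digest md5sum prints; used only to compare files, as in the post."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest()


def check_trust(client_keys, client_ip, server_keys, server_ip):
    """Cross-check two ppkeys directories: each side's own localhost.pub
    against the copy the peer has stored as root-<ip>.pub."""
    client_keys, server_keys = Path(client_keys), Path(server_keys)
    pairs = {
        "server_has_client_key": (client_keys / "localhost.pub",
                                  server_keys / f"root-{client_ip}.pub"),
        "client_has_server_key": (server_keys / "localhost.pub",
                                  client_keys / f"root-{server_ip}.pub"),
    }
    result = {}
    for name, (own, stored) in pairs.items():
        if not stored.exists():
            result[name] = "missing"      # peer has never stored this key
        elif md5_of(own) == md5_of(stored):
            result[name] = "match"
        else:
            result[name] = "mismatch"     # stale copy, e.g. from another diskset
    return result


def demo():
    """Constructed scenario: the client booted from its second diskset while
    the server still stores the public key of the first diskset."""
    with tempfile.TemporaryDirectory() as tmp:
        client, server = Path(tmp, "client"), Path(tmp, "server")
        client.mkdir()
        server.mkdir()
        (server / "localhost.pub").write_bytes(b"constructed server key")
        (client / "root-192.168.8.98.pub").write_bytes(b"constructed server key")
        (client / "localhost.pub").write_bytes(b"constructed key, diskset 2")
        (server / "root-192.168.7.102.pub").write_bytes(b"constructed key, diskset 1")
        return check_trust(client, "192.168.7.102", server, "192.168.8.98")


if __name__ == "__main__":
    for relation, state in demo().items():
        print(f"{relation}: {state}")
```

Run against copies of the real ppkeys directories, a `mismatch` on `server_has_client_key` corresponds to the differing `root-192.168.7.102.pub` digest listed in the post.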