help-cfengine

DynamicAddresses not working?


From: Jakub Turski
Subject: DynamicAddresses not working?
Date: Tue, 6 Dec 2005 12:21:19 +0100
User-agent: Mutt/1.5.11

Hi *,

 My setup: one policy host, quite a few clients, each with two sets of disks.
 Each client can be booted from either set of disks. To make key management
 easier, I've put the IPs of those clients in both the DynamicAddresses and
 TrustKeysFrom variables in the policy host's cfservd.conf. But it looks like the
 DynamicAddresses stanza is ignored: once I've connected from the first set of
 disks to the server (and made the key exchange), I cannot do cfrun when this
 client is booted from the second set of disks. What is funny: cfagent from the
 client to server works, cfrun from server to client does not:

cfrun(0):         .......... [ Hailing kajko.tb ] ..........
cfrun:dywersant.tb: BAD: Host authentication failed. Did you forget the domain name or IP/DNS address registration (for ipv4 or ipv6)?
cfrun:dywersant.tb: Key-authentication for dywersant.tb failed
 
 At the same time, when I run cfagent from the client:

cfservd on the policy host, dywersant:

cfservd: Accepting connection from 192.168.7.102
cfservd: Allowing 192.168.7.102 to connect without (re)checking ID
Non-verified Host ID is kajko.tb (Using skipverify)
Non-verified User ID seems to be root (Using skipverify)
Updating last-seen time for kajko.tb
Loaded /var/lib/cfengine2/ppkeys/root-192.168.7.102.pub
A public key was already known from kajko.tb/192.168.7.102 - no trust required
Adding IP 192.168.7.102 to SkipVerify - no need to check this if we have a key
cfservd: Strong authentication of client kajko.tb/192.168.7.102 achieved

 (I'm not using SkipVerify at all, I don't know why I get those messages...)

cfagent on the client, kajko:

Checking copy from 192.168.8.98:/var/lib/cfengine2/inputs/cfagent to /var/cfengine/inputs
Connect to 192.168.8.98 = 192.168.8.98 on port cfengine
Updating last-seen time for 192.168.8.98
Loaded /var/cfengine/ppkeys/root-192.168.8.98.pub

...............................................................
cfengine:: Strong authentication of server=192.168.8.98 connection confirmed

 I've checked the md5sum of the keys:

client:
9cb834fd1ab420ca6ee5f3cafaa4e37c  localhost.pub
ea3280ca28b5649f6697ae410338d65d  root-192.168.8.98.pub

server:
ea3280ca28b5649f6697ae410338d65d  localhost.pub
5d72e4fe78063de437ab66bf623e2316  root-192.168.7.102.pub

 As you can see, the client pubkey on the server is different (from the other
diskset), but why on earth is it not updated during the cfagent run? Of course, when
I delete the root-192.168.7.102.pub file from the server keys, it works, but
that's a rather crude solution, as hosts can be rebooted (switching disksets) at
various times. I can also take care that both disksets have the same keys, but
I'd like to know WHY the behaviour of cfservd is different from what is documented :(

Anyone?

Regards,

KT.
-- 
   __    __.---------------------------------------------------------------.__
  (oo)  |        And God said, "E=2mv^2+2P/r" and there was popcorn!          |
 / \/ \ |                                                                     |
 `V__V' `--.__penguin_#128720______________________________________________.--'
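
The md5sum comparison described in the message above, automated as an added example that is not part of the original post: it checks the key the server holds in ppkeys/root-<IP>.pub against each disk set's localhost.pub and reports a match, a stale key, or a missing key. The function names, the disksetA/disksetB directories and the key contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): detect a stale client key in a
# cfservd ppkeys directory by comparing digests, as the post does with md5sum.

# Print the md5 hex digest of a file.
key_digest() {
    md5sum "$1" | awk '{print $1}'
}

# check_stored_key PPKEYS_DIR CLIENT_IP CANDIDATE_KEY...
# Compares PPKEYS_DIR/root-CLIENT_IP.pub with each candidate localhost.pub.
# Prints "MATCH <file>" (exit 0), "STALE" (exit 1) or "MISSING" (exit 2).
check_stored_key() {
    ppkeys=$1; ip=$2; shift 2
    stored="$ppkeys/root-$ip.pub"
    if [ ! -f "$stored" ]; then echo "MISSING"; return 2; fi
    want=$(key_digest "$stored")
    for cand in "$@"; do
        if [ "$(key_digest "$cand")" = "$want" ]; then
            echo "MATCH $cand"; return 0
        fi
    done
    echo "STALE"; return 1
}

# Build constructed sample data: two disk sets with different keys, and a
# server ppkeys directory that only knows the key from disk set A.
# The file contents are placeholders, not real cfengine keys.
make_fixture() {
    d=$1
    mkdir -p "$d/disksetA" "$d/disksetB" "$d/server/ppkeys"
    echo "constructed-public-key-A" > "$d/disksetA/localhost.pub"
    echo "constructed-public-key-B" > "$d/disksetB/localhost.pub"
    cp "$d/disksetA/localhost.pub" "$d/server/ppkeys/root-192.168.7.102.pub"
}

tmp=$(mktemp -d)
make_fixture "$tmp"
# Client booted from disk set B: the server's stored key does not match.
check_stored_key "$tmp/server/ppkeys" 192.168.7.102 "$tmp/disksetB/localhost.pub" || true
# Given both disk sets' keys, report which one the server currently trusts.
check_stored_key "$tmp/server/ppkeys" 192.168.7.102 \
    "$tmp/disksetA/localhost.pub" "$tmp/disksetB/localhost.pub" || true
rm -rf "$tmp"
```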



