help-cfengine

Re: CFEngine and Road Warriors with dynamic IPs


From: Andreas Küchler
Subject: Re: CFEngine and Road Warriors with dynamic IPs
Date: Tue, 03 Jan 2006 17:59:29 +0100
User-agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)

Hi,

skipping verification is not an option. The problem I have is not
verification in general (this is a feature I really need). The problem
is that cfengine does not trust the hostname sent by the client but does
a reverse lookup of the incoming IP address instead. With DSL road
warriors this will fail sure as hell.
Each of my clients has its own unique hostname (which can be queried on
a dynamic DNS server) but the IPs it is coming from will vary
greatly over time.

This is how I think it could work:

1) Keys are exchanged - the client key is stored under its unique DNS name
2) Client comes in and sends its hostname and key
3) cfengine looks up the key by the incoming hostname

You'll say this is less secure than checking the reverse lookup via DNS
- yes maybe. But I guess it is easier to fake a reverse DNS than an SSH key.

best regards

With kind regards

Andreas Kuechler

Head of Networks and Service

Cisco Certified Design Professional CCDP(TM) and CCNA(TM)
==============================================================
                                     Giegerich & Partner GmbH
+49 6103 5881 phone 71               Daimlerstrasse 1H
              fax   79               63303 Dreieich
                                     Germany
http://www.giepa.de                  andreas.kuechler@giepa.de
==============================================================
GnuPG Key 0xC362534F available at http://blackhole.pca.dfn.de/
Fingerprint 47BF 25EC 0CA3 53EF 85E8  E6A6 71F0 0380 C362 534F

Mark Burgess wrote:
> On Fri, 2005-12-30 at 10:34 +0100, Andreas Küchler wrote:
> 
>>Hi,
>>
>>I'm just experimenting with cfengine. In my situation I have a central
>>server with fixed IP address and many machines with changing IP
>>addresses (DSL Road Warriors).
>>
>>My current implementation relies on SSH key trust where the clients hold
>>the public key of the server and thus allow him to make changes (true
>>this is a push method and you'll say that pulling is better, but hey
>>this is obviously just the reason I'm looking for cfengine as a
>>replacement solution ;-))
>>
>>I've tried to set up a central cfengine server and establish a trust to
>>a client. As long as the client keeps its IP address all goes well. But
>>this ideal situation only lasts 24 hours until the German ISP kills its
>>connection and assigns a new IP.
>>
>>Using HostnameKeys = ( on ) is also no solution because cfengine uses
>>the DNS name via reverse lookup for the host - which obviously is not
>>the name of the client but the dummy name the ISP has configured for the
>>Road Warrior IP the client just bought.
> 
> 
> Have you tried to use SkipVerify?
> 
> 
> 
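The key-by-hostname scheme Andreas sketches, written out as an added illustration that is not taken from cfengine or from anyone in the thread. It models both server-side checks side by side: the reverse-lookup behaviour he complains about, where the PTR name of the connecting IP must match a trusted name, and the proposed one, where the client's claimed hostname only selects a stored key and the connection is trusted only if the client proves possession of that key against a fresh server nonce. An HMAC secret per host stands in for the client's asymmetric key (a simplification, so it runs with the standard library alone); the hostnames, IPs, key material and reverse-DNS table are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed trust store: the client's unique (dynamic-DNS) hostname indexes the
# key exchanged at enrolment. An HMAC secret stands in for the public key a real
# deployment would store; the logic is the same: look the key up by the claimed
# name, then check a proof of possession before trusting anything the peer said.
TRUSTED_KEYS = {
    "laptop-andreas.dyndns.example": b"constructed-key-material-laptop-andreas",
    "laptop-bob.dyndns.example": b"constructed-key-material-laptop-bob",
}

# Constructed reverse-DNS table: what a PTR lookup of the connecting IP returns.
# A DSL road warrior's PTR record is the ISP's generic name, never the client's.
REVERSE_DNS = {
    "203.0.113.5": "dsl-203-0-113-5.isp.example",
    "198.51.100.7": "dsl-198-51-100-7.isp.example",
}


def new_challenge() -> bytes:
    """Server side: a fresh random nonce, so a captured proof cannot be replayed."""
    return secrets.token_bytes(16)


def client_prove(hostname: str, key: bytes, nonce: bytes) -> tuple:
    """Client side: send the claimed hostname plus a proof bound to nonce and name."""
    proof = hmac.new(key, nonce + hostname.encode(), hashlib.sha256).digest()
    return hostname, proof


def verify_by_hostname(claimed_host: str, nonce: bytes, proof: bytes) -> bool:
    """Server side, the proposed scheme: the claimed hostname only selects the key;
    the peer is trusted only if the proof verifies under that key."""
    key = TRUSTED_KEYS.get(claimed_host)
    if key is None:
        return False  # unknown name: nothing to verify against
    expected = hmac.new(key, nonce + claimed_host.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


def verify_by_reverse_dns(peer_ip: str) -> bool:
    """Server side, the reverse-lookup behaviour from the thread: the PTR name of
    the connecting IP must itself be a name in the trust store."""
    return REVERSE_DNS.get(peer_ip) in TRUSTED_KEYS


def demo() -> dict:
    """Run both checks for a legitimate road warrior and for a wrong-key client."""
    nonce = new_challenge()
    host = "laptop-andreas.dyndns.example"
    # legitimate client, connecting from whatever IP the ISP handed out today
    name, proof = client_prove(host, TRUSTED_KEYS[host], nonce)
    # a client claiming the same name but holding a different key
    _, bad_proof = client_prove(host, b"constructed-other-key", nonce)
    return {
        "reverse_dns_accepts_road_warrior": verify_by_reverse_dns("203.0.113.5"),
        "key_lookup_accepts_legit": verify_by_hostname(name, nonce, proof),
        "key_lookup_rejects_wrong_key": not verify_by_hostname(host, nonce, bad_proof),
        "key_lookup_rejects_unknown_host": not verify_by_hostname("nobody.example", nonce, proof),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The reverse-DNS check rejects the legitimate road warrior outright, because its PTR name is the ISP's and never appears in the trust store, while the key lookup accepts it from any address and still rejects a peer that names a trusted host without holding its key. Binding the proof to a per-connection nonce is what keeps the hostname claim from being replayed; the name itself is never trusted, it is only the index into the key store.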