
Re: CFEngine and Road Warriors with dynamic IPs

From: Marco van Beek
Subject: Re: CFEngine and Road Warriors with dynamic IPs
Date: Tue, 03 Jan 2006 17:20:05 +0000
User-agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)


Someone else on this list posted about using ssh tunnels. Perhaps what you could do is connect the client via ssh to an ssh server, and then from there to the cfserver. You could then set that IP address to be trusted and allow multiple connections.



Andreas Küchler wrote:

Skipping verification is not an option. The problem I have is not
verification in general (this is a feature I really need). The problem
is that cfengine does not trust the hostname sent by the client but does
a reverse lookup of the incoming IP address instead. With DSL road
warriors this will fail, sure as hell.
Each of my clients has its own unique hostname (which can be queried on
a dynamic DNS server), but the IPs it is coming from will vary
greatly over time.

This is how I think it could work:

1) Keys are exchanged - the client key is stored under its unique DNS name
2) Client comes in and sends its hostname and key
3) cfengine looks up the key by the incoming hostname

You'll say this is less secure than checking the reverse lookup via DNS
- yes, maybe. But I guess it is easier to fake a reverse DNS than an SSH key.

Best regards,

Andreas Kuechler

Head of Networks and Service

Cisco Certified Design Professional CCDP(TM) and CCNA(TM)
Giegerich & Partner GmbH
Daimlerstrasse 1H
63303 Dreieich
Germany
Phone: +49 6103 5881-71
Fax:   +49 6103 5881-79
address@hidden
GnuPG Key 0xC362534F available at
Fingerprint 47BF 25EC 0CA3 53EF 85E8  E6A6 71F0 0380 C362 534F

Mark Burgess wrote:

On Fri, 2005-12-30 at 10:34 +0100, Andreas Küchler wrote:


I'm just experimenting with cfengine. In my situation I have a central
server with a fixed IP address and many machines with changing IP
addresses (DSL road warriors).

My current implementation relies on SSH key trust where the clients hold
the public key of the server and thus allow it to make changes (true,
this is a push method and you'll say that pulling is better, but hey,
this is obviously just the reason I'm looking for cfengine as a
replacement solution ;-)).

I've tried to set up a central cfengine server and establish a trust to
a client. As long as the client keeps its IP address all goes well. But
this ideal situation only lasts 24 hours until the German ISP kills its
connection and assigns a new IP.

Using HostnameKeys = ( on ) is also no solution because cfengine uses
the DNS name via reverse lookup for the host - which obviously is not
the name of the client but the dummy name the ISP has configured for the
road warrior IP the client just got.

Have you tried using SkipVerify?

Help-cfengine mailing list

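The three-step scheme Andreas sketches (key stored under the client's unique DNS name, client announces its name, server looks the key up by that name) hinges on one point the thread leaves implicit: the announced hostname is only a claim, so the server must verify against the key it has *stored* for that name and demand proof of possession (a signature over a fresh nonce), not verify against a key the client sends along. The model below is an added example written for this page; it is not code from the thread or from CFEngine, and it does not reproduce cfengine's key format or protocol. The RSA is a textbook toy (random probable primes, unpadded SHA-256) so that it runs on the Python standard library (3.8+); the hostnames are constructed. It shows the strict lookup accepting the enrolled laptop from any IP, rejecting an impostor who claims the same name with a different key, and rejecting a replayed signature, alongside the weak "trust the key that arrived" variant that the impostor passes.

```python
"""Toy trust store keyed by the client's own DNS name (added illustration,
not cfengine code). RSA here is a toy for stdlib-only demonstration."""
import hashlib
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin test; good enough for toy key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits=256):
    """Return ((n, e), (n, d)); n is ~512 bits so a SHA-256 digest is < n."""
    e = 65537
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _digest_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    n, d = priv
    return pow(_digest_int(msg, n), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg, n)


class HostKeyedTrust:
    """Keys indexed by the hostname agreed at enrolment; the incoming IP
    address and its reverse lookup play no part in the decision."""

    def __init__(self):
        self._keys = {}  # hostname -> public key

    def enroll(self, hostname, pub):
        # Step 1: key exchanged out of band and stored under the DNS name.
        # Never silently replace an enrolled key, or claiming a name would
        # be enough to re-enrol an attacker's key under it.
        if hostname in self._keys and self._keys[hostname] != pub:
            raise ValueError(f"a different key is already enrolled for {hostname}")
        self._keys[hostname] = pub

    def new_challenge(self):
        return secrets.token_bytes(32)

    def authenticate(self, claimed_host, nonce, sig):
        # Steps 2-3: look up the *stored* key for the claimed name and require
        # a signature over this fresh nonce; the name alone is just a claim.
        pub = self._keys.get(claimed_host)
        return pub is not None and verify(pub, nonce, sig)

    def authenticate_trusting_sent_key(self, sent_pub, nonce, sig):
        # Weak reading of step 2: verifying against whatever key arrives only
        # proves the sender owns that key, not that it belongs to the name.
        return verify(sent_pub, nonce, sig)


def run_scenario():
    """Legitimate client, impostor, replay and unknown name, in one run."""
    server = HostKeyedTrust()
    host = "laptop1.dyn.example.net"  # constructed dynamic-DNS name
    laptop_pub, laptop_priv = keygen()
    server.enroll(host, laptop_pub)
    nonce = server.new_challenge()
    legit = server.authenticate(host, nonce, sign(laptop_priv, nonce))
    imp_pub, imp_priv = keygen()  # impostor claims the same name
    nonce2 = server.new_challenge()
    imp_sig = sign(imp_priv, nonce2)
    return {
        "legit": legit,
        "impostor_strict": server.authenticate(host, nonce2, imp_sig),
        "impostor_weak": server.authenticate_trusting_sent_key(imp_pub, nonce2, imp_sig),
        "replay": server.authenticate(host, nonce2, sign(laptop_priv, nonce)),
        "unknown": server.authenticate("nobody.dyn.example.net", nonce2,
                                       sign(laptop_priv, nonce2)),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The refusal in `enroll` to overwrite an existing key is the other half of the argument in the thread: with a name-keyed store, the enrolment step, not the reverse lookup, is what an attacker would have to subvert, so it needs to be a one-time, out-of-band operation rather than a first-connection "trust whatever shows up" exchange.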