help-cfengine

Re: CFEngine and Road Warriors with dynamic IPs


From: Jason Edgecombe
Subject: Re: CFEngine and Road Warriors with dynamic IPs
Date: Tue, 03 Jan 2006 19:34:20 -0500
User-agent: Mozilla Thunderbird 1.0.6 (Macintosh/20050716)

Andreas Küchler wrote:

Hi,

I'm just experimenting with cfengine. In my situation I have a central
server with a fixed IP address and many machines with changing IP
addresses (DSL road warriors).

My current implementation relies on SSH key trust where the clients hold
the public key of the server and thus allow it to make changes (true,
this is a push method and you'll say that pulling is better, but hey,
this is obviously just the reason I'm looking for cfengine as a
replacement solution ;-))

I've tried to set up a central cfengine server and establish a trust to
a client. As long as the client keeps its IP address all goes well. But
this ideal situation only lasts 24 hours until the German ISP kills its
connection and assigns a new IP.

Using HostnameKeys = ( on ) is also no solution because cfengine uses
the DNS name via reverse lookup for the host - which obviously is not
the name of the client but the dummy name the ISP has configured for the
road warrior IP the client just got.

Is there any way to use the SSH keys one can generate with ssh-keygen
instead of the automated approach cfengine tries? Has anyone a solution
for my problem? Am I missing some obvious point?

Hi Andreas,

I don't know of a native cfengine way of dealing with this, but I have some ideas.

1. Delete the host keys of dynamic clients frequently (hourly?). cfengine will trust the client if it hasn't seen it before. Doing this means that you always trust your clients.

2. Use an alternative method of downloading the policy. Here is an example: http://lists.gnu.org/archive/html/help-cfengine/2003-12/msg00073.html. Russell Adams uses HTTP to download the policies, which are GPG-signed and verified upon download. cfengine then runs the policies normally. This is just replacing cfengine's default mechanism with HTTP. This also implicitly trusts the client.

3. Use a VPN to create a private network for cfengine communication. Then you could assign static IP addresses to each road warrior and route the cfengine traffic over the VPN. cfengine sees every laptop as having a static IP address and life is good. In this method, both the VPN and cfengine are used to verify the clients.


FYI, I have only had experience with #1, with manual deletion of keys. I haven't tried #2 or #3, YMMV.

If I had to choose, I would probably go with #2 for road warriors because HTTP is almost always allowed through firewalls. In the general case, a road warrior may connect to a restricted wireless network or something. In this case everything except HTTP may be blocked. I know that this is more general than your case of using a known ISP. The biggest problem with #2 is that you would need to modify your copy statements to use HTTP or bundle all files in the download.

#3 would let you preserve most of the cfengine functionality, but it introduces a dependency.

I hope this helps.

Jason
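Option #2 above (pull the policy over plain HTTP, verify a detached signature, only then let the agent run it), as an added example that is not part of Jason's reply, of Russell Adams' setup, or of cfengine itself. The thread's suggestion uses gpg-signed policies; this stand-in uses Ed25519 from Go's standard library and an in-process test HTTP server so that both sides of the exchange run offline. The URL paths, file names, size cap and sample policy text are assumptions; the "tampered" server models a hostile network or mirror between the road warrior and the master, which is exactly the case a laptop on untrusted Wi-Fi has to survive.

```go
package main

// Added example (not from the thread or the cfengine project): a road-warrior
// client that pulls its policy bundle over plain HTTP and refuses to use it
// unless a detached signature verifies against a public key pinned in the
// client. The thread's suggestion uses gpg; this stand-in uses Ed25519 from
// the Go standard library so the whole exchange runs offline. URL paths,
// file names, the size cap and the sample policy text are assumptions.

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// samplePolicy stands in for the policy archive the master publishes.
// It is constructed sample text, not real policy from the page.
const samplePolicy = "control:\n  actionsequence = ( files )\nfiles:\n  /etc/motd mode=644 owner=root\n"

// ErrBadSignature is returned when the downloaded bundle does not match its signature.
var ErrBadSignature = errors.New("policy bundle: signature does not verify against pinned key")

const maxBundleBytes = 8 << 20 // refuse absurdly large downloads before verifying (assumed cap)

// GenerateSigningKey creates the master's signing keypair. In practice the
// private half stays on the master; only the public key is shipped to clients.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewPolicyServer serves a bundle and its detached signature. With tamper set,
// the served bundle differs from what was signed, modelling a hostile network
// (or a compromised mirror) between road warrior and master.
func NewPolicyServer(priv ed25519.PrivateKey, bundle []byte, tamper bool) *httptest.Server {
	sig := ed25519.Sign(priv, bundle) // signed once, at publish time, on the master
	served := bundle
	if tamper {
		served = append(append([]byte(nil), bundle...), []byte("shellcommands:\n  \"/bin/sh -c id\"\n")...)
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/policy.tar", func(w http.ResponseWriter, r *http.Request) { w.Write(served) })
	mux.HandleFunc("/policy.tar.sig", func(w http.ResponseWriter, r *http.Request) { w.Write(sig) })
	return httptest.NewServer(mux)
}

// VerifyingFetcher is the client side: it holds only the pinned public key.
type VerifyingFetcher struct {
	Pub    ed25519.PublicKey
	Client *http.Client
}

// Fetch downloads bundle and signature from base and returns the bundle only
// if the signature verifies. Nothing is written to disk or run before that.
func (f *VerifyingFetcher) Fetch(base string) ([]byte, error) {
	bundle, err := httpGet(f.Client, base+"/policy.tar")
	if err != nil {
		return nil, err
	}
	sig, err := httpGet(f.Client, base+"/policy.tar.sig")
	if err != nil {
		return nil, err
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(f.Pub, bundle, sig) {
		return nil, ErrBadSignature
	}
	return bundle, nil
}

// httpGet fetches one URL, insisting on 200 and capping the body size.
func httpGet(c *http.Client, url string) ([]byte, error) {
	resp, err := c.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %s: %s", url, resp.Status)
	}
	return io.ReadAll(io.LimitReader(resp.Body, maxBundleBytes))
}

func main() {
	pub, priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	for _, tamper := range []bool{false, true} {
		srv := NewPolicyServer(priv, []byte(samplePolicy), tamper)
		f := &VerifyingFetcher{Pub: pub, Client: srv.Client()}
		got, err := f.Fetch(srv.URL)
		srv.Close()
		fmt.Printf("tampered=%v accepted=%v err=%v\n", tamper, err == nil && string(got) == samplePolicy, err)
	}
}
```

Two caveats the thread's own words imply. First, this only protects what the client applies; as Jason notes for #2, the server still cannot tell one client from another, so anything a road warrior should not be allowed to read cannot go into the bundle. Second, the pinned public key has to reach each laptop out of band (in the install image or by hand), and rotating it means shipping a new key the same way before the old one is retired; a key that arrives over the same unauthenticated HTTP channel verifies nothing.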
