>> I have spent a lot of time debugging authentication problems over the
>> last few weeks of implementing cfengine on our network. It seems that
>> the hostname must match the forward dns which must match the reverse
>> dns and the ip must be in the cfservd.conf as well as the domain and
>> you must have the right key or trustkeys turned on (bad idea)
>> and...what else is there? There are a ton of little details that must
>> all be just right. It's almost like there should be a checklist or
>> something. If you are a bad guy you won't have a key so even if you do
>> get everything set up there is no problem.

This whole issue of trust really needs to be understood. Just because cfengine insists that you confront this problem does not make it less secure than any other tool (like ssh) which partially hides it. Using trustkey is not a bad idea as long as you follow protocol.

Take a look at the draft booklet I sent you, which contains the checklist you request.

Your specific problem is probably related to AllowMultipleConnectionsFrom.

M
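
The forward/reverse DNS agreement mentioned in the quoted message can be checked on its own before looking at cfservd.conf or keys. The following is an added example, not part of the original thread and not cfengine code; the function names, host names and addresses are constructed for illustration, and it covers only the DNS items of the checklist.

```python
import socket

def system_forward(name):
    """Addresses the system resolver returns for a host name."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def system_reverse(ip):
    """Primary name from the PTR lookup for an address, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_dns_consistency(hostname, ip, forward=system_forward, reverse=system_reverse):
    """Return a list of mismatches; an empty list means forward and reverse DNS agree."""
    problems = []
    fwd = forward(hostname)
    if not fwd:
        problems.append(f"forward: {hostname} does not resolve")
    elif ip not in fwd:
        problems.append(f"forward: {hostname} resolves to {sorted(fwd)}, not {ip}")
    ptr = reverse(ip)
    if ptr is None:
        problems.append(f"reverse: no PTR record for {ip}")
    else:
        if ptr.rstrip(".").lower() != hostname.rstrip(".").lower():
            problems.append(f"reverse: {ip} maps to {ptr}, not {hostname}")
        if ip not in forward(ptr):
            problems.append(f"reverse: {ptr} does not resolve back to {ip}")
    return problems

# Constructed sample zone data (documentation addresses) so the check runs offline.
SAMPLE_A = {"client1.example.org": {"192.0.2.10"},
            "client2.example.org": {"192.0.2.11"},
            "old-name.example.org": {"192.0.2.99"}}
SAMPLE_PTR = {"192.0.2.10": "client1.example.org",
              "192.0.2.11": "old-name.example.org"}  # stale PTR record

def sample_forward(name):
    return SAMPLE_A.get(name, set())

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip)

if __name__ == "__main__":
    for host, ip in [("client1.example.org", "192.0.2.10"),
                     ("client2.example.org", "192.0.2.11")]:
        issues = check_dns_consistency(host, ip, sample_forward, sample_reverse)
        print(host, ip, "OK" if not issues else issues)
```

Calling `check_dns_consistency(hostname, ip)` without the last two arguments uses the system resolver, so run it on the server host to see the names as the server would resolve them.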
