Excellent, Nicolas! I want to run the community edition on systems not 
connected with our main network, and the nuances between that and Nova 
can be baffling.

I found a section that says a little more about what you posted in the 
Cfengine 3 Concept Guide, Section 7.3.3 Key exchange:


        7.3.3 Key exchange

The key exchange model used by cfengine is based on that used by 
OpenSSH. It is a peer to peer exchange model, not a central certificate 
authority model. This means that there are no scalability bottlenecks 
(at least by design, though you might introduce your own if you go for 
an overly centralized architecture).

The problem of key distribution is the conundrum of every public key 
infrastructure. Key exchange is handled automatically by cfengine and 
all you need to do is to decide which keys to trust.

When public keys are offered to a server, they could be accepted 
automatically on trust because no one is available to make a decision 
about them. This would lead to a race to be the first to submit a key 
claiming identity.

Even with DNS checks for correct name/IP address correlation (turned off 
with |skipverify|), it might be possible to submit a false key to a server.

The server |cf-serverd| blocks the acceptance of unknown keys by 
default. In order to accept such a new key, the IP address of the 
presumed client must be listed in the |trustkeysfrom| stanza. Once a key 
has been accepted, it will never be replaced with a new key, thus no 
more trust is offered or required.

Once you have arranged for the right to connect to the server, you must 
decide which hosts will have access to which files. This is done with 
|access| rules.

bundle server access_rules
{
  access:
    "/path/file"
      admit => { "127.0.0.1", "127.0.0.2", "127.0.0.3" },
      deny  => { "192.*" };
}


On the client side, i.e. |cf-runagent| and |cf-agent|, there are three 
issues:

   1. Choosing which server to connect to.
   2. Trusting the identity of any previously unknown servers, i.e.
      trusting the server's public key to be its and no one else's. (The
      issues here are the same as for the server.)
   3. Choosing whether data transfers should be encrypted (with |encrypt|).

Because there are two clients for connecting to |cf-serverd| (|cf-agent| 
and |cf-runagent|), there are also two ways of managing trust of server 
keys by a client. One is an automated option, setting the option 
|trustkey| in a |copy_from| stanza, e.g.

body copy_from example
{
  # .. other settings ..

  trustkey => "true";
}


Another way is to run |cf-runagent| in interactive mode. When you run 
|cf-runagent|, unknown server keys are offered to you interactively (as 
with |ssh|) for you to accept or deny manually:

      WARNING - You do not have a public key from host ubik.iu.hio.no = 128.39.74.25
              Do you want to accept one on trust? (yes/no)
      -->



On 12/23/10 4:56 PM, Nicolas Charles wrote:
> On 24/12/2010 01:45, Nick Anderson wrote:
>> That doesn't work, with a clean install.
>> #. Install cfengine via rpm
>> #. run cf-key
>> #. copy failsafe.cf to /var/cfengine/inputs
>> #. bootstrap with failsafe
>>
>> # cf-agent -BK -s 192.168.1.129
>>    !! Not authorized to trust the server=192.168.1.129's public key
>> (trustkey=false)
>>    !! Authentication dialogue with 192.168.1.129 failed
>>
>> So the issue here is the client does not have the servers key and cannot
>> trust the server.
>>
>> I cant quite reconcile in my head the key exchange, or the best way to
>> manage the key exchange.
> Hi Nick,
>
> The bootstrap itself is not sufficient on a community edition. You'll
> need to exchange the key by doing an interactive session with cf-runagent :
> # cf-runagent -i -H 192.168.1.129
>
> With this, you'll be able to accept 192.168.1.129's key on your computer
>
> Regards
>
> Nicolas CHARLES
> Normation SAS - http://www.normation.com
> 44 rue Cauchy – 94110 ARCUEIL
> +33 (0)1 83 62 26 96  - +33 (0)6 14 63 25 18
>
>
> _______________________________________________
> Help-cfengine mailing list
> [email protected]
> https://cfengine.org/mailman/listinfo/help-cfengine
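The failure Nick reports ("Not authorized to trust the server's public key (trustkey=false)") is the client-side half of the trust model the Concept Guide section above describes: the client has no stored key for 192.168.1.129 and is not permitted to accept one. Besides the interactive cf-runagent session Nicolas suggests, the guide names an automated route, trustkey in a copy_from body. The two policy fragments below are an added example, not code from the Concept Guide or from either poster, showing both halves of that non-interactive exchange: the server accepts an unknown client key only from the listed network (trustkeysfrom) and restricts file access with admit/deny, and the client's copy_from body accepts the server's key on first contact. The network 192.168.1.0/24, the server address 192.168.1.129, the denied host 192.168.1.250, the path /var/cfengine/masterfiles and the body and bundle names are assumptions for illustration.

```cfengine3
# Added example (not from the Concept Guide or the thread). Addresses,
# paths, body and bundle names are assumptions for illustration.

###########################################################################
# Fragment 1: server side, read by cf-serverd on 192.168.1.129
###########################################################################

body server control
{
  # Hosts allowed to open a connection to cf-serverd at all
  allowconnects    => { "127.0.0.1", "192.168.1.0/24" };
  allowallconnects => { "127.0.0.1", "192.168.1.0/24" };

  # Hosts whose previously unknown public key is accepted on trust.
  # This is the server-side half of the race described in 7.3.3:
  # keep it as narrow as possible and empty it once clients have enrolled.
  trustkeysfrom    => { "192.168.1.0/24" };
}

bundle server access_rules
{
  access:
    "/var/cfengine/masterfiles"
      admit => { "192.168.1.0/24" },
      deny  => { "192.168.1.250" };   # deny assumed to override admit
}

###########################################################################
# Fragment 2: client side, run by cf-agent on the enrolling host
###########################################################################

body common control
{
  bundlesequence => { "update" };
}

body copy_from bootstrap_cp(path, server)
{
  source  => "$(path)";
  servers => { "$(server)" };
  encrypt => "true";        # issue 3 in 7.3.3: encrypt the transfer
  compare => "digest";
  # Issue 2 in 7.3.3: accept the server's key on first contact. This is
  # the automated alternative to "cf-runagent -i -H <server>". Set it
  # back to "false" once the server's key is in the client's ppkeys.
  trustkey => "true";
}

body depth_search recurse(d)
{
  depth => "$(d)";
}

bundle agent update
{
  files:
    "/var/cfengine/inputs"
      copy_from    => bootstrap_cp("/var/cfengine/masterfiles", "192.168.1.129"),
      depth_search => recurse("inf");
}

# Operator sequence on the client:
#   cf-key                       # generate the client's key pair
#   cf-agent -K -f ./update.cf   # first run: each side stores the other's key
# Later runs work with trustkey => "false" and the server's
# trustkeysfrom list emptied.
```

Both trustkey => "true" and a populated trustkeysfrom accept whatever key arrives first, which is exactly the race the guide warns about, so confine them to the enrolment window and tighten them afterwards. Because an accepted key is never replaced, a host that is rebuilt with a fresh key pair will be refused by its peers until its old key file is removed from their ppkeys directory; that refusal is the correct behaviour, not a bug to work around by widening trust again.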