Hi *,

My setup: one policy host, quite a few clients, each with two sets of disks. Each client can be booted from either set of disks. To make key management easier, I've put the IPs of those clients into both the DynamicAddresses and TrustKeysFrom variables in the policy host's cfservd.conf.

But it looks like the DynamicAddresses stanza is ignored: once I've connected from the first set of disks to the server (and made the key exchange), I cannot do cfrun when this client is booted from the second set of disks.

What is funny: cfagent from the client to the server works, cfrun from the server to the client does not:

    cfrun(0): .......... [ Hailing kajko.tb ] ..........
    cfrun:dywersant.tb: BAD: Host authentication failed. Did you forget the domain name or IP/DNS address registration (for ipv4 or ipv6)?
    cfrun:dywersant.tb: Key-authentication for dywersant.tb failed

At the same time, when I run cfagent from the client:

cfservd on the policy host, dywersant:

    cfservd: Accepting connection from 192.168.7.102
    cfservd: Allowing 192.168.7.102 to connect without (re)checking ID
    Non-verified Host ID is kajko.tb (Using skipverify)
    Non-verified User ID seems to be root (Using skipverify)
    Updating last-seen time for kajko.tb
    Loaded /var/lib/cfengine2/ppkeys/root-192.168.7.102.pub
    A public key was already known from kajko.tb/192.168.7.102 - no trust required
    Adding IP 192.168.7.102 to SkipVerify - no need to check this if we have a key
    cfservd: Strong authentication of client kajko.tb/192.168.7.102 achieved

(I'm not using SkipVerify at all, I don't know why I get those messages...)

cfagent on the client, kajko:

    Checking copy from 192.168.8.98:/var/lib/cfengine2/inputs/cfagent to /var/cfengine/inputs
    Connect to 192.168.8.98 = 192.168.8.98 on port cfengine
    Updating last-seen time for 192.168.8.98
    Loaded /var/cfengine/ppkeys/root-192.168.8.98.pub
    ...............................................................
    cfengine:: Strong authentication of server=192.168.8.98 connection confirmed

I've checked the md5sum of the keys:

client:

    9cb834fd1ab420ca6ee5f3cafaa4e37c localhost.pub
    ea3280ca28b5649f6697ae410338d65d root-192.168.8.98.pub

server:

    ea3280ca28b5649f6697ae410338d65d localhost.pub
    5d72e4fe78063de437ab66bf623e2316 root-192.168.7.102.pub

As you can see, the client pubkey on the server is different (from the other diskset), but why on earth is it not updated during the cfagent run?

Of course, when I delete the root-192.168.7.102.pub file from the server keys, it works, but that's a rather crude solution, as hosts can be rebooted (switching disksets) at various times.

I can also take care that both disksets have the same keys, but I'd like to know WHY the behaviour of cfservd is different from what is documented :(

Anyone?

Regards,
KT.
