Chris St. Pierre wrote:

> I'd like to set up a ruleset in cfengine so that, when I add a new
> machine to the network (and to cfengine), its public key gets
> automatically propagated through the other hosts.
You are dealing with cfengine keys, right?

When I am building a new machine, I make sure the policy host does not have a key for the new IP address, and allow cfservd to slurp up the new keys with TrustKeysFrom. It is not the most general solution, and there are some security considerations (there is a short window where an attacker could impersonate the newly unused IP address), but it works well for me.

http://www.cfengine.org/docs/cfengine-Reference.html#TrustKeysFrom

> I understand that I have to run cfservd on each host -- I already am
> -- but I'm not sure what the ruleset would be. I can't seem to wrap
> my mind around how to copy keys from each host to the policyhost (or
> to the other machines on the network) without naming each machine
> explicitly in cfservd.conf.

If you want to go this route, the policy host would need to initiate the copy. Nothing is needed in the client cfservd.conf other than a line to permit access to the policy host. You will need to somehow maintain the list of clients to copy from, in the cfengine code that gets interpreted by the policy host. You might be able to use an iterated copy with a variable, but I have not tried that so I am not sure if it would work.

Depending on how much you are interested in a hack solution, you could also do something like generating a list of clients out of the connection logs or the connection database that cfservd keeps. That probably requires some "out of band" infrastructure though.

Best,
Brendan

--
Senior System Administrator
The University of Chicago Department of Computer Science
http://www.cs.uchicago.edu/people/brendan
http://praksys.blogspot.com/

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
http://cfengine.org/mailman/listinfo/help-cfengine
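The policy-host-initiated key collection that Brendan sketches, written out as a cfengine 2 configuration. This is an added example, not code from the thread or from the cfengine project; the domain example.com, the host name policy.example.com, the 192.168.1.0/24 subnet and client addresses, and the staging directory /var/cfengine/masterkeys are all assumptions. It relies on cfengine 2's iteration over colon-separated list variables to avoid a separate copy stanza per client, and on the fact that cfservd stores a peer's key as root-<IP>.pub, which is why the client list is a list of IP addresses rather than names.

```cfengine
# --- On every client: cfservd.conf ---
# The client only has to let the policy host read its own public key.
control:

   domain = ( example.com )
   AllowConnectionsFrom = ( policy.example.com )
   AllowUsers = ( root )

admit:

   # Only the policy host may fetch this host's public key.
   /var/cfengine/ppkeys/localhost.pub   policy.example.com

# --- On the policy host: cfagent.conf ---
# "clients" is the list that has to be maintained by hand (or generated
# out of band). cfengine 2 runs the copy rule once per list element
# wherever the rule references $(clients); "split" is the separator.
control:

   domain = ( example.com )
   actionsequence = ( copy )
   split = ( : )
   clients = ( 192.168.1.11:192.168.1.12:192.168.1.13 )

copy:

   # Pull each client's localhost.pub into an assumed staging directory,
   # already named the way every other host's cfservd will look it up.
   /var/cfengine/ppkeys/localhost.pub
        dest=/var/cfengine/masterkeys/root-$(clients).pub
        server=$(clients)
        owner=root
        group=root
        mode=600
        type=checksum
        backup=false

# --- On the policy host: cfservd.conf ---
control:

   domain = ( example.com )
   AllowConnectionsFrom = ( 192.168.1.0/24 )
   # Trust-on-first-use, limited to the subnet new machines are built on.
   # While this line is active, whoever answers on a not-yet-assigned
   # address in that range can register a key as that address: this is
   # the window Brendan mentions, so keep the range tight and drop the
   # line once the build is done.
   TrustKeysFrom = ( 192.168.1.0/24 )
   AllowUsers = ( root )

admit:

   # Every host in the domain may fetch the collected public keys.
   /var/cfengine/masterkeys   *.example.com

# --- On every client: cfagent.conf ---
# Fetch the collected keys into the local key store. masterkeys holds only
# root-<IP>.pub files, so localhost.priv and localhost.pub are untouched.
control:

   domain = ( example.com )
   actionsequence = ( copy )

copy:

   /var/cfengine/masterkeys
        dest=/var/cfengine/ppkeys
        server=policy.example.com
        recurse=1
        owner=root
        group=root
        mode=600
        type=checksum
        backup=false
```

Two things to check before relying on this: the policy host can only copy from a client whose cfservd already trusts the policy host's key, so each client must have exchanged keys with the policy host (for instance on its first cfagent run) before it appears in the list; and after distribution, a key that was accepted through the TrustKeysFrom window should be compared against the client's actual localhost.pub over a channel you trust, since nothing in the copy itself proves who answered on that address.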