No, I'm not dealing with Cfengine keys. I'm dealing with host public keys, e.g., /etc/ssh/ssh_known_keys. I'd like to aggregate and distribute those keys without maintaining a list of hosts.
Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Tue, 9 May 2006, Brendan Strejcek wrote:

> Chris St. Pierre wrote:
>
>> I'd like to set up a ruleset in cfengine so that, when I add a new
>> machine to the network (and to cfengine), its public key gets
>> automatically propagated through the other hosts.
>
> You are dealing with cfengine keys, right? When I am building a new
> machine, I make sure the policy host does not have a key for the new IP
> address, and allow cfservd to slurp up the new keys with TrustKeysFrom.
> It is not the most general solution, and there are some security
> considerations (there is a short window where an attacker could
> impersonate the newly unused IP address), but it works well for me.
>
> http://www.cfengine.org/docs/cfengine-Reference.html#TrustKeysFrom
>
>> I understand that I have to run cfservd on each host -- I already am
>> -- but I'm not sure what the ruleset would be. I can't seem to wrap
>> my mind around how to copy keys from each host to the policyhost (or
>> to the other machines on the network) without naming each machine
>> explicitly in cfservd.conf.
>
> If you want to go this route, the policy host would need to initiate the
> copy. Nothing is needed in the client cfservd.conf other than a line
> to permit access to the policy host. You will need to somehow maintain
> the list of clients to copy from, in the cfengine code that gets
> interpreted by the policy host. You might be able to use an iterated
> copy with a variable, but I have not tried that so I am not sure if it
> would work. Depending on how much you are interested in a hack solution,
> you could also do something like generating a list of clients out of
> the connection logs or the connection database that cfservd keeps. That
> probably requires some "out of band" infrastructure though.
>
> Best,
> Brendan
>
> --
> Senior System Administrator
> The University of Chicago
> Department of Computer Science
>
> http://www.cs.uchicago.edu/people/brendan
> http://praksys.blogspot.com/
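An added illustration of the policy-host-initiated aggregation discussed in this thread (example code, not from either message): it assumes the policy host has already copied each client's ssh_host_*_key.pub into a hypothetical /var/cfengine/hostkeys/<hostname>/ directory, merges them into one ssh_known_hosts, and refuses to silently replace a key that differs from the one already pinned for a host, which is the check that narrows the impersonation window Brendan mentions.

```python
"""Merge SSH host public keys collected by the policy host into one ssh_known_hosts;
a key that differs from the one already pinned for a host is reported, not replaced."""
import os
import re

# Constructed sample standing in for two clients' ssh_host_rsa_key.pub files;
# the key material is a placeholder, not a real key.
SAMPLE_COLLECTED = [
    ("alpha.example.edu", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7alpha root@alpha\n"),
    ("beta.example.edu", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7beta root@beta\n"),
]
KEY_LINE = re.compile(r"^(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/=]+)")

def load_collected(root):
    """Read <root>/<hostname>/ssh_host_*_key.pub (hypothetical policy-host copy layout)."""
    out = []
    for host in sorted(os.listdir(root)):
        for name in sorted(os.listdir(os.path.join(root, host))):
            if name.startswith("ssh_host_") and name.endswith(".pub"):
                with open(os.path.join(root, host, name)) as f:
                    out.append((host, f.read()))
    return out

def parse_pubkey(text):
    """Return (keytype, base64) for one *.pub line, or None if malformed."""
    m = KEY_LINE.match(text.strip())
    return (m.group(1), m.group(2)) if m else None

def parse_known_hosts(text):
    """Map (hostname, keytype) -> base64 from an existing ssh_known_hosts."""
    known = {}
    for line in text.splitlines():
        parts = line.split()
        if not line.startswith("#") and len(parts) >= 3:
            known[(parts[0], parts[1])] = parts[2]
    return known

def merge(existing_text, collected):
    """Return (new ssh_known_hosts text, hosts whose key changed and was NOT replaced)."""
    known, conflicts = parse_known_hosts(existing_text), []
    for host, pub in collected:
        parsed = parse_pubkey(pub)
        if parsed is None:
            continue  # never pin an unparsable file
        old = known.get((host, parsed[0]))
        if old is not None and old != parsed[1]:
            conflicts.append(host)  # keep the pinned key; a human must decide
        else:
            known[(host, parsed[0])] = parsed[1]
    lines = ["%s %s %s" % (h, t, b) for (h, t), b in sorted(known.items())]
    return "\n".join(lines) + "\n", conflicts
```

On the policy host, `merge(open("/etc/ssh/ssh_known_hosts").read(), load_collected("/var/cfengine/hostkeys"))` yields the file to distribute with an ordinary copy rule, and a non-empty conflict list is the signal to investigate a host rather than overwrite its pinned key.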