Chris St. Pierre wrote:
> No, I'm not dealing with Cfengine keys. I'm dealing with host public
> keys, e.g., /etc/ssh/ssh_known_keys. I'd like to aggregate and
> distribute those keys without maintaining a list of hosts.
This is a common example of a more general configuration management problem*: a single configuration element (/etc/ssh/ssh_known_hosts) depends on the state of an entire fabric. I don't know of an easy way to solve this problem generally with cfengine. I think that this inability is inherent in the cfengine architecture.

The only** network awareness cfagent has is the copy directive. This means that the client (cfagent) is the only part of the cfengine machinery that can effect a change in host configuration. Further, the functioning of an individual agent is largely independent from all other hosts in some absolute sense, and is free to trust or not trust any other potential peer as a source for policy. This is what cfengine literature means by the word autonomous. This manifests itself as the inability of your cfservd node (when acting as a client) to know which other nodes to copy keys from (unless you maintain a list out-of-band).

Stated another way, the trust relationship is one way, which simplifies any reasoning about security. Though this is above characterized as a problem, it should also be viewed as a security feature.

But back to practical problem solving. Here is another approach:

http://sial.org/howto/cfengine/examples/ssh-known-hosts/

I do something similar, though I do not use ssh-keyscan. I keep copies of all my ssh key pairs on a central host. If a new machine with a previously unused host name is built, its key pair needs to be copied to the central location. If a new machine is built using a host name that we already have a key for, the old key is copied to the new machine, so that end users do not notice any changes. The global ssh_known_hosts is then aggregated into a single file and distributed by cfengine.

* I think this problem might have been referred to as a "spanning tree" by Paul Anderson (of LCFG), though I can't find an example of that. In any case, the problem deserves a name so that we can talk about it without needing to bend over backwards in explanation linguistically.

** Not completely true. cfagent can define classes based on NIS netgroups and can query the DNS. I am probably forgetting other network operations as well.

Best,
Brendan

--
Senior System Administrator
The University of Chicago
Department of Computer Science
http://www.cs.uchicago.edu/people/brendan
http://praksys.blogspot.com/

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
http://cfengine.org/mailman/listinfo/help-cfengine
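The aggregation step Brendan describes (merging per-host public keys from a central store into one ssh_known_hosts file), as an added Python example that is not part of the original thread. The store layout (one list of .pub lines per host), the hostnames, aliases and key blobs are constructed placeholders; the check that the key type inside the blob matches the declared type catches a mislabelled or corrupted key before it is distributed.

```python
import base64
import struct


def wire_blob(key_type: str, *fields: bytes) -> str:
    """Encode an SSH public key blob (length-prefixed strings) as base64.
    Used only to construct sample keys; real ones come from the host store."""
    raw = b"".join(struct.pack(">I", len(f)) + f
                   for f in (key_type.encode(),) + fields)
    return base64.b64encode(raw).decode()


def parse_pubkey(line: str) -> tuple:
    """Validate one '<type> <base64> [comment]' line from ssh_host_*_key.pub.
    The type string at the start of the blob must match the declared type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not a public key line")
    key_type, b64 = parts[0], parts[1]
    raw = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n].decode() != key_type:
        raise ValueError(f"blob type does not match declared {key_type}")
    return key_type, b64


def aggregate_known_hosts(store: dict, aliases=None) -> tuple:
    """Merge per-host public keys into ssh_known_hosts lines.
    Returns (lines, errors): a bad key is reported per host, not dropped silently."""
    aliases = aliases or {}
    lines, errors, seen = [], {}, set()
    for host in sorted(store):
        names = ",".join([host] + aliases.get(host, []))
        for pub in store[host]:
            try:
                key_type, b64 = parse_pubkey(pub)
            except ValueError as exc:
                errors[host] = str(exc)
                continue
            entry = f"{names} {key_type} {b64}"   # comment field is dropped
            if entry not in seen:                 # same key stored twice: keep one
                seen.add(entry)
                lines.append(entry)
    return lines, errors


# Constructed sample store: placeholder blobs, not real host keys.
RSA = wire_blob("ssh-rsa", b"e", b"n")
SAMPLE_STORE = {
    "web1.example.org": [f"ssh-rsa {RSA} web1",
                         f"ssh-ed25519 {wire_blob('ssh-ed25519', b'pk')}",
                         f"ssh-rsa {RSA} copied-again"],
    "db1.example.org": [f"ssh-rsa {wire_blob('ssh-ed25519', b'pk')} wrong"],
}
```

Writing "\n".join(lines) to the file that cfengine distributes, and refusing to publish while errors is non-empty, gives the central host a single place to catch a bad key before every client trusts it.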