On Wed May 10, 2006 at 11:17:42 -0500, Brendan Strejcek wrote:
>Chris St. Pierre wrote:
>
>> No, I'm not dealing with Cfengine keys. I'm dealing with host public
>> keys, e.g., /etc/ssh/ssh_known_keys. I'd like to aggregate and
>> distribute those keys without maintaining a list of hosts.
>
>This is a common example of a more general configuration management
>problem*: a single configuration element (/etc/ssh/ssh_known_hosts)
>depends on the state of an entire fabric. I don't know of an easy way to
>solve this problem generally with cfengine.
>But back to practical problem solving. Here is another approach:
>
> http://sial.org/howto/cfengine/examples/ssh-known-hosts/

We didn't solve it either, but within our cfinputs, we keep the master
copy of known hosts which gets copied to the servers, and we have an
alert triggered by a shellcommand that warns that the contents of the
host dsa key and rsa key pub files are not in known hosts. That at least
lets us know that all cfengined hosts are up to date, though requires
one to manually paste the keys into the master copy. I'm not sure that
automating this is a good idea though.
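
One way to write the kind of check described in the reply above, as an added example that is not code from the thread or from anyone's cfinputs. The function names, the temporary paths and the key blobs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Compares key type + base64 blob only,
# so hashed host-name fields in known_hosts do not matter.

# key_in_known_hosts PUBFILE KNOWN_HOSTS -> 0 present, 1 absent, 2 unreadable
key_in_known_hosts() {
    [ -s "$1" ] && [ -r "$2" ] || return 2
    awk '
        NR == FNR { if (t == "" && NF >= 2) { t = $1; b = $2 }; next }  # .pub file
        /^[ \t]*(#|$)/ { next }               # comments and blank lines
        $1 == "@revoked" { next }             # a revoked key does not count
        { o = ($1 ~ /^@/) ? 1 : 0             # step over an @marker field
          if (t != "" && $(2 + o) == t && $(3 + o) == b) found = 1 }
        END { exit (found ? 0 : 1) }' "$1" "$2"
}

# missing_host_keys KNOWN_HOSTS PUBFILE... -> one ALERT line per absent key,
# returns 1 if any were printed. Key types the host lacks are skipped.
missing_host_keys() {
    kh=$1; shift; rc=0
    for pub in "$@"; do
        [ -e "$pub" ] || continue
        key_in_known_hosts "$pub" "$kh" || { echo "ALERT: $pub not in $kh"; rc=1; }
    done
    return "$rc"
}

# Constructed sample data: the blobs are placeholders, not real keys.
demo() {
    d=$(mktemp -d) || return 1
    echo 'ssh-rsa AAAAB3CONSTRUCTEDRSA root@web1' > "$d/ssh_host_rsa_key.pub"
    echo 'ssh-dss AAAAB3CONSTRUCTEDDSA root@web1' > "$d/ssh_host_dsa_key.pub"
    printf '%s\n' '# master copy' \
        'web1,192.0.2.10 ssh-rsa AAAAB3CONSTRUCTEDRSA' \
        'web2 ssh-dss AAAAB3OTHERHOSTDSA' > "$d/ssh_known_hosts"
    status=0
    missing_host_keys "$d/ssh_known_hosts" "$d"/ssh_host_*_key.pub || status=$?
    rm -rf "$d"
    return "$status"
}

demo || true   # prints the ALERT for the DSA key, which the master copy lacks
```

The check confirms only that the key material is present in the master copy; it does not verify which host name the entry is filed under, so the manual review step the reply describes still applies.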