Someone raised a couple of good questions in a private email to me, so I
thought I'd go ahead and send my response to the whole list. I didn't know if
they'd want me to forward their response to the list, so I've omitted their
response, just to be safe. :) My apologies if you prefer attribution; feel free
to reply to this if that is the case.
First, I verified my trustkeysfrom and @(def.acl) settings were correct. As for
the second point, my remote_copy_with_backup body already has trust enabled.
    # copy_from body: fetch from $(hostname), compare by digest, keep a backup,
    # and accept the server's public key on first contact (trustkey).
    body copy_from remote_copy_with_backup(filename, hostname) {
      source      => "$(filename)";
      servers     => { "$(hostname)" };
      compare     => "digest";
      copy_backup => "true";
      trustkey    => "true";
    }
As for my goal, I had shortened my original email to make it easier to
understand, but the response made me realize that I took out an important point.
My goal is to have all systems trust lum so that they can retrieve the sudoers
file, though some systems don't need to fetch that sudoers file. However, I do
have an edit_line bundle (promiser is "$(root_homedir)/.ssh/authorized_keys")
that defines a variable by calling remotescalar(), which is a function specific
to Cfengine Nova and does not include a key exchange mechanism.
    # third argument "yes" requests an encrypted transfer from $(host)
    "remote_user_public_key" string => remotescalar(
        "$(user)_public_ssh_key_access", "$(host)", "yes"
    );
When $(host) is lum (which is the only way I'm calling this bundle right now),
it's not trusted by clients that don't retrieve sudoers and thus those systems
couldn't get lum's public ssh key. I had no other way of ensuring all systems
could successfully use the remotescalar call to get lum's public SSH key.
Justin
This electronic communication and any attachments may contain confidential and
proprietary information of DigitalGlobe, Inc. If you are not the intended
recipient, or an agent or employee responsible for delivering this communication
to the intended recipient, or if you have received this communication in error,
please do not print, copy, retransmit, disseminate or otherwise use the
information. Please indicate to the sender that you have received this
communication in error, and delete the copy you received. DigitalGlobe reserves
the right to monitor any electronic communication sent or received by its
employees, agents or representatives.
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine
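The situation Justin describes above is that remotescalar() only works once the client already holds the server's public key, and the only promise that establishes that key is the sudoers copy that not every host makes. The policy below is an added example written for this thread, not Justin's policy and not CFEngine's own library code. It splits the problem into two pieces: a tiny probe file that every client copies from lum (the copy, with trustkey, performs the key exchange once), and a remotescalar() call that only runs afterwards and only edits authorized_keys when the variable was actually returned. The server side narrows what is served and to whom, and requires the key literal to travel encrypted. The hostname lum.example.com, the 10.0.0.0/8 and 10.0.1.0/24 ranges, the user name "deploy", the probe and sudoers paths, and the placeholder key string are all assumptions.

```cfengine
# Added example for this thread (not from the original post or CFEngine's stdlib).
# Hostnames, subnets, paths, user name and the key literal are assumptions.

body common control {
  # Trust is established first, so the remotescalar() call in the second
  # bundle finds lum's key already in ppkeys.
  bundlesequence => { "trust_lum", "fetch_lum_key" };
}

# Same shape as the body in the post. trustkey => "true" is trust-on-first-use:
# whatever key lum presents at first contact is accepted, so keep the servers
# list to lum alone and do not reuse this body for arbitrary hosts.
body copy_from remote_copy_with_backup(filename, hostname) {
  source      => "$(filename)";
  servers     => { "$(hostname)" };
  compare     => "digest";
  copy_backup => "true";
  trustkey    => "true";
}

bundle agent trust_lum {
  vars:
    "lum" string => "lum.example.com";   # assumed hostname

  files:
    # Copying a trivial probe file is enough to exchange keys with lum.
    # Hosts that never fetch sudoers still end up trusting lum this way.
    "/var/cfengine/state/lum_trust_probe"
      copy_from => remote_copy_with_backup("/var/cfengine/masterfiles/trust_probe", "$(lum)");
}

bundle edit_line append_key(key) {
  insert_lines:
    "$(key)";   # insert_lines is idempotent: the line is added only if absent
}

body perms mog(m, o, g) {
  mode   => "$(m)";
  owners => { "$(o)" };
  groups => { "$(g)" };
}

bundle agent fetch_lum_key {
  vars:
    "lum"  string => "lum.example.com";
    "user" string => "deploy";           # assumed account name
    # "yes" asks for an encrypted transfer; that needs lum's key trusted.
    "remote_user_public_key"
      string => remotescalar("$(user)_public_ssh_key_access", "$(lum)", "yes");

  classes:
    # A failed remotescalar() leaves the variable undefined; only edit the
    # file when a value really came back from lum.
    "have_lum_key" expression => isvariable("remote_user_public_key");

  files:
    "/root/.ssh/authorized_keys"
      ifvarclass => "have_lum_key",
      create     => "true",
      perms      => mog("600", "root", "root"),
      edit_line  => append_key("$(remote_user_public_key)");
}

# ---- cf-serverd policy on lum ----
body server control {
  allowconnects    => { "10.0.0.0/8" };   # assumed client range
  allowallconnects => { "10.0.0.0/8" };
  # Only accept unknown client keys from the management range. After the
  # fleet has been enrolled this list can be emptied so no new key is
  # trusted automatically.
  trustkeysfrom    => { "10.0.0.0/8" };
  allowusers       => { "root" };
}

bundle server access_rules {
  access:
    # Probe file used purely for the key exchange: served to every client.
    "/var/cfengine/masterfiles/trust_probe"
      admit => { "10.0.0.0/8" };

    # sudoers only to the subnet that actually needs it.
    "/var/cfengine/masterfiles/sudoers"
      admit => { "10.0.1.0/24" };

    # The literal that remotescalar("deploy_public_ssh_key_access", ...) fetches.
    # The handle must match the id the client asks for. ifencrypted refuses
    # unencrypted requests for it.
    "ssh-rsa AAAAB3...PLACEHOLDER_PUBLIC_KEY... deploy@lum"
      handle        => "deploy_public_ssh_key_access",
      resource_type => "literal",
      ifencrypted   => "true",
      admit         => { "10.0.0.0/8" };
}
```

Two points worth keeping in mind with this layout. First, trustkey on the client and trustkeysfrom on the server both accept a key the first time it is seen, so the first copy of the probe file is the moment an impostor could be accepted; pre-seeding the ppkeys directories out of band avoids that window entirely, and narrowing trustkeysfrom after enrollment limits it. Second, the access promise for the key literal carries the same admit list as the probe file, which is what lets the hosts that never fetch sudoers still complete the remotescalar() call that the original post could not get to work.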