Forum: Cfengine Help
Subject: Re: Trustkeys not being shared
Author: mwlarsen
Link to topic: https://cfengine.com/forum/read.php?3,17676,17724#msg-17724

neilhwatson Wrote:
-------------------------------------------------------
> Key exchange is not meant to be too easy, otherwise
> the security model is in jeopardy. When do I give
> the client the server's key? The same time I
> install the client. I keep my client binaries in
> a central location. I have a script that builds a
> tar ball to be extracted on the client. That tar
> ball includes the server's public key.
>
> This is a one-time setup for each client.
> Thereafter Cfengine will update its own binaries.

Ok, this question will surely demonstrate my complete failure to understand...the server doesn't have the client keys? Shouldn't the server have all the client keys, and all the clients the server key? Isn't this supposed to be a two-way communication?

I was under the impression, based on what little I could glean from the docs, that when you installed a client, you "allowed" a two-way key exchange via running cf-runagent -i from both server and client (and were prompted to trust the machine offering the key (or not)), or set up allowconnects, allowallconnects and trustkeysfrom in the promises.cf on both sides - server and client.

Is that not the case? Are you saying you actually use a non-cfengine facility to exchange the keys?

Thanks in advance.