Well, from my point of view, you have to add the policy server's public key to ppkeys/ on clients and to accept on trust certain ranges of IP addresses reserved for clients. This way clients will trust the server according to the pre-loaded key, and the server will trust clients. The trick is, you'll need to purge clients' keys from the server's ppkeys/ directory to prevent authorization failures because of a key mess. The threat is, an attacker could try controlling clients using the trusted IP range, so you should avoid distribution of the trustkeysfrom configuration to clients.
2010/9/13 Max Arnold <lwa...@gmail.com>:
> Hello folks!
>
> Right now I'm evaluating different configuration management systems and
> Cfengine 3 seems to be self contained and light on resources. But there is
> one thing which can be a showstopper for me: client machines without fixed
> IP/DNS addresses.
>
> I skimmed briefly through the documentation and it seems that the server stores
> the client's public key using its IP address (or reverse DNS name?) in the filename.
> Now if my client machines are hidden behind NAT or connected via random
> wireless links, how is authentication supposed to work? I'm OK with a manual
> key exchange procedure, but I can neither control nor predict the IP/DNS
> address which will be assigned to a client machine when it connects to the Cfengine
> server.
>
> Can someone please clarify this?
>
> Thanks, Max
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@cfengine.org
> https://cfengine.org/mailman/listinfo/help-cfengine
>

--
SY, Seva Gluschenko.
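The split Seva describes, written out as an added example policy (not code from the thread or from CFEngine itself). Assumptions: the policy server is 10.0.0.5 and defines the class `policy_server` only on itself, roaming/NAT clients come from 10.20.0.0/16, and the hub's key has been pre-loaded on every client as `/var/cfengine/ppkeys/root-10.0.0.5.pub` (the IP-based key filename Max mentions). The server-side `trustkeysfrom` is guarded by the hub class so the same policy file can be shipped to clients without their `cf-serverd` ever auto-trusting keys from the client range.

```cfengine3
# Added example (hypothetical addresses); not part of the original thread.
body server control
{
  # Every host accepts TCP connections from the hub and the client range.
  allowconnects    => { "10.0.0.5", "10.20.0.0/16" };
  allowallconnects => { "10.0.0.5", "10.20.0.0/16" };
  maxconnections   => "100";

  policy_server::
    # Only the hub learns unseen keys, and only from the reserved client
    # range. Clients keep the default (trust nothing), so an attacker on
    # 10.20.0.0/16 cannot get a client's cf-serverd to accept their key.
    trustkeysfrom  => { "10.20.0.0/16" };
}

bundle server access_rules
{
access:
  policy_server::
    # Grant the client range read access to policy files on the hub only.
    "/var/cfengine/masterfiles"
      admit => { "10.20.0.0/16" };
}

bundle agent update_policy
{
files:
  # Clients pull policy from the hub whose key they already hold.
  "/var/cfengine/inputs"
    copy_from    => pinned_cp("/var/cfengine/masterfiles", "10.0.0.5"),
    depth_search => recurse("inf");
}

body copy_from pinned_cp(from, server)
{
  servers  => { "$(server)" };
  source   => "$(from)";
  compare  => "digest";
  encrypt  => "true";
  verify   => "true";
  # The hub key is pre-loaded, so never trust a key on first contact.
  trustkey => "false";
}

body depth_search recurse(d)
{
  depth => "$(d)";
}
```

Because the hub still files each client key under the client's current address, the stale `root-<ip>.pub` entries Seva mentions accumulate in the hub's ppkeys/ and should be purged for the dynamic range before a reused address produces an authorization failure.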