First off, Cfengine 3.1.0 due for October will have new functionality for recognizing hosts. It uses the hash of the other party's public key rather than the IP/DNS-address. Thus a host will be recognised even when changing IP/DNS addresses.
Secondly, the well known key distribution/trust issue is not possible to solve automatically without some external trusted channel. This is not a limitation of Cfengine. Thus, you ideally should exchange keys manually over some secure channel. What Cfengine allows is to assume trust from IP/DNS ranges, which is OK sometimes in practice, but you can do it any way you want. Public key certificates does not seem like a good solution since we require two-way trust and thus must sign the keys of all hosts (how is this simpler than manually copying the keys?). And it's extremely painful to manage (revocation, expiry, etc.). In short, this is not an easy issue, and the more "user-friendly" you make it, the less secure it becomes, as usual. Cfengine chooses the secure route. -- Regards, Eystein On 09/13/2010 04:49 PM, Max Arnold wrote: > On Mon, Sep 13, 2010 at 05:58:51PM +0400, Seva Gluschenko wrote: >> Well, from my point of view, you have to add policy server's public >> key to ppkeys/ on clients and to accept on trust certain ranges of IP >> addresses reserved for clients. This way clients will trust the server >> according to the pre-loaded key, and server will trust clients. The >> trick is, you'll need to purge clients's keys from server's ppkeys/ >> directory to prevent authorization failures because of keys mess. The >> threat is, an attacker could try controlling clients using the trusted >> IP range, so you should avoid distribution of trustkeysfrom >> configuration to clients. > > This is sad... Tracking random ISP address pools is a painful and > error-prone task. I want either unique client id/password or signed > SSL certificate with my own CA in order to authenticate clients and > control their access to policy server without relying on IP/DNS data. > > Anyway, thank you for clarification. > _______________________________________________ > Help-cfengine mailing list > Help-cfengine@cfengine.org > https://cfengine.org/mailman/listinfo/help-cfengine _______________________________________________ Help-cfengine mailing list Help-cfengine@cfengine.org https://cfengine.org/mailman/listinfo/help-cfengine
