On 12/24/2010 05:04 AM, no-re...@cfengine.com wrote:
> Forum: Cfengine Help
> Subject: Re: Cfengine Help: How to configure a client machine to contact the
> policy server and downloads updates?
> Author: phnakarin
> Link to topic: https://cfengine.com/forum/read.php?3,19909,19947#msg-19947
>
> It would be nice if you could have 2 versions of failsafe.cf.
>
> (1) A tmp failsafe.cf which has trustkey -> "true"; in the copy_from
> body, and it should only be run one time to bootstrap to the policy-hub on
> fresh installation machines.
> (2) A proper working robust lifetime failsafe.cf on the policy-hub (trustkey
> -> "false";) which would replace the first one when the clients fetch the
> latest policy from the hub.
>
> Once you have a new machine with cfengine installed, then just put the tmp
> failsafe.cf somewhere (I would prefer /var/cfengine/inputs) and run it
> once. The keys would be exchanged automatically and the machine would fetch
> the policy from the hub nicely. If you have copy_backup => "true"; on, the
> tmp one would appear as failsafe.cf.cfsaved. If not, the contents of the
> file should be identical to the one on the policy-hub.
Right, and there is nothing wrong with doing it that way. I was trying to figure out what the minimum I needed to have was. I think I have found the minimum needed is a failsafe.cf with trustkey => true. If you don't want that automatic trust you are going to need a policy.cf file so that cf-runagent can run interactively, or you will have to maintain two separate failsafe.cf files.

I thought about it quite a bit and I have decided defaulting trust in both directions makes sense. It presents little more risk than the first time I connect to any server with ssh. On an initial connection with ssh it prompts you to save the fingerprint so that a mismatch can be detected in the future. I have rarely typed no for an initial connection; yes is my default response. Subsequent connections receiving mismatches are a different story. So I suppose it makes sense to just trust on initial connection; it will error if there is ever a mismatch.

That brings up the question: how can I instruct SSH to automatically save a host fingerprint on initial connection?

--
Nick Anderson <n...@cmdln.org>

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
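The two-file scheme phnakarin describes and the trustkey => true minimum Nick settles on, written out as an added CFEngine 3 example (not code posted by either of them). It assumes the hub is reachable as the placeholder hostname policyhub.example.com and that masterfiles live under /var/cfengine/masterfiles; the bootstrap body trusts the hub's key on first contact only, while the steady-state body that replaces it leaves trustkey at "false", so a changed hub key is refused rather than silently accepted.

```cfengine
# Added example, not from the thread. Hostname and paths are placeholders.
body common control
{
  bundlesequence => { "update" };
}

bundle agent update
{
  vars:
    # Placeholder hub name; replace with the real policy hub.
    "hub" string => "policyhub.example.com";

  files:
    # On a fresh machine, use bootstrap_copy; once the hub has pushed
    # its own failsafe.cf this line will read steady_copy instead.
    "/var/cfengine/inputs"
      copy_from => bootstrap_copy("/var/cfengine/masterfiles", "$(hub)"),
      depth_search => recurse("inf"),
      perms => m("600"),
      comment => "Fetch the current policy from the hub";
}

# (1) One-time bootstrap: accept the hub's key on first contact.
#     With copy_backup => "true" the old failsafe.cf is kept as
#     failsafe.cf.cfsaved, as phnakarin notes.
body copy_from bootstrap_copy(from, server)
{
  source      => "$(from)";
  servers     => { "$(server)" };
  compare     => "digest";
  trustkey    => "true";
  copy_backup => "true";
}

# (2) Steady state, shipped from the hub: trustkey => "false" means a
#     hub whose key no longer matches the stored one is refused, the
#     same "mismatch is an error" behaviour Nick compares to ssh.
body copy_from steady_copy(from, server)
{
  source      => "$(from)";
  servers     => { "$(server)" };
  compare     => "digest";
  trustkey    => "false";
  copy_backup => "true";
}

# Helper bodies assumed here; both exist in the standard library.
body depth_search recurse(d)
{
  depth => "$(d)";
}

body perms m(mode)
{
  mode => "$(mode)";
}
```

Server-side trust is a separate setting in cf-serverd's access rules; this file only governs which hub key the client will accept.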