On 3/18/11 8:41 AM, no-re...@cfengine.com wrote:
> Forum: Cfengine Help
> Subject: Old cfengine client, new localhost.priv localhost.pub keys (Nova)
> Author: debheller
> Link to topic: https://cfengine.com/forum/read.php?3,21210,21210#msg-21210
>
> We have bandwidth measurement test servers that are built from clones. These
> servers are not backed up (however, given the problem I'm about to describe,
> we'll be backing up /var/cfengine/ppkeys in the very near future).
>
> Recently we lost a disk on one of the servers, and a new clone disk was
> immediately put into service. Unfortunately, the cfengine private key
> (/var/cfengine/ppkeys/localhost.priv) was lost. So, we could not initiate a
> trust relationship with the policy server based upon the old key pairs.
>
> The easiest solution is to re-bootstrap the client to the policy server, which
> has been done. However, what would be the best way of removing the old
> public keys for the client from the policy and distribution servers?
I've seen this handled three ways:

1. Lenient security, ease of use
   Just auto-accept new keys for your hosts. You must trust your clients.

2. Extra work for admins
   A support script (rmkey $host) is developed which uses carefully crafted keys (locking down what/where) and sanity checks to enable admins to selectively/quickly purge keys from the desired cache. (E.g. look at domain of hostname, determine policyhost, ssh rm.)

3. Update OS builds
   Kickstart/jumpstart/net-install can be updated to preserve existing ppkeys contents, if they exist... else generate new.

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
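A sketch of the "rmkey $host" helper from option 2, written here as an added example rather than the poster's own script. It assumes the CFEngine 3 convention that the policy server caches a client's key as /var/cfengine/ppkeys/root-<ip>.pub, an assumed domain-to-policy-host table (example.com and lab.example.com), and SSH access as root to the policy host. The sanity checks reject hosts outside the administered domains and hostnames containing anything but letters, digits, dots and dashes, so a hostname can never smuggle extra shell into the remote command; DRY_RUN=1 (the default) prints the command instead of running it.

```shell
#!/bin/sh
# rmkey: purge a stale CFEngine client public key from the policy server's
# /var/cfengine/ppkeys cache. Added illustration: the domain table, the
# policy-host names and the root-<ip>.pub file naming are assumptions.
set -eu

PPKEYS_DIR=/var/cfengine/ppkeys
DRY_RUN=${DRY_RUN:-1}    # 1 = print the command only; set DRY_RUN=0 to execute

# Sanity check 1: only hosts in a domain we administer (assumed: example.com).
# Sanity check 2: only plain hostname characters, no leading dash/dot, no "..",
# so nothing shell-significant can reach the remote command line.
validate_host() {
    case "$1" in
        *.example.com) ;;
        *) echo "rmkey: refusing '$1' (not an administered domain)" >&2; return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9.-]*|-*|.*|*..*) echo "rmkey: malformed hostname '$1'" >&2; return 1 ;;
    esac
}

# Map the host's domain to the policy server holding its key cache (assumed table).
policyhost_for() {
    case "$1" in
        *.lab.example.com) echo policy-lab.example.com ;;
        *.example.com)     echo policy.example.com ;;
        *) return 1 ;;
    esac
}

# Server-side keys are named root-<ip>.pub; the caller supplies the client's old
# IPv4 address so this stays offline (no DNS lookup inside the script).
keyfile_for() {
    case "$1" in
        ''|*[!0-9.]*) echo "rmkey: '$1' is not an IPv4 address" >&2; return 1 ;;
    esac
    echo "$PPKEYS_DIR/root-$1.pub"
}

# Assemble the exact remote command as a string so it can be reviewed and logged.
build_rm_command() {
    host=$1; ip=$2
    validate_host "$host" || return 1
    ph=$(policyhost_for "$host") || return 1
    kf=$(keyfile_for "$ip") || return 1
    # rm -f keeps a repeated run idempotent; the path has a fixed prefix, so
    # the only caller-controlled part is the validated dotted-quad.
    echo "ssh -o BatchMode=yes root@$ph rm -f -- '$kf'"
}

# rmkey HOST IP: dry-run prints the command; otherwise log it and run it.
rmkey() {
    cmd=$(build_rm_command "$1" "$2") || return 1
    if [ "$DRY_RUN" = 1 ]; then
        echo "[dry-run] $cmd"
    else
        logger -t rmkey "purging key for $1 ($2): $cmd"
        eval "$cmd"
    fi
}

# usage: DRY_RUN=0 ./rmkey probe7.lab.example.com 10.1.2.3
if [ "${1:-}" ]; then
    rmkey "$1" "${2:?usage: rmkey HOST IP}"
fi
```

Run it once with the default dry run to eyeball the generated ssh command, then with DRY_RUN=0; the logger line leaves an audit trail of which admin purged which key, which is the part an auto-accept policy (option 1) gives up.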