Forum: Cfengine Help
Subject: Re: Cfengine Help: Updating shadow encrypted fields
Author: sauer
Link to topic: https://cfengine.com/forum/read.php?3,22452,22498#msg-22498
Tokarski Boleslaw Wrote:
-------------------------------------------------------
> The thing is: on some setups (particularly ours) you just *have* to
> trust the client's ppkey. The number of added hosts is just too large to
> manually add the trusts on the server. Thus, you might have a machine
> that 'just' connected to the server and acquired the .cf file along with
> a hash.
This is far from impossible to resolve. In our case, a process runs "cf-key -f
newhost" in a directory when a new machine is scheduled to be built. An
automated process copies the public keys to the cf-serverd systems, renaming
them appropriately (root-hostname.pub). The cfengine installer script puts
both correct keys on the individual remote systems (renaming to
localhost.{pub,priv}, of course) before it runs for the first time. You
combine that with a fairly simple Dynamic DNS setup (if you don't want to
manage hostname allocation through the same "I need a new host, here's the
steps" process used to generate the keys), and your keys still map to a single
hostname.
I suppose if you're just randomly building machines without any planning, this
is a little more difficult - but if that's the case, there are bigger problems
to solve. I was at one point considering a process where the installer just
creates new keys and emails them to a procmail address which puts them in a
holding queue. Then an admin ultimately approves trusting the keys (to verify
that keys should have actually been regenerated) through a quick web-app that
basically does the last part of the above process. Then I realized that I
don't trust the scrutiny level of people doing the approval. The idea might
work for others, though. ;)
The point is that you never "have" to trust keys from clients.
_______________________________________________
Help-cfengine mailing list
https://cfengine.org/mailman/listinfo/help-cfengine
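The pre-provisioning workflow sauer describes (generate the pair with cf-key -f before the host is built, push the public half to cf-serverd as root-hostname.pub, ship both halves to the client as localhost.{pub,priv}), written out as an added example; this is not code from the post or from CFEngine. The staging and ppkeys directory locations are assumptions, and the refusal to overwrite a changed key without approval is the "verify that keys should actually have been regenerated" step from the post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-provision CFEngine host keys
# so cf-serverd never has to trust a key on first contact.
set -eu

STAGE_DIR="${STAGE_DIR:-/var/lib/cf-keystage}"         # assumed staging dir for new keys
SERVER_PPKEYS="${SERVER_PPKEYS:-/var/cfengine/ppkeys}"  # assumed cf-serverd trust dir

# Generate a key pair for a host scheduled to be built (cf-key -f as in the post).
generate_keypair() {
    host="$1"
    mkdir -p "$STAGE_DIR"
    (cd "$STAGE_DIR" && cf-key -f "$host")
}

# Install the public half under the server's naming scheme (root-<host>.pub).
# A key that differs from one already trusted for that host is not replaced
# unless a person explicitly approves it: silent replacement is exactly the
# trust-on-first-use behaviour this workflow exists to avoid.
stage_server_key() {
    host="$1"; ppkeys="${2:-$SERVER_PPKEYS}"; approve="${3:-no}"
    src="$STAGE_DIR/$host.pub"; dst="$ppkeys/root-$host.pub"
    [ -s "$src" ] || { echo "no staged public key for $host" >&2; return 2; }
    if [ -e "$dst" ] && ! cmp -s "$src" "$dst"; then
        [ "$approve" = yes ] || { echo "key for $host changed; approval required" >&2; return 3; }
    fi
    mkdir -p "$ppkeys"
    install -m 0644 "$src" "$dst"
}

# Build the client's copy: both halves renamed to localhost.{pub,priv},
# private half readable by its owner only.
stage_client_keys() {
    host="$1"; outdir="$2"
    mkdir -p "$outdir"
    install -m 0600 "$STAGE_DIR/$host.priv" "$outdir/localhost.priv"
    install -m 0644 "$STAGE_DIR/$host.pub"  "$outdir/localhost.pub"
}

# Check that what the server trusts is byte-for-byte what the client will present.
verify_pair() {
    host="$1"; ppkeys="$2"; clientdir="$3"
    cmp -s "$ppkeys/root-$host.pub" "$clientdir/localhost.pub"
}
```

Run generate_keypair on the build host, then stage_server_key on the cf-serverd side and stage_client_keys into the installer payload; verify_pair is the final check before the new machine is allowed to connect.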