Forum: Cfengine Help Subject: Making cf-runagent work Author: sauer Link to topic: https://cfengine.com/forum/read.php?3,22525,22525#msg-22525
So, I've given up on the manual. I'm not sure what I'm missing to make cf-runagent actually work. I have a test server running cf-serverd with the following config. I've run the config and the cf-serverd output through a sed filter (replacing hostnames/IP addresses) to keep the lawyers happy. I've done the key exchange, and that appears to work, but I'm clearly missing a critical component required to allow running the command. I don't know if I've messed up a regex or if I'm just completely missing the boat somewhere. I've tried removing the escapes on the IP addresses and using netmasks (/8 and /32, as relevant) to no avail.

Here's the cf-runagent output, the server configuration, and the server output. Can someone who's made this work let me know what dumb mistake I'm making (and make a suggestion for helping the documentation)? :)

cf-runagent - Open Source 3.0.4 and 3.1.5 behave the same
cf-serverd - Open Source 3.1.5 from cfengine-provided RPM

runagent:

$ sudo cf-runagent -i -H testserver -n sf_cf3
 !! Unspecified server refusal (see verbose server output)

control configuration in promises.cf:

body server control
{
  allowconnects         => { @(access_rules.mynet) };
  allowallconnects      => { @(access_rules.mynet) };
  trustkeysfrom         => { @(access_rules.mynet) };
  maxconnections        => "1024";
  hostnamekeys          => "true";
  logallconnections     => "false";
  logencryptedtransfers => "false";
  serverfacility        => "LOG_USER";
  cfruncommand          => "$(sys.cf_agent)";
  allowusers            => { "root", "user" };
}

# group server access rules together in a bundle
bundle server access_rules()
{
  vars:
    "mynet" slist => { escape("127.0.0.1"), escape("::1"), "1\..*", ".*\.domain\.org" };

  access:
    "$(sys.cf_agent)"
      admit   => { @(access_rules.mynet) },
      maproot => { @(access_rules.mynet) };

    "/opt/security/cfconf/"
      admit => { @(access_rules.mynet) };

  roles:
    ".*" authorize => { "root", "user" };
}

Server output (I hit enter a couple of times before firing up cf-runagent):

myprefix>
myprefix>  Summarize control promises
myprefix> Granted access to paths :
myprefix> Path: "/var/cfengine/bin/cf-agent" (encrypt=0)
myprefix>   Admit: .*\.domain\.org root=
myprefix>     .*\.domain\.org,
myprefix>     1\..*,
myprefix>     \:\:1,
myprefix>     127\.0\.0\.1,
myprefix>   Admit: 1\..* root=
myprefix>     .*\.domain\.org,
myprefix>     1\..*,
myprefix>     \:\:1,
myprefix>     127\.0\.0\.1,
myprefix>   Admit: \:\:1 root=
myprefix>     .*\.domain\.org,
myprefix>     1\..*,
myprefix>     \:\:1,
myprefix>     127\.0\.0\.1,
myprefix>   Admit: 127\.0\.0\.1 root=
myprefix>     .*\.domain\.org,
myprefix>     1\..*,
myprefix>     \:\:1,
myprefix>     127\.0\.0\.1,
myprefix> Path: /opt/security/cfconf (encrypt=0)
myprefix>   Admit: .*\.domain\.org root=
myprefix>   Admit: 1\..* root=
myprefix>   Admit: \:\:1 root=
myprefix>   Admit: 127\.0\.0\.1 root=
myprefix> Path: /opt/security/gathered_keys (encrypt=0)
myprefix>   Admit: .*\.domain\.org root=
myprefix>   Admit: 1\..* root=
myprefix>   Admit: \:\:1 root=
myprefix>   Admit: 127\.0\.0\.1 root=
myprefix> Denied access to paths :
myprefix> Path: "/var/cfengine/bin/cf-agent"
myprefix> Path: /opt/security/cfconf
myprefix> Path: /opt/security/gathered_keys
myprefix>  -> Host IPs allowed connection access :
myprefix>  .... IP: 127\.0\.0\.1
myprefix>  .... IP: \:\:1
myprefix>  .... IP: 1\..*
myprefix>  .... IP: .*\.domain\.org
myprefix> Host IPs denied connection access :
myprefix> Host IPs allowed multiple connection access :
myprefix>  .... IP: 127\.0\.0\.1
myprefix>  .... IP: \:\:1
myprefix>  .... IP: 1\..*
myprefix>  .... IP: .*\.domain\.org
myprefix> Host IPs from whom we shall accept public keys on trust :
myprefix>  .... IP: 127\.0\.0\.1
myprefix>  .... IP: \:\:1
myprefix>  .... IP: 1\..*
myprefix>  .... IP: .*\.domain\.org
myprefix> Users from whom we accept connections :
myprefix>  .... USERS: root
myprefix>  .... USERS: user
myprefix> Host IPs from NAT which we don't verify :
myprefix> Dynamical Host IPs (e.g. DHCP) whose bindings could vary over time :
myprefix> Listening for connections ...
myprefix>  -> Writing last-seen observations
myprefix>  -> Keyring is empty
myprefix>  -> Accepting a connection
myprefix> Accepting connection from "1.2.3.4"
myprefix> New connection...(from 1.2.3.4:sd 4)
myprefix> Spawning new thread...
myprefix> Allowing 1.2.3.4 to connect without (re)checking ID
myprefix> Non-verified Host ID is host.domain.org (Using skipverify)
myprefix> Non-verified User ID seems to be root (Using skipverify)
myprefix>  -> Public key identity of host "1.2.3.4" is "MD5=7f21e6dfcc6fdcb970f4db7a2841705d"
myprefix>  -> Last saw 1.2.3.4 (-MD5=7f21e6dfcc6fdcb970f4db7a2841705d) first time now
myprefix>  -> Going to secondary storage for key
myprefix>  -> Going to secondary storage for key
myprefix> A public key was already known from host.domain.org/1.2.3.4 - no trust required
myprefix> Adding IP 1.2.3.4 to SkipVerify - no need to check this if we have a key
myprefix> The public key identity was confirmed as r...@host.domain.org
myprefix>  -> Strong authentication of client host.domain.org/1.2.3.4 achieved
myprefix>  -> Receiving session key from client (size=256)...
myprefix> User root granted connection privileges
myprefix> Host host.domain.org denied access to /var/cfengine/bin/cf-agent
myprefix> Server refusal due to denied access to requested object
myprefix> From (host=host.domain.org,user=root,ip=1.2.3.4)
myprefix> REFUSAL of request from connecting host: (EXEC )
myprefix>  -> Writing last-seen observations
myprefix>  -> Last saw -MD5=7f21e6dfcc6fdcb970f4db7a2841705d (alias 1.2.3.4) at Mon Jun 20 01:58:31 2011 (noexpiry 21.1 <= 168.0)

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
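The poster wonders whether the admit regexes are at fault. The following check, added here and not part of the original post or of CFEngine, takes the admit patterns exactly as cf-serverd printed them above, matches them the way CFEngine 3 does (every regex is anchored, so a pattern must cover the whole hostname or IP), and pulls the refused path and client identity out of the quoted server log to show whether the regexes actually cover that client. The function and variable names are my own.

```python
import re

# Admit patterns as cf-serverd printed them in the post's verbose output
# (escape() already turned "." and ":" into "\." and "\:").
ADMIT_PATTERNS = [
    r"127\.0\.0\.1",
    r"\:\:1",
    r"1\..*",
    r".*\.domain\.org",
]

# "Host <host> denied access to <path>" and the "From (...)" summary line.
REFUSAL_RE = re.compile(r"Host (\S+) denied access to (\S+)")
ORIGIN_RE = re.compile(r"From \(host=([^,]+),user=([^,]+),ip=([^)]+)\)")


def admit_matches(identity, patterns=ADMIT_PATTERNS):
    """Return the admit patterns that accept a hostname or IP.

    CFEngine 3 anchors regexes, so re.fullmatch is the faithful test;
    re.search would wrongly accept e.g. "x1.2.3.4" for 1\..*."""
    return [p for p in patterns if re.fullmatch(p, identity)]


def parse_refusal(log_text):
    """Extract the denied path and client identity from a cf-serverd log."""
    refusal = REFUSAL_RE.search(log_text)
    origin = ORIGIN_RE.search(log_text)
    if not refusal or not origin:
        return None
    return {"path": refusal.group(2), "host": origin.group(1),
            "user": origin.group(2), "ip": origin.group(3)}


def diagnose(log_text, patterns=ADMIT_PATTERNS):
    """Report whether the refused client is covered by the admit list at all."""
    info = parse_refusal(log_text)
    if info is None:
        return None
    info["host_matched_by"] = admit_matches(info["host"], patterns)
    info["ip_matched_by"] = admit_matches(info["ip"], patterns)
    info["regex_covers_client"] = bool(info["host_matched_by"] or info["ip_matched_by"])
    return info


# Log lines copied from the server output quoted in the post.
SAMPLE_LOG = """\
myprefix> User root granted connection privileges
myprefix> Host host.domain.org denied access to /var/cfengine/bin/cf-agent
myprefix> Server refusal due to denied access to requested object
myprefix> From (host=host.domain.org,user=root,ip=1.2.3.4)
"""
```

For the quoted log, `diagnose(SAMPLE_LOG)` reports that both `host.domain.org` and `1.2.3.4` are matched by an admit pattern, which points away from the regexes and toward how the server resolves access for the `cfruncommand` path.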