Could it be that "$(sys.cf_agent)" doesn't have the same value on the server and the client ? (just a wild guess)
Nicolas CHARLES
Normation SAS - http://www.normation.com
44 rue Cauchy – 94110 Arcueil, FRANCE
Standard +33 (0)1 83 62 26 96
Tél direct +33 (0)1 83 62 57 47

On 20/06/2011 09:22, no-re...@cfengine.com wrote:
> Forum: Cfengine Help
> Subject: Making cf-runagent work
> Author: sauer
> Link to topic: https://cfengine.com/forum/read.php?3,22525,22525#msg-22525
>
> So, I've given up on the manual. I'm not sure what I'm missing to make
> cf-runagent actually work. I have a test server running cf-serverd with the
> following config. I've run the config and the cf-serverd output through a sed filter
> (replacing hostnames/IP addresses) to keep the lawyers happy. I've done the
> key exchange, and that appears to work, but I'm clearly missing a critical
> component required to allow running the command. I don't know if I've messed
> up a regex or if I'm just completely missing the boat somewhere. I've tried
> removing the escapes on the IP addresses and using netmasks (/8 and /32, as
> relevant) to no avail. Here's the cf-runagent output, the server
> configuration, and the server output. Can someone who's made this work let
> me know what dumb mistake I'm making (and make a suggestion for helping the
> documentation)? :)
>
> cf-runagent - Open Source 3.0.4 and 3.1.5 behave the same
> cf-serverd - Open Source 3.1.5 from cfengine-provided RPM
>
> runagent:
>
> $ sudo cf-runagent -i -H testserver -n
> sf_cf3 !! Unspecified server refusal (see verbose server output)
>
>
> control configuration in promises.cf:
>
> body server control {
>   allowconnects => { @(access_rules.mynet) };
>   allowallconnects => { @(access_rules.mynet) };
>   trustkeysfrom => { @(access_rules.mynet) };
>
>   maxconnections => "1024";
>   hostnamekeys => "true";
>   logallconnections => "false";
>   logencryptedtransfers => "false";
>   serverfacility => "LOG_USER";
>
>   cfruncommand => "$(sys.cf_agent)";
>   allowusers => { "root", "user" };
> }
>
> # group server access rules together in a bundle
> bundle server access_rules()
> {
>   vars:
>     "mynet" slist => { escape("127.0.0.1"),
>                        escape("::1"),
>                        "1\..*",
>                        ".*\.domain\.org" };
>   access:
>     "$(sys.cf_agent)"
>       admit => { @(access_rules.mynet) },
>       maproot => { @(access_rules.mynet) };
>     "/opt/security/cfconf/"
>       admit => { @(access_rules.mynet) };
>   roles:
>     ".*" authorize => { "root", "user" };
> }
>
>
> Server output (I hit enter a couple of times before firing up cf-runagent):
>
> myprefix>
> myprefix> Summarize control promises
> myprefix> Granted access to paths :
> myprefix> Path: "/var/cfengine/bin/cf-agent" (encrypt=0)
> myprefix> Admit: .*\.domain\.org root=
> myprefix> .*\.domain\.org,
> myprefix> 1\..*,
> myprefix> \:\:1,
> myprefix> 127\.0\.0\.1,
> myprefix> Admit: 1\..* root=
> myprefix> .*\.domain\.org,
> myprefix> 1\..*,
> myprefix> \:\:1,
> myprefix> 127\.0\.0\.1,
> myprefix> Admit: \:\:1 root=
> myprefix> .*\.domain\.org,
> myprefix> 1\..*,
> myprefix> \:\:1,
> myprefix> 127\.0\.0\.1,
> myprefix> Admit: 127\.0\.0\.1 root=
> myprefix> .*\.domain\.org,
> myprefix> 1\..*,
> myprefix> \:\:1,
> myprefix> 127\.0\.0\.1,
> myprefix> Path: /opt/security/cfconf (encrypt=0)
> myprefix> Admit: .*\.domain\.org root=
> myprefix> Admit: 1\..* root=
> myprefix> Admit: \:\:1 root=
> myprefix> Admit: 127\.0\.0\.1 root=
> myprefix> Path: /opt/security/gathered_keys (encrypt=0)
> myprefix> Admit: .*\.domain\.org root=
> myprefix> Admit: 1\..* root=
> myprefix> Admit: \:\:1 root=
> myprefix> Admit: 127\.0\.0\.1 root=
> myprefix> Denied access to paths :
> myprefix> Path: "/var/cfengine/bin/cf-agent"
> myprefix> Path: /opt/security/cfconf
> myprefix> Path: /opt/security/gathered_keys
> myprefix> -> Host IPs allowed connection access :
> myprefix> .... IP: 127\.0\.0\.1
> myprefix> .... IP: \:\:1
> myprefix> .... IP: 1\..*
> myprefix> .... IP: .*\.domain\.org
> myprefix> Host IPs denied connection access :
> myprefix> Host IPs allowed multiple connection access :
> myprefix> .... IP: 127\.0\.0\.1
> myprefix> .... IP: \:\:1
> myprefix> .... IP: 1\..*
> myprefix> .... IP: .*\.domain\.org
> myprefix> Host IPs from whom we shall accept public keys on trust :
> myprefix> .... IP: 127\.0\.0\.1
> myprefix> .... IP: \:\:1
> myprefix> .... IP: 1\..*
> myprefix> .... IP: .*\.domain\.org
> myprefix> Users from whom we accept connections :
> myprefix> .... USERS: root
> myprefix> .... USERS: user
> myprefix> Host IPs from NAT which we don't verify :
> myprefix> Dynamical Host IPs (e.g. DHCP) whose bindings could vary over time :
> myprefix> Listening for connections ...
> myprefix> -> Writing last-seen observations
> myprefix> -> Keyring is empty
>
>
> myprefix> -> Accepting a connection
> myprefix> Accepting connection from "1.2.3.4"
> myprefix> New connection...(from 1.2.3.4:sd 4)
> myprefix> Spawning new thread...
> myprefix> Allowing 1.2.3.4 to connect without (re)checking ID
> myprefix> Non-verified Host ID is host.domain.org (Using skipverify)
> myprefix> Non-verified User ID seems to be root (Using skipverify)
> myprefix> -> Public key identity of host "1.2.3.4" is "MD5=7f21e6dfcc6fdcb970f4db7a2841705d"
> myprefix> -> Last saw 1.2.3.4 (-MD5=7f21e6dfcc6fdcb970f4db7a2841705d) first time now
> myprefix> -> Going to secondary storage for key
> myprefix> -> Going to secondary storage for key
> myprefix> A public key was already known from host.domain.org/1.2.3.4 - no trust required
> myprefix> Adding IP 1.2.3.4 to SkipVerify - no need to check this if we have a key
> myprefix> The public key identity was confirmed as r...@host.domain.org
> myprefix> -> Strong authentication of client host.domain.org/1.2.3.4 achieved
> myprefix> -> Receiving session key from client (size=256)...
> myprefix> User root granted connection privileges
> myprefix> Host host.domain.org denied access to /var/cfengine/bin/cf-agent
> myprefix> Server refusal due to denied access to requested object
> myprefix> From (host=host.domain.org,user=root,ip=1.2.3.4)
> myprefix> REFUSAL of request from connecting host: (EXEC )
> myprefix> -> Writing last-seen observations
> myprefix> -> Last saw -MD5=7f21e6dfcc6fdcb970f4db7a2841705d (alias 1.2.3.4) at Mon Jun 20 01:58:31 2011 (noexpiry 21.1<= 168.0)
>
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@cfengine.org
> https://cfengine.org/mailman/listinfo/help-cfengine
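The refusal quoted in the thread can be replayed offline against the server's own access dump. The Python below is an added example, not code from the thread or from CFEngine: it parses the "Granted access to paths" section that cf-serverd printed (the sample lines are taken from the post, trimmed to the Path and Admit entries, with the maproot lists after "root=" dropped) and then checks the EXEC request from host.domain.org/1.2.3.4 against it the way the server does, first by exact path equality, then by matching admit patterns against the client. It assumes, as CFEngine documents for its regular expressions in general, that admit patterns are anchored, and, as the mixed IP/hostname list in the posted config implies, that each pattern is tried against both the hostname and the IP. The functions parse_grants and check_request, and the extra client names and addresses in main(), are the example's own constructions.

```python
import re

# Excerpt of the cf-serverd verbose output quoted in the post above, trimmed to the
# "Path:" and "Admit:" lines this checker needs. "myprefix>" is the hostname the
# original poster replaced with sed; the maproot lists after "root=" are dropped.
SERVER_OUTPUT = r"""
myprefix> Granted access to paths :
myprefix> Path: "/var/cfengine/bin/cf-agent" (encrypt=0)
myprefix> Admit: .*\.domain\.org root=
myprefix> Admit: 1\..* root=
myprefix> Admit: \:\:1 root=
myprefix> Admit: 127\.0\.0\.1 root=
myprefix> Path: /opt/security/cfconf (encrypt=0)
myprefix> Admit: .*\.domain\.org root=
myprefix> Admit: 1\..* root=
myprefix> Admit: \:\:1 root=
myprefix> Admit: 127\.0\.0\.1 root=
myprefix> Denied access to paths :
myprefix> Path: "/var/cfengine/bin/cf-agent"
"""

PATH_RE = re.compile(r"^\S+> Path: (.+?) \(encrypt=\d\)$")
ADMIT_RE = re.compile(r"^\S+> Admit: (\S+) root=")


def parse_grants(output):
    """Map each granted path, exactly as cf-serverd prints it, to its admit patterns."""
    grants = {}
    current = None
    in_granted = False
    for line in output.splitlines():
        if "Granted access to paths" in line:
            in_granted = True
            continue
        if "Denied access to paths" in line:
            break
        if not in_granted:
            continue
        m = PATH_RE.match(line)
        if m:
            current = m.group(1)
            grants[current] = []
            continue
        m = ADMIT_RE.match(line)
        if m and current is not None:
            grants[current].append(m.group(1))
    return grants


def check_request(grants, path, host, ip):
    """Replay the two checks a request must pass: the requested object must equal a
    granted path byte for byte, and the client's hostname or IP must fully match one
    of that path's admit patterns (anchored regexes, as CFEngine treats all regexes).
    Returns (allowed, reason)."""
    if path not in grants:
        # The difference visible in the post: the granted path is printed with literal
        # double quotes, the denied object without them, so the two never compare equal.
        for granted in grants:
            if granted != path and granted.strip('"') == path:
                return False, "granted path %s carries literal quotes; request was for %s" % (granted, path)
        return False, "no grant for %s" % path
    for pattern in grants[path]:
        if re.fullmatch(pattern, host) or re.fullmatch(pattern, ip):
            return True, "admitted by pattern %s" % pattern
    return False, "%s/%s matches no admit pattern for %s" % (host, ip, path)


def main():
    grants = parse_grants(SERVER_OUTPUT)
    requests = [
        # The EXEC request from the post: refused.
        ("/var/cfengine/bin/cf-agent", "host.domain.org", "1.2.3.4"),
        # The same client asking for a path that was granted without quotes: admitted.
        ("/opt/security/cfconf", "host.domain.org", "1.2.3.4"),
        # A constructed client outside every pattern: refused.
        ("/opt/security/cfconf", "evil.example.net", "10.0.0.5"),
        # A constructed hostname beginning with "1." satisfies "1\..*" even though the
        # IP does not: admit patterns are tried against names as well as addresses.
        ("/opt/security/cfconf", "1.attacker.example", "203.0.113.9"),
    ]
    for path, host, ip in requests:
        allowed, reason = check_request(grants, path, host, ip)
        print("%-6s %s from %s/%s: %s" % ("ALLOW" if allowed else "REFUSE", path, host, ip, reason))


if __name__ == "__main__":
    main()
```

Two things the replay makes visible that are easy to miss in the raw dump. First, the grant for the cf-agent path is the only one printed with surrounding double quotes, and the object named in the refusal has none; a grant is only useful if its string is identical to what the client requests. Second, the server's own output labels the client's host ID as "Non-verified ... (Using skipverify)", so an admit pattern such as `.*\.domain\.org` or `1\..*` rests on a name the server did not check, and `1\..*` admits any hostname that happens to begin with "1." as well as any address in 1.0.0.0/8.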