Forum: CFEngine Help Subject: cf-serverd seems to be allowing connects from system w/new keys Author: dhubler Link to topic: https://cfengine.com/forum/read.php?3,26443,26443#msg-26443
My cf-serverd seems to be automatically accepting all ssl keys from machines, not just the first time. I have a running cf-serverd configured with the following config: http://pastebin.com/raw.php?i=QywmVgQX

I'm able to connect to the cf-serverd service fine when executing promises such as copying remote files. I was testing what happens when the keys are deleted and then regenerated on a remote machine, and the remote machines then attempt to connect to the cf-serverd process again. I was expecting cf-serverd to reject my requests, but to my surprise, cf-serverd happily allows them to connect and it accepts their newly generated keys.

Here's a listing of keys my cf-serverd server has accepted; notice a growing list of keys from the same IP address 10.93.47.55:

# cf-key -s
Direction IP Name Key
Incoming 127.0.0.1 localhost MD5=eb0b725b147d5ac56f2cd2995af71e47
Incoming 10.93.47.55 10.93.47.55 MD5=988a2cce37ebe5bc4d28a25aad7facdf
Incoming 10.92.241.96 one.3zuce.com MD5=7d8aa811820b4f99fe81c307867aeb6a
Outgoing 10.92.241.96 one.3zuce.com MD5=7d8aa811820b4f99fe81c307867aeb6a
Incoming 10.93.47.55 10.93.47.55 MD5=fe952484e0c1e7aee8215baf2e457b0e
Incoming 10.93.47.55 10.93.47.55 MD5=1624a45ff144cba04153ced1423b4edd

# ls -al
total 36
drwx------ 2 root root 4096 Jul 11 10:53 .
drwxr-xr-x 11 root root 4096 Jul 10 22:15 ..
-rw------- 1 root root 1743 Jul 10 14:36 localhost.priv
-rw------- 1 root root 426 Jul 10 14:36 localhost.pub
-rw------- 1 root root 426 Jul 11 10:53 root-MD5=1624a45ff144cba04153ced1423b4edd.pub
-rw------- 1 root root 426 Jul 10 16:00 root-MD5=7d8aa811820b4f99fe81c307867aeb6a.pub
-rw------- 1 root root 426 Jul 10 15:50 root-MD5=988a2cce37ebe5bc4d28a25aad7facdf.pub
-rw------- 1 root root 426 Jul 10 22:15 root-MD5=fe952484e0c1e7aee8215baf2e457b0e.pub
-rw------- 1 root root 426 Jul 10 14:44 sipx-MD5=eb0b725b147d5ac56f2cd2995af71e47.pub

Am I misreading the documentation?

"The server cf-serverd blocks the acceptance of unknown keys by default. In order to accept such a new key, the IP address of the presumed client must be listed in the trustkeysfrom stanza of a server bundle (these bundles can be placed in any file). ***Once a key has been accepted, it will never be replaced with a new key***, thus no more trust is offered or required."

Thanks for any clarification on this matter,

Douglas -- a happy cfengine user

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
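Added example (editor's code, not from the poster or from CFEngine): a small check that parses `cf-key -s` output and reports any client IP that has had more than one incoming key accepted, which is exactly the pattern visible in the listing above. The sample output is copied from the post; the `TRUSTKEYSFROM` list is a constructed assumption standing in for whatever the poster's real `trustkeysfrom` stanza contains, so an operator can see at a glance whether a host that keeps presenting new keys is still inside the range from which new keys are accepted.

```python
"""Flag hosts that have presented more than one accepted key to cf-serverd."""
import ipaddress
from collections import defaultdict

# Constructed sample input: the `cf-key -s` listing from the forum post.
CF_KEY_OUTPUT = """\
Direction IP Name Key
Incoming 127.0.0.1 localhost MD5=eb0b725b147d5ac56f2cd2995af71e47
Incoming 10.93.47.55 10.93.47.55 MD5=988a2cce37ebe5bc4d28a25aad7facdf
Incoming 10.92.241.96 one.3zuce.com MD5=7d8aa811820b4f99fe81c307867aeb6a
Outgoing 10.92.241.96 one.3zuce.com MD5=7d8aa811820b4f99fe81c307867aeb6a
Incoming 10.93.47.55 10.93.47.55 MD5=fe952484e0c1e7aee8215baf2e457b0e
Incoming 10.93.47.55 10.93.47.55 MD5=1624a45ff144cba04153ced1423b4edd
"""

# Assumption: a hypothetical trustkeysfrom list, NOT the poster's real config.
TRUSTKEYSFROM = ["127.0.0.1", "10.93.47.0/24"]


def parse_cf_key(text):
    """Return (direction, ip, name, key) tuples; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Direction":
            continue
        rows.append(tuple(parts))
    return rows


def keys_per_ip(rows, direction="Incoming"):
    """Map each IP to the set of distinct key hashes seen in one direction."""
    seen = defaultdict(set)
    for d, ip, _name, key in rows:
        if d == direction:
            seen[ip].add(key)
    return dict(seen)


def multi_key_hosts(rows):
    """IPs for which more than one distinct incoming key has been accepted."""
    return {ip: sorted(keys)
            for ip, keys in keys_per_ip(rows).items() if len(keys) > 1}


def in_trustkeysfrom(ip, entries=TRUSTKEYSFROM):
    """True if ip falls inside any address or CIDR in the trust list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def report(text=CF_KEY_OUTPUT):
    """List each multi-key host with its keys and whether it is still trusted."""
    rows = parse_cf_key(text)
    return [{"ip": ip, "keys": keys, "still_trusted": in_trustkeysfrom(ip)}
            for ip, keys in sorted(multi_key_hosts(rows).items())]


if __name__ == "__main__":
    for finding in report():
        print(f"{finding['ip']}: {len(finding['keys'])} accepted keys, "
              f"still in trustkeysfrom: {finding['still_trusted']}")
```

Run it against `cf-key -s | python3 check_keys.py`-style input by replacing `CF_KEY_OUTPUT` with `sys.stdin.read()`; on the sample it reports one host, 10.93.47.55, with three accepted keys. A host showing up here while still inside the trust list is the case to review: either the key regeneration was expected and the stale `root-MD5=...pub` files can be removed, or the trust range should be narrowed once the initial key exchange is done.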