Forum: CFEngine Help
Subject: Re: cf-serverd seems to be allowing connects from system w/new keys
Author: dhubler
Link to topic: https://cfengine.com/forum/read.php?3,26443,26446#msg-26446

Here's my ACL

    body server control
    {
      skipverify => { ".*" };
      allowconnects => { @(sipx.allowed_addrs) };
      allowallconnects => { @(sipx.allowed_addrs) };
      maxconnections => "5";
      trustkeysfrom => { @(sipx.allowed_addrs) };
      logallconnections => "true";
      cfruncommand => "/usr/sbin/cf-agent -Kvf /usr/share/sipxecs/cfinputs/promises.cf";
      allowusers => { @(sipx.allowed_users) };
    }

And if I remove "trustkeysfrom" then remote connections are adequately rejected; however, they are then rejected even on the very first attempts to connect:

    cf3> Allowing 10.93.47.55 to connect without (re)checking ID
    cf3> Non-verified Host ID is two.3zuce.com (Using skipverify)
    cf3> Non-verified User ID seems to be root (Using skipverify)
    cf3> -> Public key identity of host "10.93.47.55" is "MD5=717b796f5b0613151be3dd0b16c6c040"
    cf3> -> Did not find new key format /var/cfengine/ppkeys/root-MD5=717b796f5b0613151be3dd0b16c6c040.pub
    cf3> -> Trying old style /var/cfengine/ppkeys/root-10.93.47.55.pub
    cf3> No previous key found, and unable to accept this one on trust

I was under the assumption there was a way to automatically accept keys once. It's possible I do not know how to properly remove a key from a server; I simply delete the public half from the server.
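
The verbose output in the post names the two key files the server looked for before refusing the connection. As an added example (not part of the original post and not CFEngine tooling), this Python sketch extracts those paths from the log lines, which are copied from the post, and reports which of them still exist on the server; the function names are hypothetical.

```python
import re
from pathlib import Path

# Verbose cf-serverd output copied from the post above.
SAMPLE_LOG = '''\
cf3> Allowing 10.93.47.55 to connect without (re)checking ID
cf3> Non-verified Host ID is two.3zuce.com (Using skipverify)
cf3> Non-verified User ID seems to be root (Using skipverify)
cf3> -> Public key identity of host "10.93.47.55" is "MD5=717b796f5b0613151be3dd0b16c6c040"
cf3> -> Did not find new key format /var/cfengine/ppkeys/root-MD5=717b796f5b0613151be3dd0b16c6c040.pub
cf3> -> Trying old style /var/cfengine/ppkeys/root-10.93.47.55.pub
cf3> No previous key found, and unable to accept this one on trust
'''

IDENTITY = re.compile(r'Public key identity of host "([^"]+)" is "([^"]+)"')
KEY_PATH = re.compile(r'(?:Did not find new key format|Trying old style)\s+(\S+\.pub)')
REJECTED = "unable to accept this one on trust"


def summarize(log):
    """Collect what the server reports for one connection attempt."""
    result = {"host": None, "digest": None, "skipverify": False,
              "key_paths": [], "rejected": False}
    for line in log.splitlines():
        m = IDENTITY.search(line)
        if m:
            result["host"], result["digest"] = m.groups()
        m = KEY_PATH.search(line)
        if m:
            # Both the digest-named and the address-named file are consulted.
            result["key_paths"].append(m.group(1))
        if "Using skipverify" in line:
            result["skipverify"] = True
        if REJECTED in line:
            result["rejected"] = True
    return result


def keys_still_present(summary, exists=lambda p: Path(p).is_file()):
    """Return the looked-up key files that exist on this server."""
    return [p for p in summary["key_paths"] if exists(p)]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    print("still on disk:", keys_still_present(s))
```

An empty result from `keys_still_present` on the server confirms that neither the digest-named nor the address-named public key file for that host remains in the key directory.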