Re: where is the best moment to populate the keys
From: Brian Youngstrom
Subject: Re: where is the best moment to populate the keys
Date: Thu, 30 May 2002 10:15:52 -0700
Buddy,
I'm still experimenting with cfengine v2.0.x, but I have come up with
something that may work for you.
I distribute cfengine via rpm (we're a Redhat shop). As part of the
install, I create a file 'bootstrap' that contains:
control:
    actionsequence = ( resolve netconfig copy )
    sysadm = ( my@email.addr )

resolve:
    1.2.3.4
    1.2.3.5

defaultroute:
    1_2_3::
        1.2.3.100
    1_2_4::
        1.2.4.100

copy:
    /master/cf/    dest=/var/cfengine/inputs/
                   trustkey=true
                   server=cfmaster
                   recurse=1
                   owner=root
                   group=wheel
                   mode=400
                   backup=false
                   purge=true
                   inform=false
I call this script during rpm install (in the %post) as 'cfagent -f
bootstrap' (after calling cfkey). This contacts the master server,
trusting the key this time only. The server stores the new host key,
the client stores the server key and copies the most recent cfengine
scripts, purging the bootstrap file.
I have each potential client listed in the cfenvd.conf TrustKeysFrom
directive.
One of my scripts is cf.update. This file is:
control:
    actionsequence = ( copy )
    access = ( root )
    sysadm = ( my@email.addr )

copy:
    /master/cf/    dest=/var/cfengine/inputs
                   server=cfmaster
                   recurse=1
                   owner=root
                   group=wheel
                   mode=400
                   type=mtime
                   backup=false
                   purge=true
                   inform=false
Very similar to bootstrap, but does not trust the server key. I call
this file by 'cfagent -f cf.update' before calling 'cfagent' to run the
body of my scripts. I have had problems with update.conf when there is
a syntax error in some other file. Seems that cfengine parses
update.conf and all other files before executing update.conf (at least
with v2.0.1).
So far, this scheme has worked well for me. Seems to avoid the implicit
trust while still providing the strong authentication that is desired.
-Brian
On Wed, May 29, 2002 at 06:23:22PM -0600, Lumpkin, Buddy wrote:
> Mark,
>
> How do you have cfengine generate and replicate keys? What would be a good
> (sane) practice that gets rid of the more manual burden of generating the
> keys manually?
>
> I am about to set up our jumpstart server so that it copies over the cfengine
> binaries and a startup script under /etc/rc2.d. I would like it to do
> everything necessary to get keys in place and be properly bootstrapped and
> ready to run from then on.
>
> My update.conf file makes sure that there is an entry in crontab that will
> run cfexecd so I'm covered there ...
>
> --Buddy
>
--
Brian Youngstrom
byoung@cs.washington.edu
University of Washington
Department of Computer Science & Engineering
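
As an added example (not Brian's code and not part of cfengine itself), here is a POSIX sh sketch of the rpm %post step he describes: generate the host key pair only if it does not exist, run the one-time trustkey=true bootstrap only if no server key has been learned yet, and then verify on disk that the trust relationship is actually in place so later runs never need trustkey again. It assumes cfengine 2's default layout (work directory /var/cfengine, host key pair ppkeys/localhost.priv and localhost.pub, learned server keys stored as ppkeys/root-<ip>.pub, policies in inputs/); the nameserver addresses, the sysadm address and the server name cfmaster are placeholders, and the defaultroute section from the mail is left out because it is site specific.

```shell
#!/bin/sh
# Added example: idempotent %post bootstrap with a post-check.
# Assumptions (not from the mail): cfengine 2 keeps the host key pair as
# $CF_HOME/ppkeys/localhost.priv|.pub, stores a learned server key as
# $CF_HOME/ppkeys/root-<server-ip>.pub, and reads policies from
# $CF_HOME/inputs. Override via environment for testing.
CF_HOME="${CF_HOME:-/var/cfengine}"
CFKEY="${CFKEY:-cfkey}"              # key-pair generator named in the mail
CFAGENT="${CFAGENT:-cfagent}"        # agent binary named in the mail
CF_SERVER="${CF_SERVER:-cfmaster}"   # placeholder server name

# True (0) when this host has not generated its own key pair yet.
host_key_missing() {
    [ ! -f "$CF_HOME/ppkeys/localhost.priv" ]
}

# True (0) when no server public key has been learned, i.e. the one-time
# trustkey=true exchange has not happened yet (or did not complete).
server_key_missing() {
    for k in "$CF_HOME"/ppkeys/root-*.pub; do
        [ -f "$k" ] && return 1
    done
    return 0
}

# Write the one-time bootstrap policy. trustkey=true appears ONLY here;
# the regular cf.update policy must not carry it. Addresses are placeholders.
write_bootstrap() {
    cat > "$1" <<EOF
control:
    actionsequence = ( resolve copy )
    sysadm = ( admin@example.invalid )

resolve:
    192.0.2.53
    192.0.2.54

copy:
    /master/cf/    dest=$CF_HOME/inputs/
                   trustkey=true
                   server=$CF_SERVER
                   recurse=1
                   owner=root
                   group=wheel
                   mode=400
                   backup=false
                   purge=true
                   inform=false
EOF
}

# Returns 0 when the server key is stored and the copy purged the bootstrap
# policy. A non-zero result means trustkey=true did not take effect; inspect
# it rather than re-running blindly, since a re-run trusts whatever answers.
verify_bootstrapped() {
    if server_key_missing; then
        echo "bootstrap: no server key in $CF_HOME/ppkeys" >&2
        return 1
    fi
    if [ -f "$CF_HOME/inputs/bootstrap" ]; then
        echo "bootstrap: trustkey=true policy still present in inputs" >&2
        return 2
    fi
    return 0
}

# Entry point for rpm %post: each step runs at most once per host.
bootstrap() {
    mkdir -p "$CF_HOME/inputs" "$CF_HOME/ppkeys"
    if host_key_missing; then
        "$CFKEY"
    fi
    if server_key_missing; then
        write_bootstrap "$CF_HOME/inputs/bootstrap"
        "$CFAGENT" -f bootstrap
    fi
    verify_bootstrapped
}

# Invoke as `sh bootstrap.sh run` from %post; sourcing it only defines functions.
if [ "${1:-}" = run ]; then
    bootstrap
fi
```

The checks are the point: after a successful first run the learned server key exists and the bootstrap policy has been purged by the copy, so `server_key_missing` is false and every later `cfagent -f cf.update` authenticates against the stored key. If `verify_bootstrapped` fails, the host is still in the trust-on-first-use window and should be looked at rather than bootstrapped again automatically.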