help-cfengine

Re: Has Anyone Used Cfengine With Dynamic IP Addresses?


From: Alec H. Peterson
Subject: Re: Has Anyone Used Cfengine With Dynamic IP Addresses?
Date: Tue, 30 Sep 2003 16:10:03 -0600

I modified cfservd to search all stored keys with a specific suffix and attempt to match the key that the client presented. You lose source IP security, but the way I see it, it is far easier to spoof the IP than it is to break the public key encryption (assuming the machine hasn't been compromised, in which case all bets are off).

The tricky part is that you have to do the key exchange manually, but that only happens once. If there is general interest I'd be happy to share the changes I made.

Alec

--On Tuesday, September 30, 2003 5:01 PM -0500 Chip Seraphine <chip@trdlnk.com> wrote:

Using cfservd in the normal manner may be more difficult with dynamic
addresses, but I don't see why cfagent would care (unless you told it to).

Just kick off your cfagents via cron or ssh (or cfexecd?), and perhaps
do your file copies over NFS or via rsync shellcommands or something.
With a little creativity you can probably have a nicely-running cfengine
setup that generally ignores the cfengine-specific auth stuff.  It won't
be very boss, but it should basically work...

Obviously, this puts the onus of security on you, however :-)

Rasheda M Menzies wrote:

In the book, _Automating Unix and Linux Administration_, it says that,
"It is difficult, if not impossible, to use cfengine with dynamic
IP addresses".  Has anyone actually had success with Red Hat clients, i.e.
laptops, which go on/off network at any time and lose their IP
addresses?  If so, please let me know how this
is done in cfengine.


Thanks,
Rasheda
____________________________________________________
Rasheda M. Menzies
Software Engineer
IBM Watson Research Center
1101 Kitchawan Road, Route 134
Yorktown Heights, NY 10598
Tel: 914-945-2401, Tie: 862-2401
E-mail: rasheda@us.ibm.com


------------------------------------------------------------------------

_______________________________________________
Help-cfengine mailing list
Help-cfengine@gnu.org
http://mail.gnu.org/mailman/listinfo/help-cfengine
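
The lookup change described in the top message, sketched as an added example. This is not Alec's cfservd patch or cfengine code; the key file naming, the `.roaming.pub` suffix, and the in-memory store are assumptions made for illustration.

```python
import hashlib

# Hypothetical suffix marking keys that may connect from any address;
# the post does not say which suffix was used.
ROAMING_SUFFIX = ".roaming.pub"

def fingerprint(pubkey: bytes) -> str:
    """Digest used to compare a presented key with a stored one."""
    return hashlib.sha256(pubkey).hexdigest()

def lookup_by_ip(store: dict, user: str, peer_ip: str, presented: bytes) -> bool:
    """Address-bound lookup: the stored key is selected by the peer's IP
    (assumed file name: <user>-<ip>.pub), then compared."""
    stored = store.get(f"{user}-{peer_ip}.pub")
    return stored is not None and fingerprint(stored) == fingerprint(presented)

def lookup_by_suffix(store: dict, presented: bytes):
    """Key-bound lookup: scan every stored key carrying the roaming suffix
    and return the identity whose key matches, ignoring the source IP.
    Returns None for an unknown key or when one key is filed under two names.
    A match only selects the key; the server still has to verify that the
    peer holds the private half before trusting the connection."""
    want = fingerprint(presented)
    matches = [name[: -len(ROAMING_SUFFIX)]
               for name, key in sorted(store.items())
               if name.endswith(ROAMING_SUFFIX) and fingerprint(key) == want]
    return matches[0] if len(matches) == 1 else None

# Constructed sample store: file name -> public key bytes (placeholders,
# not real keys). Keys are exchanged by hand once, as the post notes.
STORE = {
    "root-192.0.2.10.pub": b"KEY-SERVER-A",
    "laptop-alice.roaming.pub": b"KEY-LAPTOP-ALICE",
    "laptop-bob.roaming.pub": b"KEY-LAPTOP-BOB",
}

if __name__ == "__main__":
    # The laptop arrives from a fresh DHCP lease: the IP lookup fails,
    # the suffix lookup identifies it by key alone.
    print(lookup_by_ip(STORE, "root", "198.51.100.7", b"KEY-LAPTOP-ALICE"))
    print(lookup_by_suffix(STORE, b"KEY-LAPTOP-ALICE"))
    # An address-bound key is not accepted through the roaming path.
    print(lookup_by_suffix(STORE, b"KEY-SERVER-A"))
```

Keeping the roaming keys under their own suffix means hosts with static addresses keep the address check, and only the machines that need it give up source IP binding.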



