Re: key exchange doc
From: David Douthitt
Subject: Re: key exchange doc
Date: Fri, 20 Sep 2002 16:30:52 -0500
User-agent: Mutt/1.4i
On Fri, Sep 20, 2002 at 08:49:21AM -0700, Paul Heinlein wrote:
> I'm having trouble finding documentation concerning how to bootstrap a
> cfengine 2.x key infrastructure. To date, we've run cfengine/cfagent
> against nfs-exported configs, but we'd like to move to a cfservd/cfrun
> architecture.
>
> Is there an online doc that describes how to do the initial exchange
> of public keys between hosts?
To my knowledge, there isn't one. The general way I do it is to manually
do it with scp:
cfkey
export PPKEYS=/var/cfengine/ppkeys
scp there:$PPKEYS/localhost.pub $PPKEYS/root-99.99.99.99.pub
scp $PPKEYS/localhost.pub there:$PPKEYS/root-11.11.11.11.pub
You don't have to use PPKEYS, but it shortens lines in the example :-)
This assumes that there is 99.99.99.99 and here is 11.11.11.11 ...
You could use TrustKeysFrom to do this but I haven't tried it -
automatically trusting an unknown host scares me...
Then you should make sure that both the client and the master are in
the cfrun.hosts file
Then check the cfservd.conf file; it must have the following (in my
experience, anyway):
* The user listed in the key (<user>-<ip>.pub) - the one who is to be allowed to use cfrun - must have an entry in AllowUsers
* AllowConnectionsFrom should have both the client and master
* cfrunCommand MUST be a valid cfagent binary (or link to it)
* The admit: section must contain an allowable directory for the client and master hosts. The cfagent binary should be in this directory
When this is all done, then you should be able to do two things:
1. Use cfrun from the master to run cfagent on the client on demand
2. Use the remote copy feature on the client
Maybe I should write a document :-)
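The exchange described above, as an added shell example that is not part of the original post: it follows the scp recipe, stores each peer's key under cfengine's <user>-<ip>.pub name, and then checks that the copied key is present and is not accidentally our own. The SCP and KEYUSER variables and the function names are assumptions, chosen so the copy step can be swapped out for a local dry run.

```shell
#!/bin/sh
# Added example (not from the original post): bidirectional cfengine 2.x
# public-key exchange between "here" and "there", following the scp recipe.
# SCP and KEYUSER are assumptions so the copy command can be substituted;
# the PPKEYS location and the <user>-<ip>.pub naming come from the post.
PPKEYS="${PPKEYS:-/var/cfengine/ppkeys}"
SCP="${SCP:-scp}"            # assumption: command used to copy key files
KEYUSER="${KEYUSER:-root}"   # user part of the <user>-<ip>.pub file name

# File name under which a peer's public key must be stored: <user>-<ip>.pub
ppkey_name() { printf '%s-%s.pub\n' "$1" "$2"; }

# Generate the local key pair only if none exists yet, so re-running the
# script cannot silently replace a key already distributed to peers.
ensure_local_key() {
    [ -s "$PPKEYS/localhost.pub" ] || cfkey
}

# exchange_keys HERE_IP THERE_HOST THERE_IP
# Pull there's public key into our ppkeys directory, push ours into theirs.
exchange_keys() {
    here_ip=$1 there_host=$2 there_ip=$3
    ensure_local_key || return 1
    $SCP "$there_host:$PPKEYS/localhost.pub" \
         "$PPKEYS/$(ppkey_name "$KEYUSER" "$there_ip")" || return 1
    $SCP "$PPKEYS/localhost.pub" \
         "$there_host:$PPKEYS/$(ppkey_name "$KEYUSER" "$here_ip")" || return 1
    verify_peer_key "$there_ip"
}

# Sanity checks after the copy: the peer key file must exist, be non-empty,
# and differ from our own public key (swapped scp arguments would leave our
# own key stored under the peer's name).
verify_peer_key() {
    f="$PPKEYS/$(ppkey_name "$KEYUSER" "$1")"
    [ -s "$f" ] || { echo "missing or empty peer key: $f" >&2; return 1; }
    if cmp -s "$f" "$PPKEYS/localhost.pub"; then
        echo "$f is identical to localhost.pub; exchange went wrong" >&2
        return 1
    fi
    return 0
}
```

Run it as `exchange_keys 11.11.11.11 there 99.99.99.99` on the host that has the 11.11.11.11 address; the AllowUsers, AllowConnectionsFrom and admit: entries in cfservd.conf still have to be set by hand as listed above.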