Re: key exchange doc

From: Mark Burgess
Subject: Re: key exchange doc
Date: Fri, 20 Sep 2002 23:56:33 +0200 (MET DST)
This is on the first page of the web site....
http://www.iu.hio.no/cfengine/confdir/checklist.html
M
On 20 Sep, David Douthitt wrote:
> On Fri, Sep 20, 2002 at 08:49:21AM -0700, Paul Heinlein wrote:
>
>> I'm having trouble finding documentation concerning how to bootstrap a
>> cfengine 2.x key infrastructure. To date, we've run cfengine/cfagent
>> against nfs-exported configs, but we'd like to move to a cfservd/cfrun
>> architecture.
>>
>> Is there an online doc that describes how to do the initial exchange
>> of public keys between hosts?
>
> To my knowledge, there isn't one. The general way I do it is to manually
> do it with scp:
>
> cfkey
> export PPKEYS=/var/cfengine/ppkeys
> scp there:$PPKEYS/localhost.pub $PPKEYS/root-99.99.99.99.pub
> scp $PPKEYS/localhost.pub there:$PPKEYS/root-11.11.11.11.pub
>
> You don't have to use PPKEYS, but it shortens lines in the example :-)
> This assumes that there is 99.99.99.99 and here is 11.11.11.11 ...
>
> You could use TrustKeysFrom to do this but I haven't tried it -
> automatically trusting an unknown host scares me...
>
> Then you should make sure that both the client and the master are in
> the cfrun.hosts file
>
> Then check the cfservd.conf file; it must have the following (in my
> experience, anyway):
>
> * The user listed in the key (<user>-<ip>.pub) - the one who is
> to be allowed to use cfrun, must have an entry in AllowUsers
>
> * AllowConnectionsFrom should have both the client and master
>
> * cfrunCommand MUST be a valid cfagent binary (or link to it)
>
> * The admit: section must contain an allowable directory for
> the client and master hosts. The cfagent binary should be
> in this directory
>
> When this is all done, then you should be able to do two things:
>
> 1. Use cfrun from the master to run cfagent on the client on
> demand
>
> 2. Use the remote copy feature on the client
>
> Maybe I should write a document :-)
>
>
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://mail.gnu.org/mailman/listinfo/help-cfengine
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272 Email: Mark.Burgess@iu.hio.no
Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
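As an added example (not code from this thread or from cfengine itself), the manual scp key exchange and the cfservd.conf checklist from David's post, written as POSIX shell functions. Taken from the post: keys live in $PPKEYS, cfkey creates this host's localhost.pub, and a peer's key is stored as <user>-<ip>.pub. Assumed beyond the post: a cfengine 2 .pub file is PEM text starting with "-----BEGIN RSA PUBLIC KEY-----", and cfservd.conf writes one "Name = ( values )" directive per line. The refuse-to-replace-a-changed-key rule and the grep-based config check are this example's own additions, in the spirit of David's reluctance to trust unknown hosts automatically.

```shell
#!/bin/sh
# Added example, not code from the original post.  Assumed from the page:
# keys live in $PPKEYS, cfkey writes this host's pair as localhost.priv and
# localhost.pub, and a peer's public key is stored as <user>-<ip>.pub.
# Assumed beyond the page: the .pub file is PEM ("-----BEGIN RSA PUBLIC KEY-----")
# and cfservd.conf uses one "Name = ( values )" directive per line.

PPKEYS=${PPKEYS:-/var/cfengine/ppkeys}

# File name cfengine 2 expects for a peer's public key.
ppkey_name() {
    printf '%s-%s.pub\n' "$1" "$2"
}

# Reject anything that is not a PEM RSA public key before trusting it
# (an scp error message or an empty file must never become a trusted key).
looks_like_pubkey() {
    head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN RSA PUBLIC KEY-----$'
}

# Install a fetched key as $dir/<user>-<ip>.pub.  An existing key for the
# same peer that differs is NOT replaced: either the peer was rebuilt or
# something is impersonating it, and a human should decide which.
install_peer_key() {
    src=$1 user=$2 ip=$3 dir=${4:-$PPKEYS}
    dst="$dir/$(ppkey_name "$user" "$ip")"
    looks_like_pubkey "$src" || { echo "not a PEM public key: $src" >&2; return 1; }
    if [ -f "$dst" ]; then
        cmp -s "$src" "$dst" && return 0        # already trusted, unchanged
        echo "key for $user@$ip changed, refusing to replace $dst" >&2
        return 2
    fi
    cp "$src" "$dst" && chmod 0644 "$dst"
}

# Two-way exchange with one peer over ssh, as in the scp recipe in the post:
# fetch the peer's localhost.pub, install it here, then push ours under the
# name the peer will look for.  Usage: exchange_keys PEER_IP MY_IP [USER]
exchange_keys() {
    peer_ip=$1 my_ip=$2 user=${3:-root}
    [ -f "$PPKEYS/localhost.pub" ] || cfkey || return 1
    tmp=$(mktemp) || return 1
    scp "$user@$peer_ip:$PPKEYS/localhost.pub" "$tmp" &&
        install_peer_key "$tmp" "$user" "$peer_ip"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return "$rc"
    scp "$PPKEYS/localhost.pub" \
        "$user@$peer_ip:$PPKEYS/$(ppkey_name "$user" "$my_ip")"
}

# True if control directive NAME in cfservd.conf CONF lists WORD.
# Usage: directive_has CONF NAME WORD
directive_has() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | grep -qwF -- "$3"
}

# Check cfservd.conf against the list in the post: the cfrun user is in
# AllowUsers, both hosts are in AllowConnectionsFrom, and cfrunCommand
# names an executable cfagent.  Prints each failure, returns non-zero on any.
check_cfservd_conf() {
    conf=$1 user=$2 master_ip=$3 client_ip=$4 rc=0
    directive_has "$conf" AllowUsers "$user" ||
        { echo "AllowUsers does not list $user" >&2; rc=1; }
    for ip in "$master_ip" "$client_ip"; do
        directive_has "$conf" AllowConnectionsFrom "$ip" ||
            { echo "AllowConnectionsFrom does not list $ip" >&2; rc=1; }
    done
    # pull the path out of: cfrunCommand = ( "/path/to/cfagent" )
    cmd=$(sed -n 's/^[[:space:]]*cfrunCommand[[:space:]]*=[[:space:]]*([[:space:]]*"\{0,1\}\([^" )]*\).*/\1/p' "$conf")
    if [ -z "$cmd" ] || [ ! -x "$cmd" ]; then
        echo "cfrunCommand '$cmd' is not an executable cfagent" >&2; rc=1
    fi
    return "$rc"
}
```

Source the file on the master and run `exchange_keys 99.99.99.99 11.11.11.11 root` (peer first, own address second, matching the post's example addresses), then `check_cfservd_conf /var/cfengine/cfservd.conf root 11.11.11.11 99.99.99.99` on each side. The config check only confirms that the control directives name the right user and hosts and that cfrunCommand is executable; it does not parse the admit: section, which still needs a manual look to confirm the cfagent directory is admitted to both hosts.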