
Re: problems with trust


From: david . nelson
Subject: Re: problems with trust
Date: Mon, 19 Sep 2005 15:31:34 -0500


Hi Bill,

I run 'cfservd' on all systems - this allows me to do remote 'cfrun' commands.  So, I have a single cfservd.conf that I distribute out to _all_ systems.  In cfservd.conf, I basically have:

control:

  any::

    LogAllConnections = ( true )
    domain = ( mydomain.com )
    cfrunCommand = ( /var/cfengine/bin/cfagent )
    ChecksumDatabase = ( /var/cfengine/checksum-server.db )
    IfElapsed = ( 10 )
    AllowUsers = ( root )
    SyslogFacility = ( LOG_LOCAL3 )

  any.!cfserver_mydomain_com::  # Clients should only accept and trust a connection from the FQDN CFserver

    MaxConnections = ( 10 )
    AllowConnectionsFrom = ( 10.0.7.165 ) # CFserver IP
    TrustKeysFrom = ( 10.0.7.165 ) # CFserver IP

  cfserver_mydomain_com:: # The CFserver should accept and trust any clients but only from our subnets

    AllowConnectionsFrom = ( 10.0.0.0/16 192.168.0.0/16 ) # Our local subnets
    AllowMultipleConnectionsFrom = ( 10.0.0.0/16 192.168.0.0/16 ) # Our local subnets

admit:

  any::

    $(cfrunCommand) *.mydomain.com

  cfserver_mydomain_com::

    /var/cfengine/master_inputs *.mydomain.com
    /var/cfengine/master_modules *.mydomain.com
    /var/cfengine/master_scripts *.mydomain.com



I also make it a habit to restart 'cfservd' just to be sure, although cfservd is supposed to detect cfservd.conf updates and re-read the config file.



Now, I personally use a bootstrap CF file and also define a 'TrustKeysFrom' entry - so I imagine that you'd put the following line in 'update.conf':

TrustKeysFrom = ( 10.0.7.165 ) # Clients should only trust the CFserver

Regards,
         /\/elson



Bill Gunter <bgunter@arcsystems.com>
Sent by: help-cfengine-bounces+david.nelson=ni.com@gnu.org
09/19/2005 02:42 PM

To: help-cfengine@gnu.org
cc:
Subject: Re: problems with trust




Sorry to re-post, but I'm afraid this has gotten lost in the din. I
really need to get this resolved, so any help would be greatly
appreciated.

bg

On Mon, 2005-09-12 at 12:51 -0500, Bill Gunter wrote:
> The clients and server are on the same network, 66.162.222.0/24. Here's
> the TrustKeys. The stuff on the 208.10.199.0/24 net works fine.
>
> TrustKeysFrom = (
>             208.10.199.0/24
>             66.162.222.0/24
>             216.54.235.0/24
>             192.168.199.0/24
> )
>
> On Mon, 2005-09-12 at 01:29 -0500, Tim Nelson wrote:
> > On Fri, 9 Sep 2005, Bill Gunter wrote:
> >
> > > I'm having trouble using trust to exchange keys. I got it working for
> > > one server, but it's not working for another. I get this message on the
> > > client while running 'cfagent -v'
> > >
> > > "cfengine:viper: BAD: key could not be accepted on trust"
> > >
> > > And similarly on the server from cfservd
> > >
> > > "No previous key found, and unable to accept this one on trust"
> > >
> > > I'm getting this when cfagent is parsing the update.conf file. cfservd
> > > contains the correct TrustKeysFrom entries and update.conf has this:
> >
> >         Are the server and client on different sides of a NAT?
> >         What's your TrustKeysFrom line?
> >
> >         :)
> >
> > --  
> > Kind Regards,
> >  
> > Tim Nelson
> > Server Administrator
> >  
> > P: 03 9934 0888
> > F: 03 9934 0899
> > E: tim.nelson@webalive.biz
> > W: www.webalive.biz
> >  
> > WebAlive Technologies
> > Level 1, Innovation Building
> > Digital Harbour
> > 1010 La Trobe Street
> > Docklands Melbourne VIC 3008
> >
>
>


_______________________________________________
Help-cfengine mailing list
Help-cfengine@gnu.org
http://lists.gnu.org/mailman/listinfo/help-cfengine
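To make the trust logic behind David's cfservd.conf and Bill's "unable to accept this one on trust" error concrete, here is a small Python model of the decision cfservd makes per connection. It is an added illustration written for this archive page, not CFEngine's own code: it parses `AllowConnectionsFrom` / `TrustKeysFrom` lines in the `name = ( values )` form used above, and applies the semantics the thread relies on (a connection must fall inside AllowConnectionsFrom; a key is accepted on first contact only if the peer's address is inside TrustKeysFrom, after which the stored key must match on every later connection). The function names, the sample control blocks, and the in-memory `known_keys` dictionary standing in for the key store are all constructed assumptions. Because the decision is taken on the source address the server actually sees, a NAT between client and server changes the outcome, which is why Tim's NAT question matters.

```python
"""Model of cfservd's connect/trust decision (added illustration, not CFEngine code)."""
import ipaddress
import re

# Constructed samples, laid out like the control section quoted in the thread.
# Trailing "# comments" after the closing parenthesis are ignored by the parser.
CLIENT_CONTROL = """
    AllowConnectionsFrom = ( 10.0.7.165 )   # CFserver IP (constructed sample)
    TrustKeysFrom = ( 10.0.7.165 )          # CFserver IP (constructed sample)
"""

SERVER_CONTROL = """
    AllowConnectionsFrom = ( 10.0.0.0/16 192.168.0.0/16 )
    TrustKeysFrom = (
                10.0.0.0/16
    )
"""

# name = ( value value ... ) ; the value list may span several lines,
# as in Bill's multi-line TrustKeysFrom.
LINE = re.compile(r"^\s*(\w+)\s*=\s*\(\s*([^)]*)\)", re.M)


def parse_control(text):
    """Return {variable: [ip_network, ...]} for address-list variables in a control section."""
    out = {}
    for m in LINE.finditer(text):
        name, values = m.group(1), m.group(2).split()
        # A bare address such as 10.0.7.165 becomes a /32 network.
        out[name] = [ipaddress.ip_network(v, strict=False) for v in values]
    return out


def in_any(addr, nets):
    """True if addr (string) falls inside any of the parsed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def decide(control, peer_ip, known_keys, presented_key):
    """
    Decide whether a peer may connect and whether its key is accepted.

    control:        dict from parse_control()
    peer_ip:        the source address the server observes (post-NAT, if any)
    known_keys:     dict peer_ip -> public key already on file (the key-store stand-in);
                    updated in place when a key is accepted on trust
    presented_key:  the key offered by the peer in this connection
    Returns (accepted, reason).
    """
    if not in_any(peer_ip, control.get("AllowConnectionsFrom", [])):
        return False, "connection refused: not in AllowConnectionsFrom"

    stored = known_keys.get(peer_ip)
    if stored is not None:
        # Once a key is on file, TrustKeysFrom no longer matters: the key must match.
        if stored == presented_key:
            return True, "key matches stored key"
        return False, "key mismatch for a previously trusted peer"

    if in_any(peer_ip, control.get("TrustKeysFrom", [])):
        known_keys[peer_ip] = presented_key  # first contact: accept on trust and store
        return True, "no previous key; accepted on trust and stored"

    # The condition behind the cfservd message quoted in the thread.
    return False, "No previous key found, and unable to accept this one on trust"


if __name__ == "__main__":
    ctl = parse_control(SERVER_CONTROL)
    keys = {}
    for peer, key in [("10.0.3.4", "KEY-A"),      # first contact inside TrustKeysFrom
                      ("10.0.3.4", "KEY-A"),      # same peer again: stored key matches
                      ("192.168.1.5", "KEY-C"),   # allowed to connect, but not trusted
                      ("172.16.0.1", "KEY-D")]:   # outside AllowConnectionsFrom
        print(peer, decide(ctl, peer, keys, key))
```

Run as-is to see the four decisions; the third case is the shape of Bill's failure: the peer is allowed to connect, no key is on file, and the observed source address is not inside TrustKeysFrom.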