Re: cfkey help
From: Mark . Burgess
Subject: Re: cfkey help
Date: Sun, 1 Dec 2002 10:11:29 +0100 (MET)
On 30 Nov, Nate Campi wrote:
> I don't like accepting cfengine keys on trust any more than I like
> accepting ssh host keys on trust - I'll do it if I have to but not if I
> can avoid it.
>
> I've been able to avoid having to trust cfengine keys by generating the
> keys on a central host and disting it to the client and servers via SSH
> priv key authentication. The only problem is that my script has to move
> the host's real key out of place while the client's key is being
> generated. I wish I could tell cfkey to generate a different filename.
>
> CFINPUTS doesn't affect this. Is there any way to do what I want without
> hacking at cfkey's source?
Nate, this could be added to cfkey I suppose, but I would recommend
a different strategy. Make sure that you understand what the trust
issue is really about. Cfengine is more paranoid than ssh on this,
but using ssh to distribute cfengine keys sounds a bit like using
a Jeep instead of a van because you don't like cars.
Take a look at this help file from the FAQ:
http://www.cfengine.org/confdir/keys.html
I would recommend managing a time window for the key exchanges.
M
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272 Email: Mark.Burgess@iu.hio.no
Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~