Re: cfservd 2.0.2, IP ranges and TrustKeysFrom
From: Mark . Burgess
Subject: Re: cfservd 2.0.2, IP ranges and TrustKeysFrom
Date: Wed, 12 Jun 2002 13:36:50 +0200 (MET DST)

Should work. Try running cfservd -d2 and looking at the debugging
output to see why it's not working.
Mark
On 12 Jun, Juha Ylitalo wrote:
> cfservd: cfengine 2.0.2 on FreeBSD 4.5-RELEASE-p5
> cfagent: cfengine 2.0.2 on Solaris 8
>
> Summary:
> I haven't yet looked into the code, but on quick experimentation it looks as if
> TrustKeysFrom in cfservd.conf doesn't support IP ranges.
>
> Description:
> I have the following two lines in my cfservd.conf on the cfservd host:
> TrustKeysFrom = ( 10.21.165.2 10.21.165.5-6 10.21.165.8 10.21.165.11 )
> DynamicAddresses = ( 10.21.165.2 10.21.165.5-6 10.21.165.8
> 10.21.165.11 )
>
> Whenever my JumpStarted Solaris box at 10.21.165.5 tried to contact
> cfservd, authentication failed. This problem disappeared as soon as I
> split TrustKeysFrom so that 10.21.165.5 and 10.21.165.6 were listed as
> separate IPs in the list.
>
> In case someone wonders why the Solaris box is in DynamicAddresses, the
> explanation is simply that those boxes are used for testing certain
> applications and as such boxes are reinstalled on a regular basis. With
> the DynamicAddresses and TrustKeysFrom combination, we can avoid the step
> where we would have to go and delete the old public key from the cfservd host.
> The other option would have been to distribute keys during JumpStart, but
> that wouldn't be any more secure than this solution.
>
> P.S. Yes, I know, my IPs are scattered in a pretty awkward way, but I am
> trusting that time will take care of it as all new machines get IPs from
> a separate IP range.
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272 Email: address@hidden
Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~