help-cfengine
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cfkey help

From: Mark . Burgess
Subject: Re: cfkey help
Date: Sun, 1 Dec 2002 21:31:20 +0100 (MET) 
On  1 Dec, Nate Campi wrote:
> On Sun, Dec 01, 2002 at 10:11:29AM +0100, Mark.Burgess@iu.hio.no wrote:
>> On 30 Nov, Nate Campi wrote:
>> > I don't like accepting cfengine keys on trust any more than I like
>> > accepting ssh host keys on trust - I'll do it if I have to but not if I
>> > can avoid it.
>> > 
>> > I've been able to avoid having to trust cfengine keys by generating the
>> > keys on a central host and disting it to the client and servers via SSH
>> > priv key authentication. The only problem is that my script has to move
>> > the host's real key out of place while the client's key is being
>> > generated. I wish I could tell cfkey to generate a different filename.
>> 
>> Nate, this could be added to cfkey I suppose, but I would recommend
>> a different strategy. Make sure that you understand what the trust
>> issue is really about. Cfengine is more paranoid than ssh on this,
>> but using ssh to distrbute cfengine keys sounds a bit like using
>> a Jeep instead of a van because you don't like cars.
> 
> I don't think this is true at all. I have strong authentication and
> integrity using my SSH distribution method. This is like using an
> armored car instead of carrying large wads of cash while walking alone
> on the street.

I am sorry, but you are completely fooled by hype.

> Wish SSH I have an in-place public-key trust, with cfengine I don't have
> this. I'm piggybacking cfengine key dist on an established trust
> mechanism that I have faith in. How is this bad?

Your ssh system might be in place now -- but how did it get there?
You had to play the trust game to begin with. Are you sure it is
still intact? Are you sure there were no races when you were setting
it up. These are all things that can go wrong with SSH that the SSH
folks don't talk about. Cfengine uses essentially the same trust
mechanism that SSH does -- neither one is better than the other.

> Oh well, the method I'm using works fine - I'll keep using it. I get
> around any forward/reverse DNS issues with automatic key trusts this way
> as well (though I only had trouble with that on my test network,
> production DNS *should* match ;).

Cfengine makes all of these trust issues "in your face" rather than
"under the rug". BY all means use the SSH mechanism, but it will just
be more work for you, and no better security.

M

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
reply via email to
[Prev in Thread] Current Thread [Next in Thread]