[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DynamicAddresses not working?

From: Jakub Turski
Subject: DynamicAddresses not working?
Date: Tue, 6 Dec 2005 12:21:19 +0100
User-agent: Mutt/1.5.11

Hi *,

 My setup: one policy host, quite a few clients, each with two sets of disks.
 Each client can be boot from either set of disks. To make key management
 easier, I've put the IPs of those clients to both DynamicAddresses and
 TrustKeysFrom variables in policyhost's cfservd.conf. But it looks like the
 DynamicAddresses stanza is ignored: once I've connected from the first set of
 disks to the server (and made the  key exchange), I cannot do cfrun when this
 client is booted from the second set of disks. What is funny: cfagent from the
 client to server works, cfrun from server to client does not:

cfrun(0):         .......... [ Hailing kajko.tb ] ..........
cfrun:dywersant.tb: BAD: Host authentication failed. Did you forget the domain 
name or IP/DNS address registration (for ipv4 or ipv6)?
cfrun:dywersant.tb: Key-authentication for dywersant.tb failed
 In the same time, when I run cfagent from the client:

cfservd on the policy host, dywersant:

cfservd: Accepting connection from
cfservd: Allowing to connect without (re)checking ID
Non-verified Host ID is kajko.tb (Using skipverify)
Non-verified User ID seems to be root (Using skipverify)
Updating last-seen time for kajko.tb
Loaded /var/lib/cfengine2/ppkeys/
A public key was already known from kajko.tb/ - no trust required
Adding IP to SkipVerify - no need to check this if we have a key
cfservd: Strong authentication of client kajko.tb/ achieved

 (I'm not using SkipVerify at all, I don't know why I get those messages...)

cfagent on the client, kajko:

Checking copy from to 
Connect to = on port cfengine
Updating last-seen time for
Loaded /var/cfengine/ppkeys/

cfengine:: Strong authentication of server= connection confirmed

 I've checked the md5sum of the keys:



 As you can see, the client pubkey on the server is different (from the other
diskset), but why on earth it's not updated during cfagent run? Of course, when
I delete the file from the server keys, it works, but
that's rather crude solution, as hosts can be rebooted (switching disksets) at
various times. I can also take care that both disksets have the same keys, but
I'd like to know WHY the behaviour of cfservd is different from documented :(



   __    __.---------------------------------------------------------------.__
  (oo)  |        And God said, "E=2mv^2+2P/r" and there was popcorn!          |
 / \/ \ |                                                                     |
 `V__V' `--.__penguin_#128720______________________________________________.--'

reply via email to

[Prev in Thread] Current Thread [Next in Thread]