cfservd 2.0.2, IP ranges and TrustKeysFrom

From: Juha Ylitalo
Subject: cfservd 2.0.2, IP ranges and TrustKeysFrom
Date: 12 Jun 2002 09:25:00 +0300

cfservd: cfengine 2.0.2 on FreeBSD 4.5-RELEASE-p5
cfagent: cfengine 2.0.2 on Solaris 8

I haven't yet looked into the code, but on quick experimentation it looks as
if TrustKeysFrom in cfservd.conf doesn't support IP ranges.

I have the following two lines in my cfservd.conf on the cfservd host:
  TrustKeysFrom = ( )
  DynamicAddresses = ( )

Whenever my JumpStarted Solaris box at tried to contact
cfservd, authentication failed. This problem disappeared as soon as I
split TrustKeysFrom so that and were listed as
separate IPs in the list.

In case someone wonders why the Solaris box is in DynamicAddresses, the
explanation is simply that those boxes are used for testing certain
applications and as such the boxes are reinstalled on a regular basis. With
the DynamicAddresses and TrustKeysFrom combination, we can avoid the step
where we would have to go and delete the old public key from the cfservd host.
The other option would have been to distribute keys during JumpStart, but
that wouldn't be any more secure than this solution.

P.S. Yes, I know, my IPs are scattered in a pretty awkward way, but I am
trusting that time will take care of it as all new machines get IPs from
a separate IP range.

Juha Ylitalo       address@hidden           <work e-mail>
+358 40 562 6152   http://linux.nokia.com/~jylitalo/  <work www>
"Some tools are used, because its policy, others because they are good."
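
The workaround described in the message (listing each address separately in TrustKeysFrom) can be generated rather than typed by hand. The following is an added example, not part of the original post or of cfengine: the function names, the `a.b.c.d-e` last-octet range notation, the size limit, and the 192.0.2.x sample addresses are all assumptions made for illustration.

```python
import ipaddress


def expand_range(spec):
    """Expand a single IP, a CIDR block, or an 'a.b.c.d-e' last-octet
    range (assumed notation) into a list of individual IPv4 strings."""
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        # hosts() skips network/broadcast; fall back for single-address nets.
        hosts = list(net.hosts()) or [net.network_address]
        return [str(h) for h in hosts]
    if "-" in spec:
        base, _, last = spec.rpartition("-")
        ipaddress.IPv4Address(base)  # validates the left-hand address
        prefix, _, first = base.rpartition(".")
        lo, hi = int(first), int(last)
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad last-octet range: %r" % spec)
        return ["%s.%d" % (prefix, n) for n in range(lo, hi + 1)]
    return [str(ipaddress.IPv4Address(spec))]


def trust_keys_line(specs, limit=64):
    """Render a TrustKeysFrom line with every address listed separately.

    TrustKeysFrom makes cfservd accept a previously unknown public key
    from the listed hosts, so the list is refused if it grows past
    `limit` (hypothetical safety cap) instead of silently trusting a
    large block of addresses.
    """
    addrs = []
    for spec in specs:
        for addr in expand_range(spec):
            if addr not in addrs:  # keep order, drop duplicates
                addrs.append(addr)
    if len(addrs) > limit:
        raise ValueError("%d addresses exceeds limit %d" % (len(addrs), limit))
    return "TrustKeysFrom = ( " + " ".join(addrs) + " )"


if __name__ == "__main__":
    # Constructed sample input (documentation address space).
    print(trust_keys_line(["192.0.2.10-12", "192.0.2.40"]))
```

Only the hosts that are actually reinstalled belong in the input; the same explicit list can be reused for DynamicAddresses if it is affected in the same way.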

