
Re: Proposed patch for default cfengine configuration



Patrice Neff wrote:

- The server IP is currently hardwired in the cfservd.conf file. I'll have to debug if it is really impossible to use host names for the TrustKeysFrom value (as it currently appears to me) or if I just made a mistake in my tests.

I found a reference to this in the documentation. http://www.cfengine.org/docs/cfengine-reference.html#cfservd-HostnameKeys states that by default only IP addresses are allowed for that configuration, but it's possible to enable hostnames using the configuration parameter HostnameKeys.

But the documentation states:
This method of storing keys is not recommended for sites with fixed IP addresses, since it removes one security barrier from a potential attacker by potentially allowing DNS spoofing.

What are your thoughts? There are different solutions:
- Use HostnameKeys = ( on ) and put cfservd into the TrustKeysFrom list
- Fix the server host to 10.0.2.2
- Lookup the server IP at installation time (using cfservd hostname) and put that IP into TrustKeysFrom

The easiest would be HostnameKeys, and I'm currently leaning towards using it. What are your thoughts?

PS: Just checked in an unrelated patch for a debian-edu-config problem. New Debian-Edu installations should work again now (cfengine execution on install failed for me at least).

Regards,
Patrice
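The third option in the list above (resolve the server once at installation time and write the resulting IP into TrustKeysFrom, leaving HostnameKeys off so the server's key stays bound to an address rather than to a DNS name) can be done with a small install-time helper. The script below is an added example written for this page; it is not code from debian-edu-config or from cfengine. The function names (is_ipv4, resolve_ipv4, render_cfservd_conf), the address 10.0.2.2 used in the test, and the exact set of cfservd control directives emitted are assumptions for illustration; the directives TrustKeysFrom, HostnameKeys and AllowConnectionsFrom themselves are the cfservd.conf settings the message discusses. Resolution uses getent, so the helper refuses to write anything if the name does not resolve or resolves to something that is not a dotted-quad address, which is the failure mode that would otherwise silently put a hostname into a key-by-IP configuration.

```shell
#!/bin/sh
# Added example (not debian-edu-config's or cfengine's own code): build a
# cfservd.conf control section that trusts the server's key by IP address.

# is_ipv4 ADDR: succeed only if ADDR is a dotted quad with octets 0..255.
# cfservd stores keys by IP unless HostnameKeys is on, so a hostname must
# never end up in TrustKeysFrom when that option is off.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# resolve_ipv4 NAME: print the first IPv4 address the system resolver returns
# for NAME (via getent, so /etc/hosts and DNS are both consulted), or fail.
# This is the "lookup at installation time" step; it is deliberately kept
# out of the config rendering so the rendering step can be checked offline.
resolve_ipv4() {
    addr=$(getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || return 1
    is_ipv4 "$addr" || return 1
    printf '%s\n' "$addr"
}

# render_cfservd_conf SERVER_IP: emit the control section for a client's
# cfservd.conf. Keys are kept by IP (HostnameKeys off), the server is the
# only host whose key is trusted on first contact, and connections are
# limited to it as well. The directive set here is an illustrative minimum.
render_cfservd_conf() {
    server_ip=$1
    if ! is_ipv4 "$server_ip"; then
        echo "render_cfservd_conf: not an IPv4 address: $server_ip" >&2
        return 1
    fi
    cat <<EOF
control:
   HostnameKeys         = ( off )
   TrustKeysFrom        = ( $server_ip )
   AllowConnectionsFrom = ( $server_ip )
EOF
}

# install_cfservd_conf NAME OUTFILE: resolve NAME, render, and only then
# replace OUTFILE, so a failed lookup leaves the existing file untouched.
install_cfservd_conf() {
    ip=$(resolve_ipv4 "$1") || {
        echo "install_cfservd_conf: cannot resolve $1" >&2
        return 1
    }
    render_cfservd_conf "$ip" > "$2.tmp" && mv "$2.tmp" "$2"
}
```

Typical use at installation time would be `install_cfservd_conf cfservd /etc/cfengine/cfservd.conf`. Choosing HostnameKeys = ( on ) instead would replace the is_ipv4 guard with the DNS-spoofing caveat the reference manual gives; the helper above keeps the address binding and fails closed when the lookup does not yield one.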


