Re: Proposed patch for default cfengine configuration
Patrice Neff wrote:
- The server IP is currently hardwired in the cfservd.conf file. I'll have to debug if it is really impossible to use host names for the TrustKeysFrom value (as it currently appears to me) or if I just made a mistake in my tests.
I find a reference to this in the documentation. http://www.cfengine.org/docs/cfengine-reference.html#cfservd-HostnameKeys states that by default only IP addresses are allowed for that configuration, but it's possible to enable hostnames using the configuration parameter HostnameKeys.
But the documentation states:
This method of storing keys is not recommended for sites with fixed
IP addresses, since it removes one security barrier from a potential
attacker by potentially allowing DNS spoofing.
What are your thoughts? There are different solutions:
- Use HostNameKeys = ( on ) and put cfservd into the TrustKeysFrom list
- Fix the server host to 10.0.2.2
- Lookup the server IP at installation time (using cfservd hostname) and put that IP into TrustKeysFrom
The easiest would be HostNameKeys. And I'm currently leaning towards
using it. What are your thoughts?
PS: Just checked in an unrelated patch for a debian-edu-config
problem. New Debian-Edu installations should work again now (cfengine
execution on install failed for me at least).
Regards,
Patrice
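The third option from the list above (resolve the server name once at installation time and pin the resulting address in TrustKeysFrom, leaving HostnameKeys off so later key lookups never go through DNS) as a POSIX shell example. This is added illustration, not code from the thread or from debian-edu-config. It assumes cfengine 2 cfservd.conf syntax as referenced in the thread (TrustKeysFrom, HostnameKeys taking on/off), the server name "cfservd" from the thread, and that the name resolves to exactly one IPv4 address; the helper names is_ipv4, resolve_server and trust_stanza are mine.

```shell
#!/bin/sh
# Added example, not from the thread or debian-edu-config: resolve the
# cfengine server name once at install time and pin that address in
# cfservd.conf, so the key lookup never depends on DNS afterwards.
# Assumes cfengine 2 syntax (TrustKeysFrom, HostnameKeys = on/off).
# Helper names (is_ipv4, resolve_server, trust_stanza) are my own.

# is_ipv4 ADDR: succeed only if ADDR is four dotted decimal octets, each 0-255.
# Runs in a subshell so the IFS change does not leak to the caller.
is_ipv4() (
    IFS=.
    set -- $1            # split ADDR on dots into the positional parameters
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
)

# resolve_server NAME: print the one IPv4 address NAME resolves to; fail if
# it resolves to none or to several, rather than pinning an arbitrary one.
resolve_server() {
    out=$(getent hosts "$1") || return 1
    n=0
    pick=
    while read -r addr rest; do
        if is_ipv4 "$addr"; then
            n=$((n + 1))
            pick=$addr
        fi
    done <<EOF
$out
EOF
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$pick"
}

# trust_stanza ADDR: the cfservd.conf control lines that pin key trust to
# ADDR and keep HostnameKeys off, so DNS is never consulted for the key file.
trust_stanza() {
    is_ipv4 "$1" || return 1
    printf 'control:\n'
    printf '   TrustKeysFrom = ( %s )\n' "$1"
    printf '   HostnameKeys = ( off )\n'
}

# Usage: sh pin-server.sh cfservd   (the demo runs only when a name is given)
if [ $# -gt 0 ]; then
    ip=$(resolve_server "$1") || { echo "cannot pin $1: no unique IPv4 address" >&2; exit 1; }
    trust_stanza "$ip"
fi
```

Refusing a name that resolves to zero or several addresses avoids silently pinning the wrong host at install time, and keeping HostnameKeys off means the key file is still looked up by address, which is exactly the exposure the quoted documentation warns about when hostnames are used instead.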