martin f krafft said on Sat, Oct 30, 2004 at 01:35:33AM +0200:
> FWIW, there is no cfengine host (yet). I am still somewhat taken
> aback by its complexity. Just reinstalling the machines with FAI
> seems simpler and cleaner.

Yeah, I haven't gotten around to using it in production either. :)

> Well, this is what I was thinking too. Use an unprivileged account
> on the master to drop a sentinel, which makes the master distribute
> the keys via SSH. That would work, except now the attacker simply
> has to disable a machine and take over its IP, drop said sentinel,
> and wait for the master to push the SSH keys.

Yep. At some point, you're trusting your network. Only trusting your network at install time is better than trusting your network all of the time, I think.

> We used systemimager for years and it drove us crazy as new hardware
> was added and multiple people made changes, causing the images to
> get out of sync, and multiple images to be created without people
> knowing what they were. Yes, it's a policy issue, really... Now we
> have an NFS/LDAP solution managed by FAI, which looks very promising
> and flexible.

We solved that problem at my site by only having one image per OS/architecture, all of which are the same package set. As you said, policy. We also update (using a wrapper around updateclient and cvsup) every night from cron. We're moving towards adding LDAP and Kerberos for user accounts (instead of disting the /etc/passwd stuff), but haven't gotten there yet. I'd like to replace some of the homegrown stuff with cfengine, but as you noticed, it's very complex.

M