
Re: Fwknop and the install process



On Sun, Jun 22, 2008 at 07:43:38PM +0200, Franck Joncourt wrote:
> Hi,
> 
> I have posted this message on debian-devel, but there is still no
> answer. So I give it a try on debian mentors in the hope I can get more
> audience :p!
> 
> To make it short first, I would say I do not know how to handle the
> install process of the fwknop server (fwknopd) and I am looking for some
> suggestions.
> 
> Here is a link to the fwknop description :
> 
> http://www.cipherdyne.org/fwknop/index.html
> 
> The context :
> 
> Fwknop has a daemon : fwknopd, and it depends on configuration files,
> and cannot be started without updating them.
> 
> The user can choose two setups :
> 
> - the simple one : three variables to change (the ethernet interface, a
> key, and the machine hostname)
> - the second one requires much more work, since he has to deal with gpg
> key (create, sign, export) on both the client and the server sides, in
> addition to the ethernet interface, the key and the machine hostname.
> These settings are recommended.
> 
> So, right now, I would choose to work this way :
> 
> - not ask for any questions and not start fwknopd during the install
> process ; a variable would be set to no in /etc/default/fwknop-server.
> - let the user have a quick setup (the three simple questions), and
> start the fwknopd daemon, by use of dpkg-reconfigure. Add a note about
> the recommended settings.
> 
> But what about starting the simple setup through the three questions, by
> default, and mentioning that the user might want to configure gpg and
> restart.
> 
> What would you suggest ? Any idea is welcome.
> 

Due to the nature of the fwknop protocol and its goals, I would avoid
activating the daemon at all. The best thing to do is to leave it inactive
and let the user configure it as appropriate in his/her context.
You can easily use a script that pre-checks for a configured
daemon and starts it up or terminates gently. You can eventually
also add a debconf-based easy-setup with an initial question (which defaults
to NO) about easy autoconfiguration. Consider that fwknop is also
a non-system-wide service which could be used in different terms, so
auto-starting it in any other way would not be appropriate. See for instance
fetchmail: it works in system-wide fashion or not.

-- 
Francesco P. Lovergine
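
The pre-check suggested in the reply above, sketched as an init-script guard; this is an added example, not part of the original message or of the fwknop package. The `START_DAEMON` variable, the `KEY: value;` line format and the `__CHANGEME__` placeholder are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-start guard an init script could call before launching
# fwknopd. START_DAEMON, the "KEY: value;" syntax and the __CHANGEME__
# placeholder are hypothetical names, not taken from the packaged files.

# Usage: fwknopd_precheck DEFAULTS_FILE ACCESS_CONF
# Returns 0 = configured and enabled, 1 = disabled, 2 = not configured.
fwknopd_precheck() {
    defaults_file=$1
    access_conf=$2

    # Default to "no": a fresh install must never start the daemon.
    START_DAEMON=no
    [ -r "$defaults_file" ] && . "$defaults_file"
    [ "$START_DAEMON" = "yes" ] || return 1

    # No access file means nothing has been configured yet.
    [ -r "$access_conf" ] || return 2

    # A shipped placeholder left in a non-comment line means the admin
    # has not chosen a key; refuse to listen with a publicly known value.
    if grep -v '^[[:space:]]*#' "$access_conf" | grep -q '__CHANGEME__'; then
        return 2
    fi

    # Require at least one non-empty KEY entry.
    grep -Eq '^[[:space:]]*KEY[[:space:]]*:[[:space:]]*[^[:space:];:]+' \
        "$access_conf" || return 2

    return 0
}
```

An init script would call this from its `start` action and exit quietly with status 0 on return codes 1 and 2, so that package installation does not fail while the daemon stays down.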

