Distributed Systems Administration Utilities User's Guide, Linux, March 2009

synchronization. For details on using cfexecd in daemon-mode, refer to the cfengine tutorial
located in /opt/dsau/doc/cfengine/.
2.4 Security Notes
cfengine has many security features, ranging from parameters that help defend against
denial-of-service attacks to access control lists that prevent managed clients from accessing
reference file directories on the server. For details on cfengine security features, refer to the
reference manual located in /opt/dsau/doc/cfengine/. The security topics discussed below include:
• Key exchange
• Network port usage
• Encryption
• Checksum alerts
2.4.1 Key Exchange
All the key exchange examples shown thus far have used scp to securely transfer the master
server public key to the managed client and the managed client’s public key to the master server.
This scheme provides the highest level of security but can be inconvenient in certain situations.
Other key distribution alternatives include the following:
• When connecting to a new client, cfrun has an interactive mode similar to ssh, where the
  administrator is prompted to accept the remote system’s key. For example:

    cfrun(0): .......... [ Hailing remote-host.abc.xyz.com ] ..........
    WARNING - You do not have a public key from host remote-host.abc.xyz.com = 192.10.25.12
    Do you want to accept one on trust? (yes/no)
    -> yes
    cfrun:<master server name>: Trusting server identity and willing to accept key from remote-host.abc.xyz.com=192.10.25.12

• For large numbers of new clients, interactive mode can be inefficient. cfrun supports a -T
  option which tells cfengine to trust all new keys from the hosts listed in cfrun.hosts.
• cfservd.conf supports a TrustKeysFrom control clause. For example:

    control:
       TrustKeysFrom = ( 128.39.89.76 )      # A trusted host
       TrustKeysFrom = ( 128.39.89.76/24 )   # A trusted subnet

  The enumerated host or subnet addresses will be implicitly trusted and their keys
  automatically accepted.
All of these key exchange alternatives should be used with extreme caution and only in a secure
environment where the LAN is trusted and the remote hosts are trusted. Once a public key is
accepted, it will not be updated unless it is deleted by hand from the master server’s
/var/opt/dsau/cfengine/ppkeys directory, manually replaced with a new key, or the csync wizard
is run to update it.
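The following added example (not part of the original guide or of cfengine) audits cfservd.conf text for TrustKeysFrom entries like those shown above and reports how many addresses each one implicitly trusts, flagging anything wider than a single host. The function name audit_trust_keys_from, the max_addresses threshold, and the sample configuration are assumptions made for illustration; the parser assumes each clause sits on one line, as in the example above.

```python
import ipaddress
import re

# Constructed sample modelled on the TrustKeysFrom clause shown above.
SAMPLE_CONF = """\
control:
   TrustKeysFrom = ( 128.39.89.76 )      # A trusted host
   TrustKeysFrom = ( 128.39.89.76/24 )   # A trusted subnet
"""

TRUST_RE = re.compile(r"^\s*TrustKeysFrom\s*=\s*\(([^)]*)\)", re.IGNORECASE)


def audit_trust_keys_from(conf_text, max_addresses=1):
    """Return one finding per TrustKeysFrom entry in cfservd.conf text.

    Each finding is (line_no, entry, address_count, flagged). An entry is
    flagged when it implicitly trusts more than max_addresses addresses, or
    when it cannot be parsed as an IP address or CIDR block (count is None).
    """
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop the trailing comment
        match = TRUST_RE.match(line)
        if not match:
            continue
        for entry in match.group(1).split():
            try:
                # strict=False accepts host bits set, e.g. 128.39.89.76/24
                net = ipaddress.ip_network(entry, strict=False)
                count = net.num_addresses
            except ValueError:
                count = None  # hostname, range, or typo: needs manual review
            flagged = count is None or count > max_addresses
            findings.append((line_no, entry, count, flagged))
    return findings


if __name__ == "__main__":
    for line_no, entry, count, flagged in audit_trust_keys_from(SAMPLE_CONF):
        status = "REVIEW" if flagged else "ok"
        size = "unparsed" if count is None else f"{count} address(es)"
        print(f"line {line_no}: {entry:<20} {size:<16} {status}")
```

Every flagged entry is a set of addresses whose keys the server will accept without verification, so each one should correspond to a network segment that is actually trusted.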
2.4.2 csync Network Port Usage
cfservd uses TCP port 5308 by default. You can instruct cfagent to connect to cfservd using
a different port by specifying a port in the cfrun.hosts file. For example:
    host1.abc.xyz.com        # Use standard port
    host2.abc.xyz.com        # Use standard port
    host3.abc.xyz.com:4444   # Use port 4444
Also, cfengine will honor a cfengine tcp port defined in /etc/services. There are corresponding
changes in /etc/services.