I am trying to use cfengine in a configuration where all of the hosts have dynamic IPs, and do not have dynamic DNS, so I need to authenticate to the server using only SSL keys and hostnames without DNS lookups. This should be possible by using a combination of "HostnameKeys = ( on ) and SkipIdentify = ( true )" on the client side and "HostnameKeys = ( on ) and SkipVerify = ( <ip range> )" on the server side.

My clients have their hostnames hardcoded, and the server has the clients' public keys in /var/cfengine/ppkeys/root-<client hostname>.pub. Everything works correctly, EXCEPT the server looks for the wrong filename in the ppkeys folder.

Here is the debug output from the server:

OptionIs(server,HostnameKeys,1)
GetMacroValue(server,HostnameKeys)
HavePublickey(-<client ip>)
Did not have key -<client ip>
No previous key found, and unable to accept this one on trust

Note that it is looking for a filename "-<client ip>" instead of the hostname the client reported. Here is the output from the client showing that it reported its real hostname:

SkipIdent was requested, so we are trusting and annoucning the identity as (<client hostname>) for this host
Loaded /var/cfengine/ppkeys/<client hostname>.pub
cfengine:<client hostname>: BAD: key could not be accepted on trust
cfengine:<client hostname>: Authentication dialogue with <server name> failed
cfengine:<client hostname>: Unable to establish connection with <server name> (failover)

Please note that I replaced the actual client IP, client hostname, server name, and IP range with <client ip>, <client hostname>, <server name>, and <ip range> respectively.

Is this a known bug? Is there some sort of workaround? I know this is an unusual configuration, but I do not administer the DNS server, and they do not provide dynamic DNS services.

Thanks,

Tyler Backman
Oregon State University
College of Science
http://science.oregonstate.edu/~backmant/

Bug-cfengine mailing list
http://cfengine.org/mailman/listinfo/bug-cfengine
