Hi all,
I finally got an issue resolved regarding some of my systems not
trusting a particular server's Cfengine public key, but I wanted to see
if anyone has a better solution.
Currently we maintain our master sudoers file on a server whose
cf-serverd provides all systems with access to retrieve the master file.
Here's the promise (with some simplification for readability):
  linux|(solaris.zone_global.!usr_local_is_nfs)::
      "$(local_sudoers_file)"   # Linux=/etc/sudoers, Solaris=/usr/local/etc/sudoers
        perms     => mo("440", "root"),
        copy_from => remote_copy("/usr/local/etc/sudoers", "lum");
This is the only promise I have that retrieves a file from lum and thus
the only promise that would initiate key exchange with lum, meaning that
all Solaris non-global zones and the Solaris global zones that NFS mount
/usr/local would NEVER retrieve lum's public key and thus never get this
file.
To work around this, I created the following bundle:
  bundle agent ensure_lum_is_trusted {
    classes:
        "have_lum_public_key" expression => fileexists(
            "$(sys.workdir)/ppkeys/root-10.148.44.121.pub"
        );

    files:
      !have_lum_public_key::
        "/tmp/lum.motd"
          copy_from => remote_copy("/etc/motd", "lum");
  }
It just tries to copy a dummy file down from lum. Ironically the dummy
file will never actually be copied since the first attempt will fail but
key exchange will occur, and then there would never be another attempt
since the key would then exist on the "client".
So, can anyone see a better way of handling this kind of issue, or is
this dummy bundle probably the best solution?
Thanks,
Justin
--
Justin C. Lloyd
Unix Infrastructure Engineer
DigitalGlobe, An Imaging and Information Company
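One alternative to the dummy copy, added here as an example and not part of the original post: let the policy hub, which every host already trusts, distribute lum's public key into ppkeys under the name cf-agent looks up for that IP, so the sudoers copy never relies on trust-on-first-use against lum itself. Assumed (not from the post): the hub exports a verified copy of lum's localhost.pub at /var/cfengine/masterfiles/keys/, the client network is 10.148.0.0/16, and key files follow the root-<IP>.pub naming shown in the post.

```cfengine
# Hub side (loaded by cf-serverd on the policy hub): publish lum's public key.
# An administrator places a verified copy of lum's localhost.pub here as
# root-10.148.44.121.pub; the hub never learns it on first contact.
bundle server lum_key_access
{
  access:
      "/var/cfengine/masterfiles/keys"        # assumed export location
        admit => { "10.148.0.0/16" };         # assumed client network, adjust
}

# Client side: install lum's key from the hub the host already trusts.
# The files promise is idempotent: it copies only when the digest differs,
# so no class guard or dummy transfer is needed.
bundle agent distribute_lum_key
{
  vars:
      "lum_ip"  string => "10.148.44.121";
      "lum_key" string => "$(sys.workdir)/ppkeys/root-$(lum_ip).pub";

  files:
      "$(lum_key)"
        comment   => "Pinned copy of lum's key, distributed by the hub rather than learned on first contact",
        perms     => mo("600", "root"),
        copy_from => remote_copy("/var/cfengine/masterfiles/keys/root-$(lum_ip).pub",
                                 "$(sys.policy_hub)"),
        classes   => if_repaired("lum_key_installed");

  reports:
    lum_key_installed::
      "Installed pinned public key for lum ($(lum_ip)) in $(sys.workdir)/ppkeys";
}
```

With the key pinned this way, the existing sudoers promise can stay as it is, and a key that later changes on lum is noticed as a digest mismatch on the hub rather than silently accepted by each client.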
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine