Seva,

Interesting suggestion that may simplify what I'm doing. Always looking to simplify. :) I'll play around with this and let you know how it turns out.

Thanks,
Justin

-----Original Message-----
From: Сева Глущенко [mailto:seva.glusche...@gmail.com]
Sent: Thursday, May 13, 2010 3:13 PM
To: Justin Lloyd
Cc: help-cfengine@cfengine.org
Subject: Re: Trusting a server's public key

Justin,

it seems like your task can be performed as follows:

files:

  "$(root_homedir)/.ssh/lum.pub"
    copy_from => remote_copy_with_backup("/root/.ssh/id_rsa.pub", "lum");

  "$(root_homedir)/.ssh/authorized_keys"
    edit_line => insert_file("$(root_homedir)/.ssh/lum.pub");

with the appropriate edit_line bundle:

bundle edit_line insert_file(src)
{
insert_lines:
  "$(src)" insert_type => "file";
}

2010/5/14 Justin Lloyd <jll...@digitalglobe.com>:
> Someone raised a couple of good questions in a private email to me, so I
> thought I'd go ahead and send my response to the whole list. I didn't know if
> they'd want me to forward their response to the list, so I've omitted their
> response, just to be safe. :) My apologies if you prefer attribution; feel
> free to reply to this if that is the case.
>
> First, I verified my trustkeysfrom and @(def.acl) settings were correct. As
> for the second point, my remote_copy_with_backup body already has trust
> enabled.
>
> body copy_from remote_copy_with_backup(filename, hostname)
> {
> source => "$(filename)";
> servers => { "$(hostname)" };
> compare => "digest";
> copy_backup => "true";
> trustkey => "true";
> }
>
> As for my goal, I had shortened my original email to make it easier to
> understand, but the response made me realize that I took out an important
> point. My goal is to have all systems trust lum so that they can retrieve the
> sudoers file, though some systems don't need to fetch that sudoers file.
> However, I do have an edit_line bundle (promiser is
> "$(root_homedir)/.ssh/authorized_keys") that defines a variable by calling
> remotescalar(), which is a function specific to Cfengine Nova and does not
> include a key exchange mechanism.
>
> "remote_user_public_key" string => remotescalar(
>   "$(user)_public_ssh_key_access", "$(host)", "yes"
> );
>
> When $(host) is lum (which is the only way I'm calling this bundle right
> now), it's not trusted by clients that don't retrieve sudoers, and thus those
> systems couldn't get lum's public SSH key. I had no other way of ensuring all
> systems could successfully use the remotescalar call to get lum's public SSH
> key.
>
> Justin
>
>
> This electronic communication and any attachments may contain confidential
> and proprietary information of DigitalGlobe, Inc. If you are not the intended
> recipient, or an agent or employee responsible for delivering this
> communication to the intended recipient, or if you have received this
> communication in error, please do not print, copy, retransmit, disseminate or
> otherwise use the information. Please indicate to the sender that you have
> received this communication in error, and delete the copy you received.
> DigitalGlobe reserves the right to monitor any electronic communication sent
> or received by its employees, agents or representatives.
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@cfengine.org
> https://cfengine.org/mailman/listinfo/help-cfengine
>

--
SY, Seva Gluschenko.
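Added example, not from the thread and not CFEngine's own code. Seva's insert_file bundle gets the key into authorized_keys by inserting the file's lines, and CFEngine's insert_lines keeps that idempotent per line; what neither the bundle nor remote_copy_with_backup with trustkey => "true" gives you is a check that the key that arrived is the one lum's administrator actually handed out, since trustkey accepts a previously unknown server key on first contact. The Python below does the same insertion step on an authorized_keys file but (a) recognises the key by its decoded blob, so a copy with a different comment or leading options is not appended a second time, and (b) compares the key's OpenSSH-style SHA256 fingerprint against a pinned value before installing it. The Ed25519 key material is constructed from fixed bytes so it runs offline; in practice the pinned fingerprint would come from lum's admin out of band, which is an assumption about your workflow, not something the thread states.

```python
"""Pin and idempotently install an SSH public key in authorized_keys (added example)."""
import base64
import hashlib
import struct

# Key types whose authorized_keys blob begins with the type name as an SSH string.
KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)

# Constructed sample key material (not lum's real key): 32 fixed bytes standing
# in for an Ed25519 public key so the example runs offline.
SAMPLE_ED25519_RAW = bytes(range(32))


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_line(raw32: bytes, comment: str) -> str:
    """Build an authorized_keys line from a raw 32-byte Ed25519 public key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def _tokens(line: str):
    """Split on whitespace but keep quoted option values (from="a b") intact."""
    out, cur, quoted, escaped = [], [], False, False
    for ch in line:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\" and quoted:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch.isspace() and not quoted:
            if cur:
                out.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_key(line: str):
    """Return (keytype, decoded blob); options and comment are ignored.

    The decoded blob must start with the declared key type, otherwise the
    line is rejected as malformed.
    """
    toks = _tokens(line.strip())
    for i, tok in enumerate(toks):
        if tok in KEY_TYPES and i + 1 < len(toks):
            blob = base64.b64decode(toks[i + 1], validate=True)
            if len(blob) < 4:
                raise ValueError("blob too short")
            n = struct.unpack(">I", blob[:4])[0]
            if blob[4:4 + n] != tok.encode():
                raise ValueError("declared key type does not match blob")
            return tok, blob
    raise ValueError("no public key found on line")


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_matches_pin(line: str, expected_fp: str) -> bool:
    """True if the key on this line has the fingerprint obtained out of band."""
    return fingerprint(parse_key(line)[1]) == expected_fp


def ensure_authorized_key(existing: str, new_line: str, expected_fp=None) -> str:
    """Return authorized_keys content with the key from new_line present once.

    Presence is judged on the decoded key, not the text, so a copy with a
    different comment or options is not appended again. With expected_fp
    set, a key that does not match the pin is refused.
    """
    keytype, blob = parse_key(new_line)
    if expected_fp is not None and fingerprint(blob) != expected_fp:
        raise ValueError("fetched key does not match pinned fingerprint")
    for raw in existing.splitlines():
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        try:
            if parse_key(s) == (keytype, blob):
                return existing  # already installed, leave file untouched
        except ValueError:
            continue  # unparsable line, not this key; leave it alone
    if existing and not existing.endswith("\n"):
        existing += "\n"
    return existing + new_line.strip() + "\n"


if __name__ == "__main__":
    line = make_ed25519_line(SAMPLE_ED25519_RAW, "root@lum")
    pin = fingerprint(parse_key(line)[1])  # in real use: value from lum's admin
    print(ensure_authorized_key("# managed by cfengine\n", line, pin), end="")
```

Wire this in where the lum.pub copy lands (for example from a CFEngine commands promise after the copy_from), feeding it the fetched lum.pub line and the fingerprint you were given out of band; a mismatch raises before anything is written, which is the check that trustkey => "true" on its own does not perform.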