But if we authorize hosts to connect, cfengine could host2ip each host to see if the client is allowed to connect, rather than having the user write the host2ip himself in the promise. I'm a bit lazy sometimes :)

On 14/06/2010 17:58, Seva Gluschenko wrote:
> Well,
>
> Once a connection is established, your master server only knows
> client's IP. To establish a relation between an IP and a hostname, the
> reverse and then direct DNS query is used, so that an IP must resolve
> to a hostname which must resolve back to an IP. Otherwise a hostname
> is untrusted. This is how it works in general with most Internet
> services. Dunno if it is the same with Cfengine, but I believe it
> should be.
>
> 2010/6/14 Nicolas Charles<nicolas.char...@normation.com>:
>
>> Nope, but why isn't host2ip used automatically ?
>>
>> On 14/06/2010 17:20, Seva Gluschenko wrote:
>>
>>> Nicolas,
>>>
>>> just a quick thought: does the reverse DNS contain the record for
>>> 192.168.100.12?
>>>
>>> 2010/6/14 Nicolas Charles<nicolas.char...@normation.com>:
>>>
>>>> Hello everyone,
>>>>
>>>> I'm wondering what is the proper way (== the most commonly used) to
>>>> identify the machines that are allowed to connect to a policy server.
>>>>
>>>> If I use the DNS name of the machines, they can't connect :
>>>> in the cf-served.cf
>>>> allowconnects => {
>>>>     @(def.acl) , "debian-5-32.labo.normation.com"
>>>> };
>>>>
>>>> #ping debian-5-32.labo.normation.com
>>>> 64 bytes from 192.168.100.12: icmp_seq=1 ttl=64 time=0.252 ms
>>>>
>>>> Result :
>>>> "Not allowing connection from non-authorized IP ::ffff:192.168.100.12"
>>>>
>>>> I could use the ip of the machine, but it's prone to change. host2ip is
>>>> the right solution (or so it seems), but then I'm wondering why it's not
>>>> used by default when we use the domain name of a machine ?
>>>>
>>>> Regards
>>>>
>>>> --
>>>> Nicolas CHARLES
>>>> Normation SAS - http://www.normation.com
>>>> 44 rue Cauchy – 94110 ARCUEIL
>>>> +33 (0)1 83 62 26 96 - +33 (0)6 14 63 25 18
>>>>
>>>> _______________________________________________
>>>> Help-cfengine mailing list
>>>> Help-cfengine@cfengine.org
>>>> https://cfengine.org/mailman/listinfo/help-cfengine

--
Nicolas CHARLES
Normation SAS - http://www.normation.com
44 rue Cauchy – 94110 ARCUEIL
+33 (0)1 83 62 26 96 - +33 (0)6 14 63 25 18
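
The reverse-then-forward DNS check described in the quoted reply above, as an added Python example that is not part of the thread and not cfengine's own code; it makes no claim about what cfengine's server actually does. The function names and the zone data are constructed for illustration, and the peer address is normalized from the `::ffff:` IPv4-mapped form seen in the error message.

```python
import ipaddress
import socket

def normalize_peer(addr):
    """Parse a peer address; collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def system_reverse(ip):
    """PTR lookup via the system resolver; an empty list means no reverse record."""
    try:
        name, aliases, _ = socket.gethostbyaddr(str(ip))
    except OSError:
        return []
    return [name, *aliases]

def system_forward(name):
    """A/AAAA lookup via the system resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def fcrdns_allowed(peer, allowed_names, reverse=system_reverse, forward=system_forward):
    """True only if peer's PTR name is allow-listed AND that name resolves back to peer."""
    ip = normalize_peer(peer)
    allowed = {n.lower().rstrip(".") for n in allowed_names}
    for name in reverse(ip):
        name = name.lower().rstrip(".")
        if name in allowed and any(normalize_peer(a) == ip for a in forward(name)):
            return True
    return False

# Constructed zone data (not real DNS answers) using the names from the thread.
HOST = "debian-5-32.labo.normation.com"
PTR = {"192.168.100.12": [HOST], "192.168.100.99": [HOST]}  # .99 has a forged PTR
A = {HOST: ["192.168.100.12"]}

def demo(peer, ptr=PTR):
    """Run the check against the constructed records instead of live DNS."""
    return fcrdns_allowed(peer, [HOST],
                          reverse=lambda ip: ptr.get(str(ip), []),
                          forward=lambda name: A.get(name, []))

if __name__ == "__main__":
    print(demo("::ffff:192.168.100.12"))          # PTR and A agree
    print(demo("::ffff:192.168.100.99"))          # PTR claims the name, A disagrees
    print(demo("::ffff:192.168.100.12", ptr={}))  # no reverse record at all
```

The third case matches the situation in the thread, where the forward record exists but the reverse zone has no entry for 192.168.100.12.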