As the past days here have shown, DNS is an extremely unreliable service, and it can be spoofed. I would not base any access control on DNS.
Nicolas Charles wrote:
> But if we authorise hosts to connect, cfengine could host2ip each host to
> see if the client is allowed to connect, rather than having the user
> writing himself the host2ip in the promise
> I'm a bit lazy sometimes :)
>
> On 14/06/2010 17:58, Seva Gluschenko wrote:
>> Well,
>>
>> Once a connection is established, your master server only knows
>> client's IP. To establish a relation between an IP and a hostname, the
>> reverse and then direct DNS query is used, so that an IP must resolve
>> to a hostname which must resolve back to an IP. Otherwise a hostname
>> is untrusted. This is how it works in general with most Internet
>> services. Dunno if it is the same with Cfengine, but I believe it
>> should be.
>>
>> 2010/6/14 Nicolas Charles <nicolas.char...@normation.com>:
>>
>>> Nope, but why isn't host2ip used automatically ?
>>>
>>> On 14/06/2010 17:20, Seva Gluschenko wrote:
>>>
>>>> Nicolas,
>>>>
>>>> just a quick thought: does the reverse DNS contain the record for
>>>> 192.168.100.12?
>>>>
>>>> 2010/6/14 Nicolas Charles <nicolas.char...@normation.com>:
>>>>
>>>>> Hello everyone,
>>>>>
>>>>> I'm wondering what is the proper way (== the most commonly used) to
>>>>> identify the machines that are allowed to connect to a policy server.
>>>>>
>>>>> If I use the DNS name of the machines, they can't connect :
>>>>> in the cf-served.cf
>>>>> allowconnects => {
>>>>> @(def.acl) , "debian-5-32.labo.normation.com"
>>>>> };
>>>>>
>>>>> #ping debian-5-32.labo.normation.com
>>>>> 64 bytes from 192.168.100.12: icmp_seq=1 ttl=64 time=0.252 ms
>>>>>
>>>>> Result :
>>>>> "Not allowing connection from non-authorized IP ::ffff:192.168.100.12"
>>>>>
>>>>> I could use the ip of the machine, but it's prone to change. host2ip is
>>>>> the right solution (or so it seems), but then I'm wondering why it's not
>>>>> used by default when we use the domain name of a machine ?
>>>>>
>>>>> Regards
>>>>>
>>>>> --
>>>>> Nicolas CHARLES
>>>>> Normation SAS - http://www.normation.com
>>>>> 44 rue Cauchy – 94110 ARCUEIL
>>>>> +33 (0)1 83 62 26 96 - +33 (0)6 14 63 25 18
>>>>>
>>>>> _______________________________________________
>>>>> Help-cfengine mailing list
>>>>> Help-cfengine@cfengine.org
>>>>> https://cfengine.org/mailman/listinfo/help-cfengine
>>>>>

--
Mark Burgess
-------------------------------------------------
Professor of Network and System Administration
Oslo University College, Norway
Personal Web: http://www.iu.hio.no/~mark
Office Telf : +47 22453272
-------------------------------------------------
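The reverse-then-forward lookup Seva describes (an IP must resolve to a hostname, and that hostname must resolve back to the same IP, otherwise the name is untrusted) written out as an added Python example; it is not code from this thread or from cfengine. It also folds the IPv4-mapped IPv6 form seen in the cf-serverd log line (`::ffff:192.168.100.12`) back to plain IPv4 before comparing. The resolver functions are injected so the check runs offline against constructed records; the hostname `debian-5-32.labo.normation.com` and address `192.168.100.12` are the ones quoted in the thread, every other record and the function names are assumptions made for the example. Mark's caveat stands: the check only ties an address to a name as DNS currently reports it, so use it as a coarse filter in front of cfengine's key-based trust, not as the access decision itself.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an allow-list of hostnames."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

# Constructed sample records (not real DNS data). 192.168.100.12 and its name
# come from the thread; the other two addresses are hypothetical.
SAMPLE_PTR = {
    "192.168.100.12": "debian-5-32.labo.normation.com",   # PTR confirms forward
    "192.168.100.13": "forged.example.invalid",           # PTR, but forward differs
    "192.168.100.14": None,                               # no PTR record at all
}
SAMPLE_A = {
    "debian-5-32.labo.normation.com": ["192.168.100.12"],
    "forged.example.invalid": ["203.0.113.7"],            # forward points elsewhere
}


def sample_reverse(ip: str) -> Optional[str]:
    """Offline stand-in for a PTR lookup."""
    return SAMPLE_PTR.get(ip)


def sample_forward(host: str) -> List[str]:
    """Offline stand-in for an A/AAAA lookup."""
    return SAMPLE_A.get(host, [])


def system_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup via the system resolver (not used by the offline test)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror / socket.gaierror are subclasses
        return None


def system_forward(host: str) -> List[str]:
    """Real forward lookup via the system resolver (not used by the offline test)."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except OSError:
        return []


def normalize_ip(raw: str) -> str:
    """cf-serverd reports IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d);
    fold those back to dotted-quad so they compare equal to A records."""
    addr = ipaddress.ip_address(raw.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def fcrdns_hostname(
    ip: str,
    reverse: Callable[[str], Optional[str]] = sample_reverse,
    forward: Callable[[str], List[str]] = sample_forward,
) -> Optional[str]:
    """Return the hostname only if reverse and forward lookups agree, else None."""
    ip = normalize_ip(ip)
    host = reverse(ip)
    if not host:
        return None                      # no PTR: untrusted
    forward_ips = {normalize_ip(a) for a in forward(host)}
    return host if ip in forward_ips else None   # PTR must be confirmed by A/AAAA


def is_allowed(ip: str, allowed_hosts: Iterable[str], **resolvers) -> bool:
    """Allow the peer only if its confirmed hostname is on the allow-list.
    Hostname comparison is case-insensitive, as DNS names are."""
    host = fcrdns_hostname(ip, **resolvers)
    if host is None:
        return False
    return host.lower().rstrip(".") in {h.lower().rstrip(".") for h in allowed_hosts}


if __name__ == "__main__":
    acl = ["debian-5-32.labo.normation.com"]
    for peer in ("::ffff:192.168.100.12", "192.168.100.13", "192.168.100.14"):
        print(peer, "->", fcrdns_hostname(peer), "allowed" if is_allowed(peer, acl) else "denied")
```

To run the same logic against live DNS, pass `reverse=system_reverse, forward=system_forward` to `is_allowed`; the offline defaults exist only so the behaviour on a missing PTR and on a PTR that the forward zone does not confirm can be exercised without a network.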