Forum: CFEngine Help
Subject: Re: cf-serverd seems to be allowing connects from system w/new keys
Author: dhubler
Link to topic: https://cfengine.com/forum/read.php?3,26443,26449#msg-26449
I removed the public half from the server and regenerated a new public and
private pair on the remote machine.
>From the help description, I do not see any remote capability to cf-key and
>I'm not even sure what it could do in this case, it's the server's
>configuration that has to decide it does not have the key, it never had the
>key and therefore accept this key.
I dumbed down the server and client configs to bare minimum and I was able to
reproduce this.
server
===========
  # Trivial agent bundle so cf-agent has something to run; it plays no
  # part in the key-trust behaviour being reproduced.
  bundle agent nop {
  reports:
    linux::
      "here i am";
  }

  body common control {
  bundlesequence => { "nop" };
  }

  body server control {
  # accept connections from the client without DNS/identity verification
  skipverify        => { ".*" };
  allowconnects     => { "10.91.7.15" };
  allowallconnects  => { "10.91.7.15" };
  maxconnections    => "5";
  # left commented out: the server therefore has no IP from which it will
  # accept a previously unseen public key on trust
  #trustkeysfrom    => { "10.91.7.15" };
  logallconnections => "true";
  allowusers        => { "root" };
  }

  body agent control {
  verbose => "true";
  }

  bundle server access_rules {
  vars:
    "export_dirs" slist => { "/var/cfengine/masterfiles" };
  access:
    "$(export_dirs)"
      admit   => { "10.91.7.15" },
      maproot => { "10.91.7.15" };
  roles:
    ".*"
      authorize => { "root" };
  }
remote
===========
  bundle agent test {
  files:
    # pull the server's masterfiles tree into a local subdirectory
    "/var/cfengine/masterfiles/msg"
      copy_from    => remote_cp,
      depth_search => recurse("1");
  }

  body copy_from remote_cp {
  servers  => { "10.90.254.244" };
  source   => "/var/cfengine/masterfiles";
  compare  => "digest";
  # client side only: accept the server's key on first contact if unknown.
  # This does not make the server accept the client's key (that is
  # trustkeysfrom in body server control).
  trustkey => "true";
  }

  body depth_search recurse(d) {
  depth => "$(d)";
  xdev  => "true";
  }

  body common control {
  bundlesequence => { "test" };
  }
results
==============
cf3> Allowing 10.91.7.15 to connect without (re)checking ID
cf3> Non-verified Host ID is ip-10-91-7-15.ec2.internal (Using skipverify)
cf3> Non-verified User ID seems to be root (Using skipverify)
cf3> -> Public key identity of host "10.91.7.15" is "MD5=35d8796d1361a0d9585290f434cf4ea3"
cf3> -> Did not find new key format /var/cfengine/ppkeys/root-MD5=35d8796d1361a0d9585290f434cf4ea3.pub
cf3> -> Trying old style /var/cfengine/ppkeys/root-10.91.7.15.pub
cf3> No previous key found, and unable to accept this one on trust
Does anyone rely on the feature that cf-serverd can be configured to always
trust a key from a foreign server if it's the first time it's seen that
server? If so, would they have configs to share?
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine
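The following is an added illustration, not code from the post above or from the CFEngine project. It shows the one server setting the question turns on, trustkeysfrom, in the form that makes cf-serverd accept an unknown key on first contact, beside the form that refuses a host which reappears with a regenerated key pair (the "No previous key found, and unable to accept this one on trust" outcome in the results). The three bodies are alternatives for different phases, not one policy file, since a policy may only contain one body server control. The addresses are the ones from the post (server 10.90.254.244, client 10.91.7.15); nothing else is assumed.

```cfengine3
# Added example, not part of dhubler's post. Alternatives, not one file.

# (1) Bootstrap phase: the configuration that makes cf-serverd store the
# client's public key the first time it is seen. Any key presented from an
# IP in trustkeysfrom is accepted on trust, so anyone able to source traffic
# from 10.91.7.15 during this window can register a key for "root".
body server control {
  allowconnects     => { "10.91.7.15" };
  allowallconnects  => { "10.91.7.15" };
  trustkeysfrom     => { "10.91.7.15" };   # accept an unknown key from this IP
  logallconnections => "true";
  allowusers        => { "root" };
  maxconnections    => "5";
}

# (2) After the exchange: /var/cfengine/ppkeys now holds the client's key as
# root-MD5=<digest>.pub. Drop trustkeysfrom (and do not use skipverify), so a
# host that later connects from the same address with a freshly generated
# key pair is refused rather than silently re-trusted. Check that the MD5=
# fingerprint cf-serverd logs for the connecting host matches the key file
# you expect in ppkeys before relying on that client.
body server control {
  allowconnects     => { "10.91.7.15" };
  allowallconnects  => { "10.91.7.15" };
  # trustkeysfrom deliberately omitted: no IP may introduce a new key
  logallconnections => "true";
  allowusers        => { "root" };
  maxconnections    => "5";
}

# (3) Client side, after bootstrap: stop accepting an unknown server key as
# well, so the agent refuses to copy from a server whose key has changed.
body copy_from remote_cp_pinned {
  servers  => { "10.90.254.244" };
  source   => "/var/cfengine/masterfiles";
  compare  => "digest";
  trustkey => "false";   # server key must already be in ppkeys
}
```

Leave (1) in place only for as long as the bootstrap needs; once the key file appears in ppkeys, switch to (2) and (3), and treat a subsequent "unable to accept this one on trust" line for a known host as a signal that its key changed, not as a configuration error to silence.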