Bug #1146
Status: Closed
Parent task: User story #6363: Secure agent/server communication
Change the acceptation system of server / nodes
Added by Nicolas CHARLES over 13 years ago. Updated about 8 years ago.
Description
The Rudder servers should not accept a machine if its CFEngine key changes. Its info should not be duplicated (report, mount point).
Updated by Nicolas CHARLES over 13 years ago
- Status changed from In progress to Discussion
- Assignee changed from Nicolas CHARLES to Jonathan CLARKE
No problem in particular, except those referenced in #1151 that seem to be my fault.
Thus, since I have no item multiplication in inventory, what do I do?
Updated by Jonathan CLARKE over 13 years ago
- Status changed from Discussion to 2
Nicolas CHARLES wrote:
No problem in particular, except those referenced in #1151 that seem to be my fault.
Thus, since I have no item multiplication in inventory, what do I do?
I'll try to reproduce, I have a machine to reintegrate anyway.
Updated by Jonathan CLARKE over 13 years ago
Nicolas CHARLES wrote:
The Rudder servers should not accept a machine if the CFEngine key changes.
This works like a charm - even after changing the key, the machine is accepted. But it comes from the "trustkeys" of cf-serverd, I think. Bug or not?
Their info should not be duplicated (report, mount point).
Cannot reproduce this.
Updated by Jonathan CLARKE over 13 years ago
- Status changed from 2 to Discussion
- Assignee changed from Jonathan CLARKE to Nicolas CHARLES
What do you think about this, nico?
Updated by Nicolas CHARLES over 13 years ago
Looks like it is not a bug, but I'd like us to investigate in the end why the key is accepted.
Updated by Jonathan CLARKE over 13 years ago
- Subject changed from Test the deletion of /var/rudder and see what happens to Investigate why a server that changes its CFEngine key is still accepted
- Category changed from 11 to 14
- Status changed from Discussion to 2
- Priority changed from 1 (highest) to 3
- Target version changed from 7 to 9
OK, targeting this for the next 2.2.
Updated by Nicolas CHARLES over 13 years ago
- Status changed from 2 to In progress
Updated by Nicolas CHARLES over 13 years ago
The new key has been accepted. A mail has been sent to the ML.
Updated by Nicolas CHARLES over 13 years ago
- Target version changed from 9 to 17
- Estimated time set to 5.00 h
The clients come with a promise set, so we can have a minimal config that:
- Runs an inventory
- Runs cf-serverd, with the Rudder server IP address in its trustkeysfrom
And when we accept the host on the Rudder server, the server runs cf-runagent interactively to accept the key and update the promises.
Thus, we need to find a way to run an interactive command non-interactively, and verify that it works.
The generated promises nevertheless do NOT have the server trustkeysfrom.
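As an added illustration of the key-acceptance behaviour discussed in this thread, and not code from Rudder or CFEngine: the following Python model pins each node's key fingerprint on first contact from a configured trust network (the effect of trustkeysfrom), refuses a changed key instead of silently re-trusting it, and re-pins only after an operator confirms the new fingerprint out of band. The node ids, addresses and key bytes are constructed for the example; the registry class and its method names are assumptions made for illustration.

```python
"""Model of node key acceptance for a config-management server.

Illustrative example only: this is not Rudder or CFEngine code. It shows
trust-on-first-use from a configured network (what trustkeysfrom does),
pinning of the accepted key fingerprint, refusal of a changed key, and
explicit re-trust after an operator has checked the new fingerprint.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 hex digest of the public key bytes (the identity we pin)."""
    return hashlib.sha256(pubkey).hexdigest()


@dataclass
class KeyRegistry:
    # Networks from which a never-seen node is trusted automatically (TOFU).
    trust_networks: list
    # node_id -> pinned fingerprint
    pinned: dict = field(default_factory=dict)
    # node_id -> fingerprint presented after a key change, awaiting a decision
    pending: dict = field(default_factory=dict)

    def accept(self, node_id: str, src_ip: str, pubkey: bytes) -> str:
        """Decide whether a connection from node_id presenting pubkey is accepted."""
        fp = fingerprint(pubkey)
        known = self.pinned.get(node_id)
        if known is None:
            # First contact: trust only if the source is in a trusted network.
            ip = ipaddress.ip_address(src_ip)
            if any(ip in net for net in self.trust_networks):
                self.pinned[node_id] = fp
                return "accepted-new"
            return "rejected-unknown"
        if known == fp:
            return "accepted"
        # Same node id, different key: never re-trust silently, even from a
        # trusted network. Record it so an operator can review and re-trust.
        self.pending[node_id] = fp
        return "rejected-key-changed"

    def retrust(self, node_id: str, fingerprint_checked_by_operator: str) -> bool:
        """Re-pin a changed key once an operator has confirmed its fingerprint
        out of band. Returns False if nothing is pending or it does not match."""
        pending_fp = self.pending.get(node_id)
        if pending_fp is None or pending_fp != fingerprint_checked_by_operator:
            return False
        self.pinned[node_id] = pending_fp
        del self.pending[node_id]
        return True


def demo() -> list:
    """Walk through the scenario from the thread with constructed data."""
    reg = KeyRegistry(trust_networks=[ipaddress.ip_network("192.0.2.0/24")])
    events = [
        reg.accept("node1", "192.0.2.10", b"KEY-A"),    # first contact: accepted-new
        reg.accept("node1", "192.0.2.10", b"KEY-A"),    # same key: accepted
        reg.accept("node1", "192.0.2.10", b"KEY-B"),    # key changed: rejected-key-changed
        reg.accept("node2", "198.51.100.5", b"KEY-C"),  # outside trusted nets: rejected-unknown
    ]
    # Operator verifies the new fingerprint out of band and re-trusts it.
    events.append(reg.retrust("node1", fingerprint(b"KEY-B")))  # True
    events.append(reg.accept("node1", "192.0.2.10", b"KEY-B"))  # accepted
    events.append(reg.accept("node1", "192.0.2.10", b"KEY-A"))  # old key: rejected-key-changed
    return events


if __name__ == "__main__":
    for e in demo():
        print(e)
```

The point of the model is the third call: with plain trustkeysfrom semantics a host from a trusted network is re-accepted after a key change, which is the behaviour the thread observed; pinning the fingerprint turns that into a refusal that an operator has to resolve explicitly.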
Updated by Nicolas CHARLES over 13 years ago
- Subject changed from Investigate why a server that changes its CFEngine key is still accepted to Change the acceptance system of server / node keys
Updated by Jonathan CLARKE over 13 years ago
- Target version changed from 17 to 10
Updated by Jonathan CLARKE about 13 years ago
- Target version changed from 10 to 18
Updated by François ARMAND about 13 years ago
- Target version changed from 18 to 24
Updated by Jonathan CLARKE over 12 years ago
- Target version changed from 24 to Ideas (not version specific)
Updated by Nicolas CHARLES almost 12 years ago
- Status changed from In progress to Discussion
This is clearly not in progress.
Updated by Nicolas CHARLES about 11 years ago
- Assignee deleted (Nicolas CHARLES)
Updated by Benoît PECCATTE over 9 years ago
- Category changed from 14 to Web - Config management
Updated by Matthieu CERDA over 9 years ago
- Subject changed from Change the acceptance system of server / node keys to Change the acceptation system of server / nodes
- Description updated (diff)
- Parent task set to #6363
- Reproduced set to No
Updated by François ARMAND over 9 years ago
Updated by Benoît PECCATTE about 8 years ago
- Status changed from Discussion to Rejected
This problem is not relevant anymore.
It is superseded by #6363. Now inventories are signed and there is a way to trust keys and to renew keys without losing this trust.