Encryption

Checksum alerts

2.4.1 Key Exchange

All the key exchange examples shown thus far have used scp to securely transfer the master server public key to the managed client and the managed client’s public key to the master server. This scheme provides the highest level of security but can be inconvenient in certain situations. Other key distribution alternatives include the following:

When connecting to a new client, cfrun has an interactive mode similar to ssh, where the administrator is prompted to accept the remote system’s key. For example:

cfrun(0): .......... [ Hailing remote-host.abc.xyz.com ] ..........

WARNING - You do not have a public key from host remote-host.abc.xyz.com = 192.10.25.12

Do you want to accept one on trust? (yes/no) -> yes

cfrun:master-server-name: Trusting server identity and willing to accept key from remote-host.abc.xyz.com=192.10.25.12

For large numbers of new clients, interactive mode can be inefficient. cfrun supports a -T option which tells cfengine to trust all new keys from the hosts listed in cfrun.hosts.

cfservd.conf supports a TrustKeysFrom control clause. For example:

control:

TrustKeysFrom = ( 128.39.89.76 )    # A trusted host
TrustKeysFrom = ( 128.39.89.76/24 ) # A trusted subnet

The enumerated host or subnet addresses will be implicitly trusted and their keys automatically accepted.

All of these key exchange alternatives should be used with extreme caution and only in a secure environment where both the LAN and the remote hosts are trusted. Once a public key is accepted, it will not be updated unless it is deleted by hand from the master server's /var/opt/dsau/cfengine/ppkeys directory, manually replaced with a new key, or the csync wizard is run to update it.

2.4.2 csync Network Port Usage

cfservd uses TCP port 5308 by default. You can instruct cfagent to connect to cfservd using a different port by specifying a port in the cfrun.hosts file. For example:

host1.abc.xyz.com      # Use standard port
host2.abc.xyz.com      # Use standard port
host3.abc.xyz.com:4444 # Use port 4444

Also, cfengine will honor a cfengine TCP port defined in /etc/services; if you change the port this way, the corresponding /etc/services entry must be changed on each system involved.
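As an added example (not code from the DSAU manual or from cfengine), the following Python parses the cfrun.hosts host[:port] syntax described above, applying the 5308 default, and enumerates the TrustKeysFrom entries of a cfservd.conf so an administrator can see how many addresses will have their keys accepted automatically. The sample file contents are constructed from the manual's own examples, and the regular expression for the clause layout is an assumption.

```python
import ipaddress
import re

DEFAULT_CFSERVD_PORT = 5308  # cfservd default TCP port, as the manual states

# Constructed sample cfrun.hosts using the host:port syntax from the manual.
SAMPLE_CFRUN_HOSTS = """\
host1.abc.xyz.com            # Use standard port
host2.abc.xyz.com            # Use standard port
host3.abc.xyz.com:4444       # Use port 4444
"""

# Constructed sample cfservd.conf control section with both TrustKeysFrom forms.
SAMPLE_CFSERVD_CONF = """\
control:
    TrustKeysFrom = ( 128.39.89.76 )    # A trusted host
    TrustKeysFrom = ( 128.39.89.76/24 ) # A trusted subnet
"""

# Assumed clause layout: TrustKeysFrom = ( entry [entry ...] )
TRUST_RE = re.compile(r"TrustKeysFrom\s*=\s*\(\s*([^)]*?)\s*\)")


def parse_cfrun_hosts(text, default_port=DEFAULT_CFSERVD_PORT):
    """Return [(host, port)] from cfrun.hosts text; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if sep and port.isdigit():
            entries.append((host, int(port)))      # explicit host:port
        else:
            entries.append((line, default_port))   # standard cfservd port
    return entries


def audit_trust_keys_from(text):
    """Return [(entry, addresses_trusted)] for every TrustKeysFrom entry.

    Each listed host or subnet gets its key accepted on first contact, so the
    address count is the size of the trust-on-first-use exposure."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        for match in TRUST_RE.finditer(line):
            for entry in match.group(1).split():
                net = ipaddress.ip_network(entry, strict=False)
                findings.append((entry, net.num_addresses))
    return findings
```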

2.4.3 Encryption

In general, file transfer traffic between the master server and a managed client is not encrypted. For many system-management configuration files this is acceptable; for certain files, an encrypted file transfer is desirable. The copy action in cfagent.conf has an "encrypt = true" option to encrypt the transfer of the specified file. For additional encryption options, refer to the cfengine reference manual located in /opt/dsau/doc/cfengine.

2.4 Security Notes