• Encryption
• Checksum alerts
2.4.1 Key Exchange
All the key exchange examples shown thus far have used scp to securely transfer the master server public key to the managed client and the managed client’s public key to the master server. This scheme provides the highest level of security but can be inconvenient in certain situations. Other key distribution alternatives include the following:
• When connecting to a new client, cfrun has an interactive mode similar to ssh, where the administrator is prompted to accept the remote system's key. For example:
cfrun(0): .......... [ Hailing
WARNING - You do not have a public key from host
Do you want to accept one on trust? (yes/no)
• For large numbers of new clients, interactive mode can be inefficient. cfrun supports a
• cfservd.conf supports a TrustKeysFrom control clause. For example:
control:
    TrustKeysFrom = ( 128.39.89.76 )    # A trusted host
    TrustKeysFrom = ( 128.39.89.76/24 ) # A trusted subnet
The enumerated host or subnet addresses will be implicitly trusted and their keys automatically accepted.
All of these key exchange alternatives should be used with extreme caution and only in a secure environment where the LAN is trusted and the remote hosts are trusted. Once a public key is accepted it will not be updated unless it is deleted by hand from the master server's /var/opt/dsau/cfengine/ppkeys directory, manually replaced with a new key, or the csync wizard is run to update it.
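Because every address listed in TrustKeysFrom has its key accepted without any manual check, a quick way to review that exposure is to extract the active clauses from cfservd.conf and count how many addresses each one implicitly trusts. The script below is an added example, not part of the manual or the DSAU tools; it parses a constructed cfservd.conf fragment with a simple regular expression and treats a /24 entry the way cfengine does, as the whole subnet.

```python
import ipaddress
import re

# Constructed sample of a cfservd.conf control section (not taken from the manual).
SAMPLE_CFSERVD_CONF = """\
control:
    domain = ( abc.xyz.com )
    TrustKeysFrom = ( 128.39.89.76 )      # A trusted host
    TrustKeysFrom = ( 128.39.89.76/24 )   # A trusted subnet
    # TrustKeysFrom = ( 10.0.0.0/8 )      # commented out, must be ignored
"""

# Matches "TrustKeysFrom = ( <one or more addresses> )" on a single line.
TRUST_RE = re.compile(r"^\s*TrustKeysFrom\s*=\s*\(\s*([^)]*?)\s*\)", re.IGNORECASE)


def parse_trust_keys_from(conf_text):
    """Return the address strings listed in every active TrustKeysFrom clause."""
    entries = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments and commented-out lines
        match = TRUST_RE.match(line)
        if match:
            entries.extend(match.group(1).split())
    return entries


def audit_trust_entries(entries):
    """Classify each entry as a single host or a subnet and count the trusted addresses."""
    findings = []
    for entry in entries:
        # strict=False so a host address with a prefix (128.39.89.76/24) is accepted.
        net = ipaddress.ip_network(entry, strict=False)
        findings.append({
            "entry": entry,
            "kind": "host" if net.num_addresses == 1 else "subnet",
            "addresses": net.num_addresses,
        })
    return findings


if __name__ == "__main__":
    for f in audit_trust_entries(parse_trust_keys_from(SAMPLE_CFSERVD_CONF)):
        print(f"{f['entry']:<20} {f['kind']:<7} trusts {f['addresses']} address(es)")
```

Any "subnet" finding is a clause whose keys are accepted on trust for every address in that range, which is the case the caution above is about.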
2.4.2 csync Network Port Usage
cfservd uses TCP port 5308 by default. You can instruct cfagent to connect to cfservd using a different port by specifying a port in the cfrun.hosts file. For example:
host1.abc.xyz.com       # Use standard port
host2.abc.xyz.com       # Use standard port
host3.abc.xyz.com:4444  # Use port 4444
Also, cfengine will honor a cfengine TCP port defined in /etc/services. There are corresponding changes in /etc/services.
2.4.3 Encryption
In general, file transfer traffic between the master server and a managed client is not encrypted. For many system-management-related configuration files this is acceptable. For certain files, an encrypted file transfer is desirable. The copy action in cfagent.conf has an "encrypt = true" option to encrypt the transfer of the specified file. For additional encryption options, refer to the cfengine reference manual located in /opt/dsau/doc/cfengine.
2.4 Security Notes | 37 |