Re: comment please: distributing config files over an insecure network
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: comment please: distributing config files over an insecure network
- From: "David S." <dgjs_(_at_)_acm_(_dot_)_org>
- Date: Sat, 3 Mar 2001 19:19:54 -0800
I think that the poster can do all of what he wants with 'cfengine'
(http://www.iu.hio.no/cfengine/). It's in the ports collection,
though not the most recent version, and there have been security
alerts on earlier versions. I don't have much experience with it
myself, but I know that the folks at the San Diego Supercomputing
Center have a very elaborate 'cfengine' set-up to control all of
their machines' configurations.
> -----Original Message-----
> From: owner-misc_(_at_)_openbsd_(_dot_)_org [mailto:owner-misc_(_at_)_openbsd_(_dot_)_org]On Behalf Of
> Andreas Schuldei
> Sent: Friday, March 02, 2001 4:53 AM
> To: misc
> Subject: comment please: distributing config files over an insecure
> I now have a network of vpn nodes which needs to be upgraded
> and/or modified from time to time.
> When new nodes are added/removed to/from the network, firewall
> rules, named.boot and isakmpd.config files change.
> On a regular basis the certificates are renewed on all machines.
> Now I want to do that 'automatically' from a central machine,
> which knows of the configuration of the nodes.
> Of course it would not be robust to distribute the new config and
> certificate over the vpn itself. Other distribution channels like
> scp or mail (gpg encrypted and signed) would be preferable.
> -> are there other good ways?
> Of these two mail is preferable since automatic ssh logins are
> more sensitive to bad network connections (packet loss) and
> would provide immediate access to the whole network.
> -> Is there a good way to deal with the 'empty' passphrases in both
> (ssh and gnupg) cases to use them in shellscripts?
> On the remote machines I need some event driven way to
> reinitialize services (reread config files). With sendmail that could
> be done by the smrsh. But I have reservations against sendmail's
> insecure design. (And I would prefer to install as little
> additional packages like postfix etc as possible for manageability.)
> smtpd and friends would be a good alternative (yes the firewalls
> should be mail gateways, too) if I found a way to catch the mail
> with the encrypted configuration data, which is directed to the
> firewall machine and not to the private network behind it.
> -> is there such a way to catch these mails in an event driven
> If I had to use ssh as a way to distribute the configuration,
> -> what good way would there be to trigger the reinitialisation of
> services? can the sshd trigger events on end of connection?
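Whichever channel carries the bundle (scp, mail, or a cfengine pull), the part that matters on the receiving node is the same: authenticate the bundle before parsing it, refuse stale or replayed copies, install the file atomically so a dropped connection never leaves a half-written config behind, and only then fire the reload hook. The following is an added illustration of that receive-side step, not code from either poster or from cfengine. It assumes an HMAC-SHA256 tag over a canonical JSON body with a pre-shared key as a stand-in for the gpg signature the original post mentions; the key, the file names in `ALLOWED_TARGETS`, the reload actions, and the bundle contents are all constructed placeholders.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed placeholder key shared by the central machine and each node.
# In a real deployment an asymmetric signature (the gpg route from the
# original post) is preferable to a static secret embedded in a script.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"

# Files a node will accept, keyed by bare file name, mapped to the action
# that makes the service re-read its configuration. Both are placeholders.
ALLOWED_TARGETS = {
    "named.boot": "reload-named (placeholder)",
    "isakmpd.config": "reload-isakmpd (placeholder)",
    "firewall.rules": "reload-firewall (placeholder)",
}


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier tag identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_bundle(payload: dict, key: bytes) -> dict:
    """Central machine side: authenticate the bundle with an HMAC-SHA256 tag."""
    body = canonical(payload)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify_bundle(bundle: dict, key: bytes, last_seq: int) -> dict:
    """Node side: check the tag before parsing the body, then reject replays."""
    body = bundle["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison; the body is never parsed until the tag passes.
    if not hmac.compare_digest(expected, bundle["tag"]):
        raise ValueError("authentication failed")
    payload = json.loads(body)
    # A genuine but older bundle must not silently roll configuration back.
    if payload["seq"] <= last_seq:
        raise ValueError("replayed or stale bundle seq=%d" % payload["seq"])
    # The target name is an allow-listed bare file name, never a path.
    if payload["name"] not in ALLOWED_TARGETS:
        raise ValueError("unexpected target %r" % payload["name"])
    return payload


def install_config(payload: dict, conf_dir: str) -> str:
    """Write to a temp file in the same directory, fsync, then rename so the
    target is either the old file or the complete new one, never partial."""
    target = os.path.join(conf_dir, payload["name"])
    fd, tmp = tempfile.mkstemp(dir=conf_dir, prefix=".incoming-")
    with os.fdopen(fd, "w") as f:
        f.write(payload["content"])
        f.flush()
        os.fsync(f.fileno())
    os.chmod(tmp, 0o600)
    os.replace(tmp, target)
    return target


def apply_bundle(bundle: dict, key: bytes, conf_dir: str, last_seq: int):
    """Verify, install, and return (installed path, reload action, new seq)."""
    payload = verify_bundle(bundle, key, last_seq)
    path = install_config(payload, conf_dir)
    return path, ALLOWED_TARGETS[payload["name"]], payload["seq"]


def demo() -> dict:
    """Happy path plus three failure modes, run in a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as conf_dir:
        good = sign_bundle(
            {"seq": 7, "name": "named.boot", "content": "; constructed\n"}, SHARED_KEY)
        path, action, seq = apply_bundle(good, SHARED_KEY, conf_dir, last_seq=6)
        with open(path) as f:
            results["installed"] = f.read()
        results["action"] = action
        results["seq"] = seq
        # Re-delivery of the same genuine bundle is refused.
        try:
            apply_bundle(good, SHARED_KEY, conf_dir, last_seq=seq)
            results["replay"] = "accepted"
        except ValueError:
            results["replay"] = "rejected"
        # A body altered in transit fails the tag check.
        tampered = dict(good, body=good["body"].replace("constructed", "altered"))
        try:
            apply_bundle(tampered, SHARED_KEY, conf_dir, last_seq=0)
            results["tamper"] = "accepted"
        except ValueError:
            results["tamper"] = "rejected"
        # A correctly signed bundle aimed outside the allow-list is refused.
        escape = sign_bundle({"seq": 8, "name": "../other.conf", "content": "x"}, SHARED_KEY)
        try:
            apply_bundle(escape, SHARED_KEY, conf_dir, last_seq=0)
            results["escape"] = "accepted"
        except ValueError:
            results["escape"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The sequence number answers the robustness worry in the original post: a bundle that arrives late over a flaky link, or is deliberately re-sent, cannot undo a newer configuration even though its tag is valid. Keeping `last_seq` per target in persistent state on the node is the one piece this sketch leaves to the caller.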