
Re: comment please: distributing config files over an insecure network



I think that the poster can do all of what he wants with 'cfengine'
(http://www.iu.hio.no/cfengine/).  It's in the ports collection, 
though not the most recent version, and there have been security
alerts on earlier versions.  I don't have much experience with it
myself, but I know that the folks at the San Diego Supercomputing
Center have a very elaborate 'cfengine' set-up to control all of
their machines' configurations.

David S.

> 
> -----Original Message-----
> From: owner-misc_(_at_)_openbsd_(_dot_)_org [mailto:owner-misc_(_at_)_openbsd_(_dot_)_org]On Behalf Of
> Andreas Schuldei
> Sent: Friday, March 02, 2001 4:53 AM
> To: misc
> Subject: comment please: distributing config files over an insecure
> network
> 
> 
> 
> I now have a network of vpn nodes which needs to be upgraded
> and/or modified from time to time.
> 
> When new nodes are added/removed to/from the network, firewall
> rules, named.boot and isakmpd.config files change.
> 
> On a regular basis the certificates are renewed on all machines.
> 
> Now I want to do that 'automatically' from a central machine,
> which knows of the configuration of the nodes.
> 
> Of course it would not be robust to distribute the new config and
> certificate over the vpn itself. Other distribution channels like
> scp or mail (gpg encrypted and signed) would be preferable.
> 
> -> are there other good ways?
> 
> Of these two mail is preferable since automatic ssh logins are
> more sensitive to bad network connections (packet loss) and
> would provide immediate access to the whole network.
> 
> -> Is there a good way to deal with the 'empty' passphrases in both
> (ssh and gnupg) cases to use them in shell scripts?
> 
> On the remote machines I need some event driven way to
> reinitialize services (reread config files). With sendmail that could
> be done by the smrsh. But I have reservations against sendmail's
> insecure design. (And I would prefer to install as few
> additional packages like postfix etc as possible for manageability.)
> 
> smtpd and friends would be a good alternative (yes the firewalls
> should be mail gateways, too) if I found a way to catch the mail
> with the encrypted configuration data, which is directed to the
> firewall machine and not to the private network behind it.
> 
> -> is there such a way to catch these mails in an event driven
> way?
> 
> 
> If I had to use ssh as a way to distribute the configuration,
> 
> -> what good way would there be to trigger the reinitialisation of
>    services? can the sshd trigger events on end of connection?
> 
> 
> 
>
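As an added example (not from this thread), here is one shape the receiving side of a "signed config" push could take: the central machine authenticates a manifest, the node refuses stale serials so an old bundle (say, carrying already-replaced certificates) cannot be replayed, installs each file atomically, and reports which services must reread their configuration. An HMAC with a constructed shared key stands in for the gpg signature the thread proposes so that the script runs with only the standard library; the file names and the file-to-service mapping are hypothetical.

```python
import base64, hashlib, hmac, json, os, tempfile

# Constructed demo key, provisioned out of band in a real deployment. The thread
# proposes gpg signatures for this role; an HMAC is used here only so the example
# runs with the standard library. The key never travels inside a bundle.
NODE_KEY = b"constructed-demo-key-do-not-reuse"

# Hypothetical mapping from an installed file to the service that must reread it.
RELOAD_ACTIONS = {"named.boot": "reload-named", "isakmpd.conf": "reload-isakmpd",
                  "firewall.rules": "reload-firewall"}

def build_bundle(key, serial, files):
    """Central machine: wrap {name: bytes} in a manifest and authenticate it."""
    manifest = json.dumps({"serial": serial, "files": {
        name: base64.b64encode(data).decode() for name, data in files.items()}},
        sort_keys=True).encode()
    mac = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest.decode(), "mac": mac}).encode()

def install_bundle(bundle, key, root, last_serial):
    """Node: verify, refuse replays, install atomically, report needed reloads.

    Returns (serial, [reload actions]); raises ValueError on any rejection.
    The caller persists the returned serial so a re-sent old bundle cannot
    roll the node back to superseded rules or certificates."""
    outer = json.loads(bundle)
    manifest = outer["manifest"].encode()
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["mac"]):   # authenticate first
        raise ValueError("bad MAC: bundle rejected")
    data = json.loads(manifest)                            # only now trust it
    if data["serial"] <= last_serial:                      # replay / rollback
        raise ValueError("stale serial %d <= %d" % (data["serial"], last_serial))
    actions = []
    for name, b64 in data["files"].items():
        if not name or name in (".", "..") or os.path.basename(name) != name:
            raise ValueError("bad file name %r" % name)   # no directory escape
        content, target = base64.b64decode(b64), os.path.join(root, name)
        if os.path.isfile(target):
            with open(target, "rb") as fh:
                if fh.read() == content:                   # unchanged: no reload
                    continue
        fd, tmp = tempfile.mkstemp(dir=root)               # write, then rename
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
        os.replace(tmp, target)                            # atomic replacement
        if name in RELOAD_ACTIONS:
            actions.append(RELOAD_ACTIONS[name])
    return data["serial"], actions
```

The caller runs the returned reload actions only after install_bundle succeeds, so a rejected bundle touches neither files nor services.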