4 security notes, 1 key exchange, 2 csync network port usage – HP Linux Server Management Software User Manual
Page 40: 1 key exchange 2.4.2 csync network port usage
synchronization. For details on using cfexecd in daemon-mode, refer to the cfengine tutorial
located in /opt/dsau/doc/cfengine/.
2.4 Security Notes
cfengine has many security features that range from parameters that control denial-of-service
attacks to access control lists that prevent managed clients from accessing reference file directories
on the server. For details on cfengine security features, refer to the reference manual located in
/opt/dsau/doc/cfengine/
. The security topics discussed below include:
•
Key exchange
•
Network port usage
•
Encryption
•
Checksum alerts
2.4.1 Key Exchange
All the key exchange examples shown thus far have used scp to securely transfer the master
server public key to the managed client and the managed client’s public key to the master server.
This scheme provides the highest level of security but can be inconvenient in certain situations.
Other key distribution alternatives include the following:
•
When connecting to a new client, cfrun has an interactive mode similar to ssh, where the
administrator is prompted to accept the remote system’s key. For example:
cfrun(0): .......... [ Hailing remote-host.abc.xyz.com ] ..........
WARNING - You do not have a public key from host remote-host.abc.xyz.com =
192.10.25.12
Do you want to accept one on trust? (yes/no)
-> yes
cfrun:
from remote-host.abc.xyz.com=192.10.25.12
•
For large numbers of new clients, interactive mode can be inefficient. cfrun supports a -T
option which tells cfengine to trust all new keys from the hosts listed in cfrun.hosts.
•
cfservd.conf
supports a TrustKeysFrom control clause. For example:
control:
TrustKeysFrom = ( 128.39.89.76 ) # A trusted host
TrustKeysFrom = ( 128.39.89.76/24 ) # A trusted subnet
The enumerated host or subnet addresses will be implicitly trusted and their keys
automatically accepted.
All of these key exchange alternatives should be used with extreme caution and only in a secure
environment where the LAN is trusted and the remote hosts are trusted. Once a public key is
accepted it will not be updated unless it is deleted by hand from the master server’s /var/opt/
dsau/cfengine/ppkeys
directory, manually replaced with a new key, or the csync wizard is
run to update it.
2.4.2 csync Network Port Usage
cfservd
uses TCP port 5308 by default. You can instruct cfagent to connect to cfservd using
a different port by specifying a port in the cfrun.hosts file. For example:
host1.abc.xyz.com # Use standard port
host2.abc.xyz.com # Use standard port
host3.abc.xyz.com:4444 # Use port 4444
Also, cfengine will honor a cfengine tcp port defined in /etc/services. There are corresponding
changes in /etc/services.
40
Configuration Synchronization