4 security notes, 1 key exchange, 2 csync network port usage – HP Linux Server Management Software User Manual


synchronization. For details on using cfexecd in daemon-mode, refer to the cfengine tutorial
located in /opt/dsau/doc/cfengine/.

2.4 Security Notes

cfengine has many security features that range from parameters that control denial-of-service
attacks to access control lists that prevent managed clients from accessing reference file directories
on the server. For details on cfengine security features, refer to the reference manual located in
/opt/dsau/doc/cfengine/. The security topics discussed below include:

Key exchange

Network port usage

Encryption

Checksum alerts

2.4.1 Key Exchange

All the key exchange examples shown thus far have used scp to securely transfer the master
server public key to the managed client and the managed client’s public key to the master server.
This scheme provides the highest level of security but can be inconvenient in certain situations.
Other key distribution alternatives include the following:

When connecting to a new client, cfrun has an interactive mode similar to ssh, where the
administrator is prompted to accept the remote system’s key. For example:

cfrun(0): .......... [ Hailing remote-host.abc.xyz.com ] ..........
WARNING - You do not have a public key from host remote-host.abc.xyz.com =
192.10.25.12
Do you want to accept one on trust? (yes/no)
-> yes
cfrun:<master server name>: Trusting server identity and willing to accept key
from remote-host.abc.xyz.com=192.10.25.12

For large numbers of new clients, interactive mode can be inefficient. cfrun supports a -T
option which tells cfengine to trust all new keys from the hosts listed in cfrun.hosts.

cfservd.conf supports a TrustKeysFrom control clause. For example:

control:
TrustKeysFrom = ( 128.39.89.76 ) # A trusted host
TrustKeysFrom = ( 128.39.89.76/24 ) # A trusted subnet

The enumerated host or subnet addresses will be implicitly trusted and their keys
automatically accepted.

All of these key exchange alternatives should be used with extreme caution and only in a secure
environment where the LAN is trusted and the remote hosts are trusted. Once a public key is
accepted it will not be updated unless it is deleted by hand from the master server’s
/var/opt/dsau/cfengine/ppkeys directory, manually replaced with a new key, or the csync wizard is
run to update it.
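
An added example (not part of the HP manual or of cfengine itself): a small audit that reads the text of a cfservd.conf and reports every TrustKeysFrom entry that automatically accepts keys from more than one address. The sample configuration is constructed, and the parser assumes entries are IP addresses or CIDR ranges, possibly several per clause, with # starting a comment.

```python
import ipaddress
import re

# Constructed sample input (not taken from a real system); it mirrors the
# TrustKeysFrom clause shown in the manual.
SAMPLE_CONF = """\
control:
   TrustKeysFrom = ( 128.39.89.76 )      # A trusted host
   TrustKeysFrom = ( 128.39.89.76/24 )   # A trusted subnet
   # TrustKeysFrom = ( 10.0.0.0/8 )      commented out, must be ignored
"""

CLAUSE = re.compile(r"^\s*TrustKeysFrom\s*=\s*\(([^)]*)\)")


def trusted_networks(conf_text):
    """Return (line_number, network) for every TrustKeysFrom entry."""
    found = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        line = line.split("#", 1)[0]  # drop comments before matching
        match = CLAUSE.match(line)
        if not match:
            continue
        # Assumption: several addresses may be listed inside one ( ... ).
        for token in match.group(1).split():
            # strict=False accepts host bits, e.g. 128.39.89.76/24
            found.append((lineno, ipaddress.ip_network(token, strict=False)))
    return found


def audit(conf_text, max_addresses=1):
    """Flag entries that implicitly trust more than max_addresses hosts."""
    findings = []
    for lineno, net in trusted_networks(conf_text):
        if net.num_addresses > max_addresses:
            findings.append((lineno, str(net), net.num_addresses))
    return findings


if __name__ == "__main__":
    for lineno, net, count in audit(SAMPLE_CONF):
        print(f"line {lineno}: {net} auto-accepts keys from {count} addresses")
```

Each flagged line is a range from which any host's key is accepted without review, so it is worth comparing against the keys actually present in the ppkeys directory.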

2.4.2 csync Network Port Usage

cfservd uses TCP port 5308 by default. You can instruct cfagent to connect to cfservd using
a different port by specifying a port in the cfrun.hosts file. For example:

host1.abc.xyz.com # Use standard port
host2.abc.xyz.com # Use standard port
host3.abc.xyz.com:4444 # Use port 4444

Also, cfengine will honor a cfengine tcp port defined in /etc/services. There are corresponding
changes in /etc/services.
