Uploaded image for project: 'CFEngine Community'
  1. CFEngine Community
  2. CFE-1594

cf-agent running as user messes up trust when connecting from hub to agent



    • Type: Bug
    • Status: Open
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: cf-key
    • Labels:


      There should be no problem to have CFEngine installed and run by different users on the client side.

      Unfortunately today there are some architectural issues regarding trust. In particular, when user's cf-agent (lets assume user @jimis@) connects to the hub to bootstrap, it starts trusting Hub's key, and it stores it like:
      The reason is that the one initiating the connection has no clue about what user is on the other side.

      Later on, lets assume that the policy hub connects to the user's agent to fetch some files or fetch reports. The client-side is now the server, and accepts a connection from somebody who declares himself as "root" (assuming that the policy server always runs as root). The result is that client refuses the connection because of trust failure because it searches to find the following inexistant key:

      This is an architectural issue, and is closely related to CFEngine's tying hosts key identity, to a username. I've expressed many times the opinion that host key has nothing to do with username, and should be decoupled from it.

      Workaround is to keep ACL open in all hosts until the first connection happens from the hub, so that the "root" key is automatically trusted like that. A bit dangerous but works.




            • Assignee:
              a10038 jimis (Dimitrios Apostolou)
              a10038 jimis (Dimitrios Apostolou)
            • Votes:
              0 Vote for this issue
              1 Start watching this issue


              • Created:

                Summary Panel