www.delorie.com/gnu/docs/cfengine/cfengine-Reference_128.html   search  
Buy GNU books!

GNU cfengine

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

4.1.4 AllowUsers

This list determines which users are to be allowed to connect to the daemon. Note that there is no way of identifying users except by their public keys. If a malicious asserts their identity, when no public key for the named user is known to the server, then they could spoof the identity of that user. All users who should be allowed to connect need to be here. This applies to use of cfrun.

AllowUsers = ( mark root )

In other words, this is a "security by obscurity" first defence against picking up bad keys, when the server is in trust mode, with respect to a host. The attacker must know a valid user name in order to even try their luck entering into a key dialogue.

This reduces the probability that spoofing can be successful. The only real defence against spoofing is to make sure that all required public keys are installed in advance, and to switch off trust.

  webmaster     delorie software   privacy  
  Copyright 2003   by The Free Software Foundation     Updated Jun 2003