author: Sol Jerome <solj@ices.utexas.edu> 2010-01-24 18:47:00 +0000
committer: Sol Jerome <solj@ices.utexas.edu> 2010-01-24 18:47:00 +0000
commit: 7c6c1e10f3cc62acc919123d0067a8a9720aeffa
tree: a6f6cb0cc17d41e6ccbc27c2e9f986df2e37c67d /doc/client/agent.txt
parent: e3bd887d601dad1be9352768206cbb45a91a8cc7
doc: Add a lot more unsorted stuff from the wiki
Signed-off-by: Sol Jerome <solj@ices.utexas.edu>
git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@5703 ce84e21b-d406-0410-9b95-82705330c041
Diffstat (limited to 'doc/client/agent.txt')
-rw-r--r-- doc/client/agent.txt 39
1 files changed, 39 insertions, 0 deletions
diff --git a/doc/client/agent.txt b/doc/client/agent.txt
new file mode 100644
index 000000000..1a3b4b2eb
--- /dev/null
+++ b/doc/client/agent.txt
@@ -0,0 +1,39 @@
+.. -*- mode: rst -*-
+
+.. _client-agent:
+
+=============================
+Agent Functionality using SSH
+=============================
+
+The Bcfg2 agent code provides the ability to trigger a client update from the server using a secure mechanism that is restricted to running the bcfg2 client with the options the agent was started with. This same capability is provided by SSH keypairs, if properly configured. Setup is pretty easy:
+
+#. Create an ssh keypair that is to be used solely for triggering bcfg2 client runs. This key may or may not have a password associated with it; a keyphrase will make things more secure, but will require a person to enter the key passphrase, so it will not be usable automatically.::
+
+ $ ssh-keygen -t dsa -b 1024 -f /path/to/key -N ""
+ Generating public/private dsa key pair.
+ Your identification has been saved in /path/to/key.
+ Your public key has been saved in /path/to/key.pub.
+ The key fingerprint is:
+ aa:25:9b:a7:10:60:f3:eb:2b:ae:4b:1a:42:1b:63:5d desai@ubik
+
+#. Add this this public key to root's authorized_keys file, with several commands prepended to it::
+
+ command="/usr/sbin/bcfg2 -q <other options>",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,from="<bcfg2-server ipaddr>" <pub key>
+
+ This key is now only useful to call the bcfg2 client, from the bcfg2-server's ip address. If PermitRootLogin was set to no in sshd_config, you will need to set it to forced-commands-only. Adding a & to the end of the command will cause the command to immediately return.
+
+#. Now, to cause a client to reconfigure, call::
+
+ $ ssh -i /path/to/key root@client /usr/sbin/bcfg2
+
+ Note that you will not be able to alter the command line options from the ones specified in authorized_keys in any way. Also, it is not needed that the invocation of bcfg2 in the ssh command match. The following will have the same result.::
+
+ $ ssh -i /path/to/key root@client /bin/true
+
+ If a passphrase was used to create the keypair, then it will need to be entered here.
+
+See Also
+========
+
+`SSH "triggers" <http://blog.ganneff.de/blog/2007/12/29/ssh-triggers.html>`_ (from Ganneff's Little Blog)
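Review bot: The keygen example in step 1 generates a 1024-bit DSA key with an empty passphrase (`ssh-keygen -t dsa -b 1024 -f /path/to/key -N ""`), and step 2 then installs that key in root's authorized_keys, so the documented default is the weakest part of the setup. Suggest showing a stronger key type, for example `-t rsa` with a larger `-b` value, and adding a sentence that the unencrypted private key file must be readable only by the account on the server that triggers client runs. In step 2, "with several commands prepended" is inaccurate: only `command=` is a command, while `no-port-forwarding`, `no-X11-forwarding`, `no-pty`, `no-agent-forwarding` and `from=` are restrictions, so "options" would read better. Smaller points: "this this" in step 2 is a doubled word, and step 1 uses "password", "keyphrase" and "passphrase" for the same thing; pick "passphrase" throughout to match the last paragraph.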