[Fusioninventory-devel] Dropping the authentication token
Guillaume Rousse
guillomovitch at gmail.com
Fri Mar 1 12:57:22 UTC 2013
On 01/03/2013 10:46, Tomás Abad wrote:
> How does the agent know whether it must answer a request? I suppose
> that the agent would just answer (or will answer) requests whose
> origin is a server machine included in the 'server' option of the
> agent. I would like to confirm this fact.
Hello Tabad.
Just some clarification: I'm only talking of server 'run now!' requests
to the agent, used to force the agent to immediately reschedule its
execution, and not of server 'do task X and task Y' answers to agent
'what shall I do?' requests, which are always executed.
Those requests are currently honoured if they match either of these two
criteria:
- they come from a trusted address (the ones you explicitly pass
  with the --http-trust parameter), mainly used to control agent execution
  from the local host (the 'run now' link on the agent web interface)
- they contain a shared secret, the famous token, which is an 8-character
  string generated by the agent and exchanged with the
  servers during the server-agent dialog.
So technically, as long as the initial exchange has not concluded (between
30 min and 1 hour by default), or if the token was changed by another
server since the last communication with the agent, such a request from a
server won't be honoured.
Hence my proposal to only use the address as the trust model, for the sake
of simplicity and efficiency.
--
BOFH excuse #358:
struck by the Good Times virus
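
Added example, not part of the original message and not FusionInventory code: a small Python model of the two acceptance criteria described above, the stale-token case, and the address-only proposal. The class and method names, the address/CIDR trust-list format, and the rule that every dialog replaces the token are assumptions.

```python
import hmac
import ipaddress
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


class AgentModel:
    """Toy model of the 'run now' decision; not FusionInventory code."""

    def __init__(self, trusted):
        # Assumption: trusted entries are addresses or CIDR ranges.
        self.trusted = [ipaddress.ip_network(t, strict=False) for t in trusted]
        self.token = None  # no shared secret before the first dialog

    def dialog(self):
        """Server-agent dialog: the agent hands out a fresh 8-character token.

        Assumption: each dialog replaces the previous token, which is how
        another server can invalidate the one a first server holds.
        """
        self.token = "".join(secrets.choice(ALPHABET) for _ in range(8))
        return self.token

    def authorize_now(self, source_ip, token=None):
        """Return the criterion that matched, or None if the request is refused."""
        addr = ipaddress.ip_address(source_ip)
        if any(addr in net for net in self.trusted):
            return "trusted-address"
        if self.token and token:
            # Constant-time comparison on bytes (also accepts non-ASCII input).
            if hmac.compare_digest(self.token.encode(), token.encode()):
                return "token"
        return None


def scenario():
    """Constructed walk-through using documentation addresses (192.0.2.0/24)."""
    agent = AgentModel(trusted=["127.0.0.1"])
    out = {"local": agent.authorize_now("127.0.0.1")}
    out["before_dialog"] = agent.authorize_now("192.0.2.10", "guessed8")
    token_a = agent.dialog()                      # server A talks to the agent
    out["server_a"] = agent.authorize_now("192.0.2.10", token_a)
    agent.dialog()                                # server B talks to the agent
    out["server_a_stale"] = agent.authorize_now("192.0.2.10", token_a)
    # Address-only model: the server is listed as trusted, no token needed.
    addr_only = AgentModel(trusted=["127.0.0.1", "192.0.2.10"])
    out["address_only"] = addr_only.authorize_now("192.0.2.10")
    return out
```

With the address-only model the decision rests entirely on the source address the agent sees, so the trust list should be kept as narrow as the deployment allows.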