Fwd: Use glpi-project plugin to manage tinc keys...

Rob Townley rob.townley at gmail.com
Thu Apr 22 00:16:47 CEST 2010


Comments at bottom:

--------- Forwarded message ----------
From: Guus Sliepen <guus at tinc-vpn.org>
Date: Wed, Apr 21, 2010 at 2:17 PM
Subject: Re: Use glpi-project plugin to manage tinc keys...
To: tinc at tinc-vpn.org


On Wed, Apr 21, 2010 at 08:12:49AM -0500, Rob Townley wrote:

> Anyone found a way to use glpi-project.org, ocsinventory-ng.org, or
> FusionInventory.org to manage tinc keys?

I hope you mean only the public keys? I have not heard about these projects
before today.

> These LinMacWin projects are used to manage an enterprise of machines. So
> all the machine info is already there and a plugin or API call could be used
> to handle tinc specifics. GLPI can store files pertaining to a particular
> machine. The drawback would be that tinc would have to be modified to look up
> keys from glpi. Alternatively, use an ocs tinc installation package to pull
> down keys for a particular group and push a key back to the repository upon
> creation by tinc.

Someone who works with such projects would have to write such an installer.
Alternatively, have a look at ChaosVPN, which is a wrapper around tinc which
pulls keys and config files from a central repository:

https://wiki.hamburg.ccc.de/index.php/ChaosVPN

--
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at tinc-vpn.org>


_______________________________________________
tinc mailing list
tinc at tinc-vpn.org
http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc


Yes, Guus, private keys should never leave a machine. This would be a
repository for public keys, dynamic port numbers and dynamic
addresses. Network grouping is sorta already done. The specific
architecture mode could be kept in this inventory as well, but the 3
main management items are the public key, dynamic port number, and
dynamic IP address. Key management being the priority.

I had not heard of ChaosVPN. I will look at that right now. I would
think the dynamic DNS route would still be the ideal way, but other
ways may not need any development.

One use for ocsinventory-ng / fusion / glpi would be to have a fleet
of disparate machines scattered across the internet that you maintain
for your family or business. tinc would provide a way to push
packages to its virtual IPs in a more secure manner. Nobody has to
log in to a VPN. AV monitoring. Patch revision for Adobe Flash and
Adobe Reader ....
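
Added example, not part of the original thread and not code from tinc, GLPI, OCS Inventory or ChaosVPN: a pre-publication check that an inventory plugin could run on a tinc host file before storing it, so that only the public key, port and address named above reach the repository. The function name, the record layout and the sample host file are assumptions made for this illustration, and settings are assumed to use the "Name = value" form.

```python
import base64
import hashlib
import re

# Any PEM private-key header (RSA, EC, PKCS#8, ...) blocks publication.
PRIVATE_MARKER = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
PUBKEY_BLOCK = re.compile(
    r"-----BEGIN RSA PUBLIC KEY-----\s*(.+?)\s*-----END RSA PUBLIC KEY-----",
    re.DOTALL,
)
SETTING = re.compile(r"^(\w+)\s*=\s*(.+)$")  # assumes the "Name = value" form

def inventory_record(node, host_file_text):
    """Return the publishable fields for one node, or raise ValueError."""
    if PRIVATE_MARKER.search(host_file_text):
        raise ValueError(f"{node}: private key material present, not publishing")
    block = PUBKEY_BLOCK.search(host_file_text)
    if block is None:
        raise ValueError(f"{node}: no RSA public key block found")
    # Fingerprint the decoded key so whitespace changes do not alter it.
    key_bytes = base64.b64decode("".join(block.group(1).split()), validate=True)
    settings = {}
    for line in PUBKEY_BLOCK.sub("", host_file_text).splitlines():
        line = line.strip()
        found = SETTING.match(line)
        if found and not line.startswith("#"):
            settings.setdefault(found.group(1).lower(), found.group(2))
    return {
        "node": node,
        "address": settings.get("address"),
        "port": int(settings.get("port", 655)),  # 655 is tinc's default port
        "key_sha256": hashlib.sha256(key_bytes).hexdigest(),
    }

# Constructed sample input: placeholder bytes, not a real RSA key.
SAMPLE_KEY_BYTES = b"constructed placeholder, not a real RSA public key"
SAMPLE_HOST = (
    "# constructed host file for node 'alpha'\n"
    "Address = 198.51.100.7\n"
    "Port = 6550\n"
    "-----BEGIN RSA PUBLIC KEY-----\n"
    + base64.b64encode(SAMPLE_KEY_BYTES).decode()
    + "\n-----END RSA PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    print(inventory_record("alpha", SAMPLE_HOST))
```

The stored fingerprint lets each node compare the key it pulls from the repository against a value obtained out of band before trusting it.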