tinc - Sep 2018 - keeping someone out / daemon keys

Is it possible for daemonA and daemonB to communicate without having
exchanged public keys?

If daemonA and daemonB have exchanged keys, and daemonA and daemonC
have exchanged keys, can daemonA and daemonC communicate with each
other?

To ask it another way, how do I prevent an unauthorized daemon from
joining the VPN?

On Fri, Aug 31, 2018 at 6:17 PM, Corey Boyle <coreybrett at gmail.com>
wrote:
> Is it possible for daemonA and daemonB to communicate without having
> exchanged public keys?
If only A and B are nodes, then I believe the answer is no.
> If daemonA and daemonB have exchanged keys, and daemonA and daemonC
> have exchanged keys, can daemonA and daemonC communicate with each
> other?
I take it you mean to ask if B and C can communicate.

Yes.  Any single trusted node can add any number of additional trusted
nodes to the network.  Any single node can introduce a new node, and
all nodes will trust the new node.

There are some experimental settings that might reduce the level of
trust somewhat.  I am aware that these experimental features exist,
but I am unfamiliar with the specifics.
> To ask it another way, how do I prevent an unauthorized daemon from
> joining the VPN?
Trust all your nodes.  Don't let any single node become compromised.

Cheers,

Parke

Interesting!

So if I have 5 nodes; A B C D E F...

I can just configure each node with A's public key (and A with
theirs), and that will allow all of them to communicate directly?