Installation: Control Machine Requirements, retrieved May 12, 2015. Can manage any machine with Python 2.4 or later and sshd. Control machine can be any non-Windows machine with Python 2.6 or 2.7 installed. This includes Red Hat, Debian, CentOS, OS X, any of the BSDs, and so on.
Improved security, which would include an encrypted, mutually authenticated, peer-to-peer message bus, is tracked here: "#39 (Implement TCP mesh) - ISconf - Trac". Archived from the original on 2012-07-16. Retrieved 2007-04-17.
"Client to server authentication and vice versa: on one hand, this allows to enforce access policies to sensitive data according to the client "name", on the other hand, clients are guaranteed to talk to the original server." - from Quattor Installation and User Guide: Version 1.1.x. Archived 2013-04-06 at the Wayback Machine, page 70.
LCFG does not provide its own transport mechanism; it relies on an external program, most often Apache. With Apache it should be possible to do mutual authentication in several ways. However, the documentation at The Complete Guide to LCFG, Section 9.4: Authorization and Security, shows access control based on IP address ranges, implying that the client does not authenticate itself to the server via an SSL certificate. It also does not mention whether the LCFG client checks the validity of the server's SSL certificate (such as via a per-site fingerprint distributed with the client, or a chain of trust to an accredited CA). It mentions that there can be a per-client password in the profile, but also states that "The contents of the LCFG profile should be considered public".
LCFG supports encrypted communications channels (SSL via Apache); however, the documentation at The Complete Guide to LCFG, Section 9.4: Authorization and Security, states that "The contents of the LCFG profile should be considered public".
Robert Osterlund (2014-01-04). "PIKT Licensing". Pikt.org. Retrieved 2014-02-10.
PIKT uses shared secret keys for mutual authentication. "As an option, you can use secret key authentication to prove the master's identity to the slave. [...] If one managed to crack any system in the PIKT domain, one would have access to all common secrets. To solve this problem, you may use per-slave uid, gid, and private_key settings." - from Security Considerations.
"For file installs, file fetches (to diff against the central configuration), and command executions, you can optionally encrypt all such data traffic between master and slave." - from Security Considerations.
Salt is an open source tool to manage your infrastructure. Easy enough to get running in minutes and fast enough to manage tens of thousands of servers.
There is a feature request for a Secure TCP/IP Connection Provider, and one of the developers stated on 2007-04-05 that "You will need to download the source code for OpenSSL and point the build files at it. Other than that, it should just work.", so it looks like there may be working encryption if you build from scratch instead of using the prebuilt binaries. It is unclear what authentication, if any, building against OpenSSL would give STAF.