hung cfservd

[Wipf, Stefan]

We observed that when cfengine connects to cfservd to
copy files using an old or incorrect public key for the
cfservd server, cfservd freezes and all further cfengine
processes connecting to this cfservd instance hang
indefinitely even if they use the correct public key.

has anybody come across this before?

platform: solaris 2.6

cfservd.conf:
  control:  
       domain                = ( htc.com )
       AllowConnectionsFrom  = ( 139.172.0.0/16 )
       AllowUsers            = ( root )

  admit:
      /some_directory   *.htc.com

output from cfagent (on macbeth) using an old public key:
 BAD: Host authentication failed. Did you forget the domain name?
 Authentication dialogue with neutron.htc.com failed
 Unable to establish connection with neutron.htc.com

from cfservd --debug:
 ...
 Canonical name matched host's assertion - id confirmed as
macbeth.htc.com
 Checking address number 0 for non-canonical names (aliases)
 Reverse lookup succeeded
 Host ID is macbeth.htc.com
 User ID seems to be root
 RecvSocketStream(8)
    (Concatenated 8 from stream)
 Transaction Receive [t 280][]
 RecvSocketStream(280)
    (Concatenated 280 from stream)
 Received: [SAUTH y 256 37] on socket 6
 Challenge encryption = y, nonce = 37, buf = 256
 neutron.htc.com: Private decrypt failed = block type is not 02
 neutron.htc.com: Host authorization/authentication failed or access
denied
 Transaction Send[t 64][Packed text]
 SendSocketStream, sent 72
 neutron.htc.com: From (host=macbeth.htc.com,user=root,ip=139.172.44.10)
 Terminating thread...
 ***Closing socket 6 from 139.172.44.10
 Deleted item 139.172.44.10
# here comes the next client
 IPV4 address
 sockaddr_ntop(139.172.44.3)
 Obtained IP address of 139.172.44.3 on socket 6 from accept
 FuzzyItemIn(139.172.44.3)
 Purging Old Connections...
 Done purging
 FuzzyItemIn(139.172.44.3)
 Prepending 139.172.44.3
# never to return again



-- 
Stefan Wipf
swipf@htc.com
voice: (312) 697-2540
fax:   (312) 697-2785