Re: hung cfservd

[Wipf, Stefan]

Sorry, client and server are both compiled with openssl-0.9.6g

As Brian pointed out, we can update the public key
and bounce the cfservd.  In my case I know that the public
key is wrong.

It is not the encryption failure itself that worries me
or even that cfservd becomes unresponsive,  but that I can so
easily cause cfagent processes to hang on every single host
of my network.



Mark.Burgess@iu.hio.no wrote:
> 
> ok, this is something I haven't seen, but here's atip.
> I have seen encryption failures between versions of cfengine
> compiled with different versions of the OpenSSL library.
> Something to check out....
> 
> M
> 
> On 29 Jan, Wipf, Stefan wrote:
> > sorry I should know better:
> >
> > version 2.0.5pre2
> >
> > Mark.Burgess@iu.hio.no wrote:
> >>
> >> Version, version, version????
> >>
> >> Upgrade, upgrade, upgrade...!!
> >>
> >> :)
> >>
> >> M
> >>
> >> On 29 Jan, Wipf, Stefan wrote:
> >> > We observed that when cfengine connects to cfservd to
> >> > copy files using an old or incorrect public key for the
> >> > cfservd server, cfservd freezes and all further cfengine
> >> > processes connecting to this cfservd instance hang
> >> > indefinitely even if they use the correct public key.
> >> >
> >> > has anybody come across this before?
> >> >
> >> > platform: solaris 2.6
> >> >
> >> > cfservd.conf:
> >> >   control:
> >> >        domain                = ( htc.com )
> >> >        AllowConnectionsFrom  = ( 139.172.0.0/16 )
> >> >        AllowUsers            = ( root )
> >> >
> >> >   admit:
> >> >       /some_directory   *.htc.com
> >> >
> >> > output from cfagent (on macbeth) using an old public key:
> >> >  BAD: Host authentication failed. Did you forget the domain name?
> >> >  Authentication dialogue with neutron.htc.com failed
> >> >  Unable to establish connection with neutron.htc.com
> >> >
> >> > from cfservd --debug:
> >> >  ...
> >> >  Canonical name matched host's assertion - id confirmed as
> >> > macbeth.htc.com
> >> >  Checking address number 0 for non-canonical names (aliases)
> >> >  Reverse lookup succeeded
> >> >  Host ID is macbeth.htc.com
> >> >  User ID seems to be root
> >> >  RecvSocketStream(8)
> >> >     (Concatenated 8 from stream)
> >> >  Transaction Receive [t 280][]
> >> >  RecvSocketStream(280)
> >> >     (Concatenated 280 from stream)
> >> >  Received: [SAUTH y 256 37] on socket 6
> >> >  Challenge encryption = y, nonce = 37, buf = 256
> >> >  neutron.htc.com: Private decrypt failed = block type is not 02
> >> >  neutron.htc.com: Host authorization/authentication failed or access
> >> > denied
> >> >  Transaction Send[t 64][Packed text]
> >> >  SendSocketStream, sent 72
> >> >  neutron.htc.com: From (host=macbeth.htc.com,user=root,ip=139.172.44.10)
> >> >  Terminating thread...
> >> >  ***Closing socket 6 from 139.172.44.10
> >> >  Deleted item 139.172.44.10
> >> > # here comes the next client
> >> >  IPV4 address
> >> >  sockaddr_ntop(139.172.44.3)
> >> >  Obtained IP address of 139.172.44.3 on socket 6 from accept
> >> >  FuzzyItemIn(139.172.44.3)
> >> >  Purging Old Connections...
> >> >  Done purging
> >> >  FuzzyItemIn(139.172.44.3)
> >> >  Prepending 139.172.44.3
> >> > # never to return again
> >> >
> >> >
> >> >
> >>
> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >> Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
> >> Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
> Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-- 
Stefan Wipf
swipf@htc.com