Re: hung cfservd
From: Wipf, Stefan
Subject: Re: hung cfservd
Date: Wed, 29 Jan 2003 14:19:25 -0600

Sorry, client and server are both compiled with openssl-0.9.6g.
As Brian pointed out, we can update the public key
and bounce the cfservd. In my case I know that the public
key is wrong.
It is not the encryption failure itself that worries me
or even that cfservd becomes unresponsive, but that I can so
easily cause cfagent processes to hang on every single host
of my network.
Mark.Burgess@iu.hio.no wrote:
>
> ok, this is something I haven't seen, but here's a tip.
> I have seen encryption failures between versions of cfengine
> compiled with different versions of the OpenSSL library.
> Something to check out....
>
> M
>
> On 29 Jan, Wipf, Stefan wrote:
> > sorry I should know better:
> >
> > version 2.0.5pre2
> >
> > Mark.Burgess@iu.hio.no wrote:
> >>
> >> Version, version, version????
> >>
> >> Upgrade, upgrade, upgrade...!!
> >>
> >> :)
> >>
> >> M
> >>
> >> On 29 Jan, Wipf, Stefan wrote:
> >> > We observed that when cfengine connects to cfservd to
> >> > copy files using an old or incorrect public key for the
> >> > cfservd server, cfservd freezes and all further cfengine
> >> > processes connecting to this cfservd instance hang
> >> > indefinitely even if they use the correct public key.
> >> >
> >> > has anybody come across this before?
> >> >
> >> > platform: solaris 2.6
> >> >
> >> > cfservd.conf:
> >> > control:
> >> > domain = ( htc.com )
> >> > AllowConnectionsFrom = ( 139.172.0.0/16 )
> >> > AllowUsers = ( root )
> >> >
> >> > admit:
> >> > /some_directory *.htc.com
> >> >
> >> > output from cfagent (on macbeth) using an old public key:
> >> > BAD: Host authentication failed. Did you forget the domain name?
> >> > Authentication dialogue with neutron.htc.com failed
> >> > Unable to establish connection with neutron.htc.com
> >> >
> >> > from cfservd --debug:
> >> > ...
> >> > Canonical name matched host's assertion - id confirmed as
> >> > macbeth.htc.com
> >> > Checking address number 0 for non-canonical names (aliases)
> >> > Reverse lookup succeeded
> >> > Host ID is macbeth.htc.com
> >> > User ID seems to be root
> >> > RecvSocketStream(8)
> >> > (Concatenated 8 from stream)
> >> > Transaction Receive [t 280][]
> >> > RecvSocketStream(280)
> >> > (Concatenated 280 from stream)
> >> > Received: [SAUTH y 256 37] on socket 6
> >> > Challenge encryption = y, nonce = 37, buf = 256
> >> > neutron.htc.com: Private decrypt failed = block type is not 02
> >> > neutron.htc.com: Host authorization/authentication failed or access
> >> > denied
> >> > Transaction Send[t 64][Packed text]
> >> > SendSocketStream, sent 72
> >> > neutron.htc.com: From (host=macbeth.htc.com,user=root,ip=139.172.44.10)
> >> > Terminating thread...
> >> > ***Closing socket 6 from 139.172.44.10
> >> > Deleted item 139.172.44.10
> >> > # here comes the next client
> >> > IPV4 address
> >> > sockaddr_ntop(139.172.44.3)
> >> > Obtained IP address of 139.172.44.3 on socket 6 from accept
> >> > FuzzyItemIn(139.172.44.3)
> >> > Purging Old Connections...
> >> > Done purging
> >> > FuzzyItemIn(139.172.44.3)
> >> > Prepending 139.172.44.3
> >> > # never to return again
> >> >
> >> >
> >> >
> >>
> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >> Work: +47 22453272 Email: Mark.Burgess@iu.hio.no
> >> Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Work: +47 22453272 Email: Mark.Burgess@iu.hio.no
> Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
Stefan Wipf
swipf@htc.com
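
The hang pattern in the quoted `cfservd --debug` output can be checked for mechanically. The following is an added example, not part of the original message and not cfengine code: it scans debug output for a failed challenge decrypt and then reports connections that were accepted afterwards but never closed. The sample log is constructed from the lines quoted in the thread, and attributing a failure to the socket of the last `Received:` line is a heuristic assumption.

```python
import re

# Constructed sample, modelled on the cfservd --debug excerpt quoted in the thread.
SAMPLE_LOG = """\
Obtained IP address of 139.172.44.10 on socket 6 from accept
Received: [SAUTH y 256 37] on socket 6
neutron.htc.com: Private decrypt failed = block type is not 02
Terminating thread...
***Closing socket 6 from 139.172.44.10
Obtained IP address of 139.172.44.3 on socket 6 from accept
FuzzyItemIn(139.172.44.3)
Prepending 139.172.44.3
"""

ACCEPT = re.compile(r"Obtained IP address of (\S+) on socket (\d+) from accept")
RECEIVED = re.compile(r"Received: \[.*\] on socket (\d+)")
CLOSE = re.compile(r"\*\*\*Closing socket (\d+) from (\S+)")
DECRYPT_FAIL = "Private decrypt failed"


def analyse(log_text):
    """Return (peers whose challenge decrypt failed, stalled connections)."""
    open_conns = {}   # socket number -> {"ip": peer, "after_failure": bool}
    failures = []     # peer IPs that triggered a decrypt failure
    last_sock = None  # socket named in the most recent "Received:" line
    for line in log_text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail quote prefixes
        if m := ACCEPT.search(line):
            open_conns[m.group(2)] = {"ip": m.group(1),
                                      "after_failure": bool(failures)}
        elif m := RECEIVED.search(line):
            last_sock = m.group(1)
        elif DECRYPT_FAIL in line:
            # Heuristic: blame the connection that last received data.
            failures.append(open_conns.get(last_sock, {}).get("ip", "unknown"))
        elif m := CLOSE.search(line):
            open_conns.pop(m.group(1), None)
    # Still open at end of log, and accepted after a decrypt failure.
    stalled = [(c["ip"], s) for s, c in open_conns.items() if c["after_failure"]]
    return failures, stalled


if __name__ == "__main__":
    failed, stalled = analyse(SAMPLE_LOG)
    print("decrypt failures from:", failed)
    print("accepted but never closed:", stalled)
```

A connection that is still being served when the log is captured also shows up as stalled, so the result only indicates a hang if the log has stopped growing.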