help-cfengine

Re: cfservd: Private decrypt failed = block type is not 02


From: Christian Pearce
Subject: Re: cfservd: Private decrypt failed = block type is not 02
Date: Tue, 02 Aug 2005 13:10:24 -0400

I think this is a result of an old public key of the cfservd server on
the cfagent client attempting to connect.  We tear down and rebuild
servers constantly.  But leave our clients alone since we can just
re-bootstrap them.  Now we remove that key.  At this point I want to
have bootstrapping force the downloading of the keys.  But I have to
work through the details of it.

The output sort of makes sense if the sender signed it with a public
key that the receiver no longer uses.  This is where the decrypt failed.
But the error message could be improved.  I had a bug open about this,
but I think it got closed.  I will update the bug.

On Wed, 2005-05-18 at 09:47 -0600, Erik Williamson wrote:
> I've found that this fixes it:
> 
> root@server -> rm /var/cfengine/ppkeys/root-*
> 
> root@client -> rm /var/cfengine/ppkeys/*
> root@client -> /usr/sbin/cfkey
> root@client -> cfagent -q -K; cfagent -q -K
> 
> Does anyone know why this happened?  This is a new cfengine server that 
> I'm migrating all of our hosts over to - doing this now with 15 hosts 
> isn't too bad - soon with 300, it could be a nag.
> 
> Interestingly, I have to run cfagent twice as the first time it 
> segfaults.  I've got an strace dump if anyone wants to take a look.
> 
> Best,
> Erik.
> 
> Erik Williamson wrote:
> > Hi All,
> > 
> > Server & clients are i386 running RHEL 4 / running Dag Wieers' cfengine 
> > 2.1.14.  All machines are at the same patchlevel.
> > 
> > I brought the server down yesterday to add more memory, and upgrade the 
> > kernel (2.6.9-5.0.3 -> 2.6.9-5.0.5)
> > 
> > Now clients are getting this error (we all know this one!):
> > cfengine:gx280test: Authentication dialogue with asa.cpsc.ucalgary.ca failed
> > cfengine:gx280test: Unable to establish connection with asa.cpsc.ucalgary.ca (failover)
> > cfengine:gx280test: BAD: Host authentication failed. Did you forget the domain name or IP/DNS address registration (for ipv4 or ipv6)?
> > 
> > (Everything was working so well beforehand)
> > 
> > Server logs show:
> > May 18 08:33:36 asa cfservd[5547]: Host authorization/authentication failed or access denied
> > May 18 08:33:36 asa cfservd[5547]: From (host=gx280test.cpsc.ucalgary.ca,user=root,ip=10.1.2.20)
> > May 18 08:33:36 asa cfservd[5547]:  ID from connecting host: (SAUTH y 256 37)
> > May 18 08:33:36 asa cfservd[5547]:  Private decrypt failed = block type is not 02
> > 
> > When running the server with -d2, this is all I can see that is 
> > 'Interesting':
> > 
> > RecvSocketStream(280)
> >     (Concatenated 280 from stream)
> > Received: [SAUTH y 256 37] on socket 5
> > Challenge encryption = y, nonce = 37, buf = 256
> > cfservd: Private decrypt failed = padding check failed
> > Transaction Send[t 114][Packed text]
> > Attempting to send 122 bytes
> > 
> > I saw there was an earlier thread on this some time ago 
> > (http://lists.gnu.org/archive/html/help-cfengine/2003-01/msg00125.html), 
> > but the problem was fixed.
> > 
> > If it's any help, when the server first rebooted it reverted to using 
> > the tg3 driver for its NIC, and is now back using bcm5700 (You never 
> > know if that will help)
> > 
> > Has anyone seen this?  If there's more information I can provide, please 
> > let me know.
> > 
> > Thanks for the help!
> > Erik.
> > 
> 
-- 
Christian Pearce
Perfect Order, Inc.
http://www.sysnav.com
http://www.perfectorder.com
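The cfservd log lines quoted in the thread are the only server-side trace of a client that still holds a stale server key. The following parser, added here as an example and not part of the thread or of cfengine itself, groups those lines into one record per failed authentication and lists hosts whose RSA challenge repeatedly fails to decrypt, so an administrator can see which clients need their ppkeys rebuilt after a server is torn down. The sample log is constructed from the quoted format; the second host and the timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample modelled on the cfservd lines quoted in the thread.
# example-client and all timestamps after the first event are made up.
SAMPLE_LOG = """\
May 18 08:33:36 asa cfservd[5547]: Host authorization/authentication failed or access denied
May 18 08:33:36 asa cfservd[5547]: From (host=gx280test.cpsc.ucalgary.ca,user=root,ip=10.1.2.20)
May 18 08:33:36 asa cfservd[5547]:  ID from connecting host: (SAUTH y 256 37)
May 18 08:33:36 asa cfservd[5547]:  Private decrypt failed = block type is not 02
May 18 08:34:01 asa cfservd[5547]: Host authorization/authentication failed or access denied
May 18 08:34:01 asa cfservd[5547]: From (host=example-client.cpsc.ucalgary.ca,user=root,ip=10.1.2.21)
May 18 08:34:01 asa cfservd[5547]:  Private decrypt failed = padding check failed
May 18 08:35:12 asa cfservd[5547]: Host authorization/authentication failed or access denied
May 18 08:35:12 asa cfservd[5547]: From (host=gx280test.cpsc.ucalgary.ca,user=root,ip=10.1.2.20)
May 18 08:35:12 asa cfservd[5547]:  Private decrypt failed = block type is not 02
"""

# syslog prefix: timestamp, server hostname, cfservd[pid]: message
CFSERVD = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) cfservd\[(\d+)\]:\s+(.*)$")
FROM = re.compile(r"From \(host=([^,]+),user=([^,]+),ip=([^)]+)\)")
DECRYPT = re.compile(r"Private decrypt failed = (.+)$")


def parse_auth_failures(text):
    """Group consecutive cfservd lines into one record per failed authentication."""
    events, current = [], None
    for line in text.splitlines():
        m = CFSERVD.match(line)
        if not m:
            continue
        ts, msg = m.group(1), m.group(4)
        if msg.startswith("Host authorization/authentication failed"):
            # a new failure always opens with this line; later lines fill it in
            current = {"time": ts, "host": None, "ip": None, "reason": None}
            events.append(current)
        elif current is None:
            continue
        elif (f := FROM.search(msg)):
            current["host"], current["ip"] = f.group(1), f.group(3)
        elif (d := DECRYPT.search(msg)):
            current["reason"] = d.group(1)  # e.g. "block type is not 02"
    return events


def stale_key_suspects(events, threshold=2):
    """Hosts whose challenge repeatedly fails to decrypt: the symptom, per the thread,
    of a client still holding the server's previous public key in its ppkeys dir."""
    counts = Counter(e["host"] for e in events if e["reason"] is not None)
    return {host: n for host, n in counts.items() if n >= threshold}
```

A host that shows up here after a server rebuild is a candidate for the key removal and re-bootstrap sequence Erik describes, rather than for a DNS or access-list fix.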
