ANNOYING Key Trust Issue. help.


From: Adam M. Dunn
Subject: ANNOYING Key Trust Issue. help.
Date: Wed, 23 Nov 2005 17:51:16 -0600 (CST)

Hi all.  Don't you hate it when you get hung up on the most basic
problem...  I've been using cfengine for quite a while, and am in
the process of setting all back up on a new network with new servers and
everything, so I've done this before.  I know pretty well all about how
the copies and key exchanging works, but am running into a REALLY annoying
problem.  I've spent way more time than I feel I should be on a problem
like this so I'm wondering if it's not a bug or something.  I've imported
some of my old cfengine policies to test, and even rewritten very basic
ones to try and get it to work.  Here's my problem:

I can't get my new policy host to trust keys or copy files around.  I've
tried importing some of my old cfengine policies that work for testing,
and I've rewritten very basic ones to try and get it to work without using
variables.  I've also tried manually copying keys around and no luck.  All
clients are in DNS, and I've also tried binding cfservd to interfaces.  I
even tried the nasty SkipVerify option.

I'll list config files and debug output.  If someone can help I'd really
appreciate it!  Server is lucy.mydomain.com (10.10.13.12), client is
snake.mydomain.com (10.10.13.99).  All are running version 2.1.17 and
compiled against the same versions of db-4.2.52 and openssl-0.9.7d with
the same settings.



cfservd.conf on lucy:
--------------------
control:

  domain = ( mydomain.com )
  #AllowConnectionsFrom = ( 10.10.13 )
  TrustKeysFrom = ( 10.10.13 )
  AllowUsers = ( root )       # Needed for cfrun to work
  #SkipVerify = ( 10.10.13 )

  BindToInterface = ( 10.10.13.12 )

  cfrunCommand  = ( "/usr/local/sbin/cfagent" )

  any::
      #ChecksumDatabase = ( /tmp/testDATABASEcache )
      IfElapsed = ( 1 )
      MaxConnections = ( 50 )

#########################################################

admit:   # or grant:

      /var/cfengine/distrib           *.mydomain.com

      /var/cfengine/masterfiles/inputs  *.mydomain.com

      # Needed for cfrun to work
      /usr/local/sbin/cfagent           *.mydomain.com

      /usr/local/sbin           *.mydomain.com
      /etc                    *.mydomain.com
      /export                 *.mydomain.com





update.conf on snake:
--------------------

control:

   actionsequence  = ( copy editfiles processes tidy )  
   domain          = ( mydomain.com )  # Needed for remote copy

   policyhost      = ( lucy.mydomain.com )

   any::
     master_cfinput  = ( /var/cfengine/masterfiles/inputs )
     AddInstallable = ( new_cfenvd new_cfservd )
     editfilesize = ( 100000 )
     workdir         = ( /var/cfengine )

  solaris::
     cf_install_dir  = ( /usr/local/sbin )

  linux::
     cf_install_dir  = ( /usr/local/sbin )

  !AllBinaryServers::
     SplayTime = ( 1 )


filters:

   { ignoredir
     Type:        "dir"
     Result:      "!Type"
   }

copy:

     $(master_cfinput)            dest=$(workdir)/inputs
                                  r=1
                                  #filter=ignoredir
                                  mode=700
                                  type=binary
                                  exclude=*.lst
                                  exclude=*~
                                  exclude=#*
                                  # include=*.cfsaved
                                  # exclude=examples
                                  server=$(policyhost)
                                  trustkey=true
                                  ifelapsed=0
                                  purge=true

editfiles:

  { /etc/services

    SetLine "cfengine           5308/tcp                # Cfengine"
    AppendIfNoLineMatching ".*cfengine.*5308/tcp.*"

    SetLine "cfengine           5308/udp                # Cfengine"
    AppendIfNoLineMatching ".*cfengine.*5308/udp.*"

  }

tidy:

     #
     # Cfexecd stores output in this directory.
     # Make sure we don't build up files and choke on our own words!
     #

     $(workdir)/outputs pattern=* age=7




Here is some relevant cfrun debug output:
-----------------------------------------
cfrun(0):         .......... [ Hailing snake.mydomain.com ] ..........
pid = 15786 i = 0
New server connection...
Connecting to server snake.mydomain.com to port 0 with options
Using v6 compatible lookup...
IPV4 address
sockaddr_ntop(10.10.13.99)
Havekey(root-snake.mydomain.com)
Did not have key root-snake.mydomain.com
Havekey(root-10.10.13.99)
Did not have key root-10.10.13.99
WARNING - You do not have a public key from host snake.mydomain.com =
10.10.13.99
          Do you want to accept one on trust? (yes/no)

--> yes
IPV4 address
sockaddr_ntop(10.10.13.99)
Connect to snake.mydomain.com = 10.10.13.99 on port 5308
IPV4 address
sockaddr_ntop(10.10.13.99)
IPV4 address
sockaddr_ntop(10.10.13.99)
Found address (10.10.13.99) for host snake.mydomain.com
Updating last-seen time for snake.mydomain.com
IPV4 address
sockaddr_ntop(10.10.13.12)
Identifying this agent as 10.10.13.12 i.e. lucy.mydomain.com, with
signature 0
IsIPV6Address(lucy.mydomain.com)
SENT:::CAUTH 10.10.13.12 lucy.mydomain.com root 0
Transaction Send[t 42][Packed text]
Attempting to send 50 bytes
SendSocketStream, sent 50
ChecksumString(m)
OptionIs(cfrun,HostnameKeys,1)
GetMacroValue(cfrun,HostnameKeys)
KeyAuthentication(with IP keyname root-10.10.13.99)
Havekey(root-10.10.13.99)
Did not have key root-10.10.13.99
Transaction Send[t 61][Packed text]
Attempting to send 69 bytes
SendSocketStream, sent 69
Modulus (2048 bit):
    00:ca:0e:ba:9d:4a:ce:b4:eb:01:05:39:1b:9f:e5:
    75:46:cd:e5:51:f8:f9:95:53:ea:55:9a:2c:0f:35:
    d9:96:36:cb:7a:49:8f:8f:51:ff:df:91:41:96:e1:
    06:b2:2d:40:61:24:b9:6d:3d:7b:4f:67:e9:10:86:
    27:54:33:d9:25:fe:f3:26:8e:28:8d:ea:f8:05:33:
    c3:bd:f5:a0:bc:d5:49:9d:64:8e:63:7d:dd:ce:e9:
    7b:1b:d3:5c:7e:94:a1:09:ed:de:0c:1d:76:79:0c:
    ba:af:25:67:0b:05:b6:4b:90:0a:b6:48:1f:e9:92:
    9d:d8:a7:0b:dc:97:6d:3b:f2:f0:f2:3d:51:bb:2d:
    5d:6f:88:81:a3:b9:d2:19:da:b0:cb:4e:ac:a7:fd:
    6f:38:13:73:bc:25:62:15:d7:41:53:d8:81:d2:7a:
    25:94:e1:68:8f:a2:38:1f:11:50:1c:52:5f:b3:17:
    eb:84:26:04:16:ea:90:87:5f:66:8c:13:cc:e0:a9:
    19:3d:a5:4d:1c:e3:1f:f8:eb:4c:7c:e2:97:04:9f:
    c5:6a:12:62:f1:d0:35:93:36:d8:11:37:88:f9:db:
    ec:66:25:fd:76:91:2f:12:64:fd:c7:73:9c:2b:a8:
    c8:a3:03:08:1c:2a:88:cc:35:a3:2b:1a:56:d6:27:
    dd:ad
Exponent: 35 (0x23)
Transaction Send[t 261][Packed text]
Attempting to send 269 bytes
SendSocketStream, sent 269
Transaction Send[t 5][Packed text]
Attempting to send 13 bytes
SendSocketStream, sent 13
RecvSocketStream(8)
    (Concatenated 8 from stream)
Transaction Receive [t 114][]
RecvSocketStream(114)
    (Concatenated 114 from stream)
cfrun:lucy.mydomain.com: BAD: Host authentication failed. Did you forget
the domain name or IP/DNS address registration (for ipv4 or ipv6)?
cfrun:lucy.mydomain.com: Key-authentication for lucy.mydomain.com failed
Connection refused...

wait result pid = 15786 number 1




Here is some relevant cfservd debug mode output:
-----------------------------------------------
Installable classes = ( )
ACCESS GRANTED ----------------------:

Path: /var/cfengine/distrib (encrypt=0)
   Admit: *.mydomain.com root=
Path: /var/cfengine/masterfiles/inputs (encrypt=0)
   Admit: *.mydomain.com root=
Path: /usr/local/sbin/cfagent (encrypt=0)
   Admit: *.mydomain.com root=
Path: /usr/local/sbin (encrypt=0)
   Admit: *.mydomain.com root=
Path: /etc (encrypt=0)
   Admit: *.mydomain.com root=
ACCESS DENIAL ------------------------ :

Host IPs allowed connection access :

Host IPs denied connection access :

Host IPs allowed multiple connection access :

Host IPs from whom we shall accept public keys on trust :

IP: 10.10.13
Host IPs from NAT which we don't verify :

IP: 10.10.13
Dynamical Host IPs (e.g. DHCP) whose bindings could vary over time :

IPV6 address
sockaddr_ntop(::)
Bound to address :: on linux=6
Listening for connections ...
Checking file updates on /var/cfengine/inputs/./cfservd.conf
(4384f6bd/4384fe6d)
15740Checking file updates on /var/cfengine/inputs/./cfservd.conf
(4384f6bd/4384fe6d)
Checking file updates on /var/cfengine/inputs/./cfservd.conf
(4384f6bd/4384fe6d)
Checking file updates on /var/cfengine/inputs/./cfservd.conf
(4384f6bd/4384fe6d)
Checking file updates on /var/cfengine/inputs/./cfservd.conf
(4384f6bd/4384fe6d)
IPV6 address
sockaddr_ntop(::ffff:10.10.13.99)
Obtained IP address of ::ffff:10.10.13.99 on socket 5 from accept

FuzzyItemIn(LIST,10.10.13.99)
Purging Old Connections...
Done purging

FuzzyItemIn(LIST,10.10.13.99)
Prepending [10.10.13.99]
*** New socket [5]
New connection...(from ::ffff:10.10.13.99/5)
Spawning new thread...
Checking file updates on /var/cfengine/inputs/./cfservd.conf
(4384f6bd/4384fe6d)
RecvSocketStream(8)
    (Concatenated 8 from stream)
Transaction Receive [t 43][]
RecvSocketStream(43)
    (Concatenated 43 from stream)
Received: [CAUTH 10.10.13.99 snake.mydomain.com root 0] on socket 5
Connecting host identifies itself as 10.10.13.99 snake.mydomain.com root 0
(ipstring=[10.10.13.99],fqname=[snake.mydomain.com],username=[root],socket=[::ffff:10.10.13.99])
cfservd: Allowing 10.10.13.99 to connect without (re)checking ID
Non-verified Host ID is snake.mydomain.com (Using skipverify)
Non-verified User ID seems to be root (Using skipverify)
IPV4 address
sockaddr_ntop(10.10.13.99)
Found address (10.10.13.99) for host snake.mydomain.com
Updating last-seen time for snake.mydomain.com
RecvSocketStream(8)
Transmission empty or timed out...
Transaction Receive [][]
RecvSocketStream(0)
cfservd terminating NULL transmission!
Terminating thread...
***Closing socket 5 from ::ffff:10.10.13.99
Deleted item 10.10.13.99
Checking file updates on /var/cfengine/inputs/./cfservd.conf
(4384f6bd/4384fe6d)
Checking file updates on /var/cfengine/inputs/./cfservd.conf
(4384f6bd/4384fe6d)
cfservd: Received signal 2 (SIGINT) while doing [cfservd]
cfservd: Logical start time Wed Nov 23 17:42:37 2005
cfservd: This sub-task started really at Wed Nov 23 17:42:37 2005



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Adam Dunn
Systems Administrator II
Human Genome Sequencing Center
Baylor College of Medicine
N1419 One Baylor Plaza
Houston, TX 77030

Voice: 713.798.3124
Fax  : 713.798.6977
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
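Added example (not part of Adam's post and not cfengine code): the cfrun -d
output above prints the RSA modulus and exponent of the key the peer
presented, so the first thing to check on a "Key-authentication failed" is
whether the key file cfengine has on disk for that peer is actually the
same key.  The script below parses that "Modulus (2048 bit):" block, parses
a PEM public key file and compares the two, using only the standard
library.  Two things here are assumptions, not taken from the post: that
ppkeys files are PKCS#1 "-----BEGIN RSA PUBLIC KEY-----" PEM (OpenSSL's
PEM_write_RSAPublicKey output), and that they are named root-<host>.pub /
root-<ip>.pub, following the Havekey(root-snake.mydomain.com) and
Havekey(root-10.10.13.99) probes in the debug output.  The sample key file
is constructed in the script from the modulus printed in the post.

```python
"""Compare the RSA key a cfengine 2 peer sent (cfrun -d dump) with a ppkeys PEM file."""
import base64
import re

# Constructed sample: the modulus/exponent block from the cfrun -d output in
# the post.  Every hex line except the last ends with ':'.
DEBUG_DUMP = """\
Modulus (2048 bit):
    00:ca:0e:ba:9d:4a:ce:b4:eb:01:05:39:1b:9f:e5:
    75:46:cd:e5:51:f8:f9:95:53:ea:55:9a:2c:0f:35:
    d9:96:36:cb:7a:49:8f:8f:51:ff:df:91:41:96:e1:
    06:b2:2d:40:61:24:b9:6d:3d:7b:4f:67:e9:10:86:
    27:54:33:d9:25:fe:f3:26:8e:28:8d:ea:f8:05:33:
    c3:bd:f5:a0:bc:d5:49:9d:64:8e:63:7d:dd:ce:e9:
    7b:1b:d3:5c:7e:94:a1:09:ed:de:0c:1d:76:79:0c:
    ba:af:25:67:0b:05:b6:4b:90:0a:b6:48:1f:e9:92:
    9d:d8:a7:0b:dc:97:6d:3b:f2:f0:f2:3d:51:bb:2d:
    5d:6f:88:81:a3:b9:d2:19:da:b0:cb:4e:ac:a7:fd:
    6f:38:13:73:bc:25:62:15:d7:41:53:d8:81:d2:7a:
    25:94:e1:68:8f:a2:38:1f:11:50:1c:52:5f:b3:17:
    eb:84:26:04:16:ea:90:87:5f:66:8c:13:cc:e0:a9:
    19:3d:a5:4d:1c:e3:1f:f8:eb:4c:7c:e2:97:04:9f:
    c5:6a:12:62:f1:d0:35:93:36:d8:11:37:88:f9:db:
    ec:66:25:fd:76:91:2f:12:64:fd:c7:73:9c:2b:a8:
    c8:a3:03:08:1c:2a:88:cc:35:a3:2b:1a:56:d6:27:
    dd:ad
Exponent: 35 (0x23)
"""


def modulus_from_debug(text):
    """Return (n, e) from a cfrun/cfservd -d modulus dump embedded in `text`."""
    hex_parts, exponent, collecting = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Modulus"):
            collecting = True
            continue
        m = re.match(r"Exponent:\s*(\d+)", s)
        if m:
            exponent = int(m.group(1))
            break
        if collecting and re.fullmatch(r"(?:[0-9a-f]{2}:)*[0-9a-f]{2}:?", s):
            hex_parts.append(s)
    if not hex_parts or exponent is None:
        raise ValueError("no modulus/exponent dump found")
    return int("".join(hex_parts).replace(":", ""), 16), exponent


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(value):
    """DER INTEGER; (bit_length+8)//8 bytes adds the 0x00 pad when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(raw)) + raw


def pkcs1_pem(n, e):
    """Build a PKCS#1 RSAPublicKey PEM (assumed ppkeys format) from n and e."""
    body = _der_int(n) + _der_int(e)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END RSA PUBLIC KEY-----\n"


def _der_read(buf, pos):
    """Read one TLV at `pos`; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def modulus_from_pem(pem):
    """Return (n, e) from a PKCS#1 RSA PUBLIC KEY PEM: SEQUENCE { INTEGER n, INTEGER e }."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    tag, seq, _ = _der_read(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag_n, n_bytes, pos = _der_read(seq, 0)
    tag_e, e_bytes, _ = _der_read(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def keys_match(debug_text, pem_text):
    """True when the key the peer sent equals the key file on disk."""
    return modulus_from_debug(debug_text) == modulus_from_pem(pem_text)


def ppkeys_names(user, ip, fqdn):
    """File names probed, in the order the debug output shows (host first, then IP).
    The '.pub' suffix is an assumption about the ppkeys layout."""
    return ["%s-%s.pub" % (user, fqdn), "%s-%s.pub" % (user, ip)]


# Constructed sample key file, standing in for ppkeys/root-10.10.13.99.pub.
SAMPLE_PEM = pkcs1_pem(*modulus_from_debug(DEBUG_DUMP))

if __name__ == "__main__":
    n, e = modulus_from_debug(DEBUG_DUMP)
    print("peer sent: %d-bit modulus, e=%d" % (n.bit_length(), e))
    print("matches key file:", keys_match(DEBUG_DUMP, SAMPLE_PEM))
    print("files probed:", ppkeys_names("root", "10.10.13.99", "snake.mydomain.com"))
```

In practice you would read the real file from the ppkeys directory in place of
SAMPLE_PEM and paste the peer's dump from the debug session; a mismatch means
the server is comparing against a stale key and the file should be removed or
re-exchanged, while a match points away from the key material and toward the
host/IP name resolution the "Did you forget the domain name" message refers to.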





