Jason Kim wrote:
> There is a bug in cfagent when using SkipIdentify.
> 
> Background:
> I am using a fairly odd setup where a client machine's unique identifying ip 
> (which matches its hostname) is bound to loopback as an alias. The ips bound 
> to the physical interfaces are used merely for transit and don't have 
> meaningful dns names. All outgoing connections from this box are source nat'd 
> to originate from the unique ip. I wanted to use SkipIdentify in order to 
> make the master's cfservd allow connections from this box using its unique 
> ip.
> 
> Results:
> Without SkipIdentify I get the following, which is expected:
>> Identifying this agent as 172.27.60.40 i.e. pod0.hq.moli.com, with signature 
> 0
>> IsIPV6Address(pod0-hq-em0.xit.moli.com)
>> SENT:::CAUTH 172.27.60.40 pod0-hq-em0.xit.moli.com root 0
> So even though the cfservd sees a connection from a 'real' ip (due to the 
> source nating) and the key exchange works fine, it still thinks the client 
> has the private ip and name.
> 
> With SkipIdentify I get the following broken behavior:
>> SkipIdent was requested, so we are trusting and annoucning the identity as 
> (pod0.hq.moli.com) for this host
>> IsIPV6Address(pod0.hq.moli.com)
>> SENT:::CAUTH   root 0
> Here cfservd gets very confused, and thinks the client's ip is 'root' and the 
> host name is '0'.
> 
> Problem:
> The problem lies in src/proto.c in the IdentifyForVerification function. If 
> SkipIdentify is turned on, dnsname is set to VFQNAME (line 152) and localip 
> is never set (because the local socket address is never examined). Later on, 
> a sanity check (line 178) compares dnsname to localip for strlen(localip) 
> chars. Since localip is 0 length, the compare succeeds, subsequently dnsname 
> is set to localip, i.e. nothing.
> 
> Fix:
> The fix for this depends greatly on what Mr Burgess wanted this option to do 
> in the first place. For my needs, I simply set localip to the ip address of 
> VFQNAME, which is what I _think_ was the intention (patch attached). However 
> this is not a perfect solution since a) it doesn't deal with ipv6, b) it 
> reverts to the same broken behavior if VFQNAME doesn't resolve, and c) only 
> takes into account the first returned ip.
> 
> That's it. As a side note, it would seem that this feature has been broken 
> since around revision 110 in subversion, ~14 months ago... Is it just not 
> used often, or am I missing a scenario where it works fine?
> 
> -JayKim
> 
> 
> 
> ------------------------------------------------------------------------
> 
> --- proto.c.orig      Mon Sep 25 11:31:12 2006
> +++ proto.c   Mon Sep 25 12:27:24 2006
> @@ -150,6 +150,12 @@
>        {
>        Verbose("SkipIdent was requested, so we are trusting and annoucning 
> the identity as (%s) for this host\n",VFQNAME);
>        strcat(dnsname,VFQNAME);
> +
> +      hp = gethostbyname(VFQNAME);
> +      if ((hp != NULL) || (hp->h_addr_list[0] != NULL))
> +         {
> +      snprintf(localip,CF_MAX_IP_LEN-1,"%s",inet_ntoa(*((struct in_addr 
> *)hp->h_addr_list[0])));
> +      }
>        }
>     else
>        {
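Review bot: the guard `if ((hp != NULL) || (hp->h_addr_list[0] != NULL))` needs `&&`, not `||`: with `||`, a NULL return from gethostbyname() makes the right-hand operand dereference a null pointer, so the "VFQNAME doesn't resolve" case listed as caveat b) becomes a crash instead of a fallthrough. Consider also emitting a Verbose()/error message in the failure branch, since otherwise localip silently stays empty and the original broken CAUTH line is sent; and since gethostbyname() returns only the first IPv4 address, caveats a) and c) would be addressed by switching to getaddrinfo() and iterating the result list. Minor: the snprintf line and its closing brace are indented inconsistently with the enclosing block.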
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Bug-cfengine mailing list
> [email protected]
> http://cfengine.org/mailman/listinfo/bug-cfengine

Many thanks for the patch. I shall look into this.



-- 
Mark Burgess

Professor of Network and System Administration
Oslo University College

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  [EMAIL PROTECTED]
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
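As an added illustration (not code from cfengine's proto.c), the following models the failure the report describes: with SkipIdentify the localip buffer stays empty, the strlen(localip)-bounded compare trivially matches, and the announced name is wiped. Buffer sizes and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CF_BUFSIZE 256                 /* assumed buffer size, not cfengine's */

/* Models the sanity check the report places at proto.c line 178: when
 * dnsname begins with localip, the announced name is replaced by the IP.
 * With SkipIdentify localip is never filled in, strncmp(..., 0) compares
 * zero bytes and always returns 0, so dnsname is overwritten with "". */
const char *announce_buggy(const char *vfqname, const char *localip)
{
    static char dnsname[CF_BUFSIZE];
    snprintf(dnsname, sizeof dnsname, "%s", vfqname);
    if (strncmp(dnsname, localip, strlen(localip)) == 0)
        snprintf(dnsname, sizeof dnsname, "%s", localip);
    return dnsname;
}

/* Hardened form: an empty localip means "address unknown", so the name is
 * kept rather than wiped; only a real IP prefix triggers the replacement.
 * This alone does not fill the IP field, so the patch's resolution step
 * (or an explicit error) is still needed before CAUTH goes on the wire. */
const char *announce_fixed(const char *vfqname, const char *localip)
{
    static char dnsname[CF_BUFSIZE];
    snprintf(dnsname, sizeof dnsname, "%s", vfqname);
    if (localip[0] != '\0' &&
        strncmp(dnsname, localip, strlen(localip)) == 0)
        snprintf(dnsname, sizeof dnsname, "%s", localip);
    return dnsname;
}

/* Composes the CAUTH line in the layout shown in the report's SENT output. */
const char *cauth_line(const char *localip, const char *dnsname,
                       const char *user)
{
    static char line[CF_BUFSIZE];
    snprintf(line, sizeof line, "CAUTH %s %s %s 0", localip, dnsname, user);
    return line;
}

int main(void)
{
    const char *ip = "";               /* localip left unset by SkipIdentify */
    printf("buggy: %s\n", cauth_line(ip, announce_buggy("pod0.hq.moli.com", ip), "root"));
    printf("fixed: %s\n", cauth_line(ip, announce_fixed("pod0.hq.moli.com", ip), "root"));
    return 0;
}
```

The buggy variant reproduces the "CAUTH   root 0" line from the report, where cfservd then reads "root" as the IP and "0" as the host name.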
