There is a bug in cfagent when using SkipIdentify.
Background:
I am using a fairly odd setup where a client machine's unique identifying ip
(which matches its hostname) is bound to loopback as an alias. The ips bound
to the physical interfaces are used merely for transit and don't have
meaningful dns names. All outgoing connections from this box are source nat'd
to originate from the unique ip. I wanted to use SkipIdentify in order to
make the master's cfservd allow connections from this box using it's unique
ip.
Results:
Without SkipIdentify I get the following, which is expected:
>Identifying this agent as 172.27.60.40 i.e. pod0.hq.moli.com, with signature
0
>IsIPV6Address(pod0-hq-em0.xit.moli.com)
>SENT:::CAUTH 172.27.60.40 pod0-hq-em0.xit.moli.com root 0
So even though the cfservd sees a connection from a 'real' ip (due to the
source nating) and the key exchange works fine, it still thinks the client
has the private ip and name.
With SkipIdentify I get the following broken behavior:
>SkipIdent was requested, so we are trusting and annoucning the identity as
(pod0.hq.moli.com) for this host
>IsIPV6Address(pod0.hq.moli.com)
>SENT:::CAUTH root 0
Here cfservd gets very confused, and thinks the client's ip is 'root' and the
host name is '0'.
Problem:
The problem lies in src/proto.c in the IdentifyForVerification function. If
SkipIdentify is turned on, dnsname is set to VFQNAME (line 152) and localip
is never set (because the local socket address is never examined). Later on,
a sanity check (line 178) compares dnsname to localip for strlen(localip)
chars. Since localip is 0 length, the compare succeeds, subsequently dnsname
is set to localip, ie nothing.
Fix:
The fix for this depends greatly on what Mr Burgess wanted this option to do
in the first place. For my needs, I simply set localip to the ip address of
VFQNAME, which is what I _think_ was the intention (patch attached). However
this is not a perfect solution since a) it doesn't deal with ipv6, b) it
reverts to the same broken behavior if VFQNAME doesn't resolve, and c) only
takes into account the first returned ip.
That's it. As a side note, it would seem that this feature has been broken
since around revision 110 in subversion, ~14 months ago... Is it just not
used often, or am I missing a scenario where it works fine?
-JayKim
--
GO MOLI
Jason Kim
Senior Network Systems Engineer
CoVibe TECH
580 Village Boulevard, Suite 110
West Palm Beach, Florida 33409
tel: 561.459.1673
fax: 561.616.5509
[EMAIL PROTECTED]
THE INFORMATION CONTAINED IN THIS TRANSMISSION MAY CONTAIN PRIVILEGED OR
CONFIDENTIAL INFORMATION INTENDED ONLY FOR USE OF THE INDIVIDUAL OR ENTITY
NAMED ABOVE. IF THE READER OF THIS MESSAGE IS NOT THE INTENDED RECIPIENT,
YOU ARE HEREBY NOTIFIED THAT ANY DISSEMINATION, DISTRIBUTION, OR COPYING OF
THIS COMMUNICATION IS STRICTLY PROHIBITED. IF YOU HAVE RECEIVED THIS
TRANSMISSION IN ERROR, DO NOT READ IT. PLEASE IMMEDIATELY REPLY TO THE
SENDER THAT YOU HAVE RECEIVED THIS COMMUNICATION IN ERROR. THEN DELETE IT.
THANK YOU.
--- proto.c.orig Mon Sep 25 11:31:12 2006
+++ proto.c Mon Sep 25 12:27:24 2006
@@ -150,6 +150,12 @@
{
Verbose("SkipIdent was requested, so we are trusting and annoucning the identity as (%s) for this host\n",VFQNAME);
strcat(dnsname,VFQNAME);
+
+ hp = gethostbyname(VFQNAME);
+ if ((hp != NULL) || (hp->h_addr_list[0] != NULL))
+ {
+ snprintf(localip,CF_MAX_IP_LEN-1,"%s",inet_ntoa(*((struct in_addr *)hp->h_addr_list[0])));
+ }
}
else
{
_______________________________________________
Bug-cfengine mailing list
[email protected]
http://cfengine.org/mailman/listinfo/bug-cfengine
