cfrun won't talk to cfservd
From: Chip Seraphine
Subject: cfrun won't talk to cfservd
Date: Tue, 22 Apr 2003 10:15:30 -0500
User-agent: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.2.1) Gecko/20030121
I am running cfrun from a server named cuffs (10.10.1.165 in the log
snippet below) and trying to connect to a machine named minglewood
(10.10.1.79), which is running cfservd. I've tried just about
everything I can think of, but I always fail at the challenge response.
Everything is running 2.0.6. I've seen several threads in the list
archives with similar issues, but it always seemed to come down to
something like not having an AllowUser line. Any help or advice would
be much appreciated!
This is from minglewood (the client's) cfservd running in verbose mode:
--
cfservd: Allowing 10.10.1.165 to connect without (re)checking ID
Non-verified Host ID is cuffs.trdlnk.com (Using skipverify)
Non-verified User ID seems to be root (Using skipverify)
Loaded /var/cfengine/ppkeys/root-10.10.1.165.pub
A public key was already known from cuffs.trdlnk.com/::ffff:10.10.1.165 - no trust required
Adding IP ::ffff:10.10.1.165 to SkipVerify - no need to check this if we have a key
The public key identity was confirmed as root@cuffs.trdlnk.com
cfservd: Challenge response from client ::ffff:10.10.1.165 was incorrect - ID false?
cfservd: Host authorization/authentication failed or access denied
cfservd: From (host=cuffs.trdlnk.com,user=root,ip=::ffff:10.10.1.165)
Apr 22 10:00:07 minglewood cfservd[25985]: [ID 702911 daemon.notice] Challenge response from client ::ffff:10.10.1.165 was incorrect - ID false?
Apr 22 10:00:07 minglewood cfservd[25985]: [ID 702911 daemon.notice] Host authorization/authentication failed or access denied
Apr 22 10:00:07 minglewood cfservd[25985]: [ID 702911 daemon.notice] From (host=cuffs.trdlnk.com,user=root,ip=::ffff:10.10.1.165)
--
This is the -v output from cfrun on the server (cuffs):
[usual header stuff snipped]
Address given by nameserver: 10.10.1.165
Loaded /var/cfengine/ppkeys/localhost.priv
Loaded /var/cfengine/ppkeys/localhost.pub
Looking for a source of entropy in /var/cfengine/randseed
cfrun(0): .......... [ Hailing minglewood.trdlnk.com:5308 ]
..........
WARNING - You do not have a public key from host minglewood.trdlnk.com:5308 = 10.10.1.79
Do you want to accept one on trust? (yes/no)
--> yes
Connect to minglewood.trdlnk.com = 10.10.1.79 on port cfengine
cfrun:cuffs.trdlnk.com : Trusting server identity and willing to accept key from minglewood.trdlnk.com=10.10.1.79
cfrun:cuffs.trdlnk.com : Private decrypt failed = block type is not 02, abandoning
cfrun:cuffs.trdlnk.com : Key-authentication for cuffs.trdlnk.com failed
Connection refused...
--
Here is what minglewood's syslogs say:
--
Apr 22 10:00:07 minglewood cfservd[25985]: [ID 702911 daemon.notice] Challenge response from client ::ffff:10.10.1.165 was incorrect - ID false?
Apr 22 10:00:07 minglewood cfservd[25985]: [ID 702911 daemon.notice] Host authorization/authentication failed or access denied
Apr 22 10:00:07 minglewood cfservd[25985]: [ID 702911 daemon.notice] From (host=cuffs.trdlnk.com,user=root,ip=::ffff:10.10.1.165)
--
Here's the relevant portion of my cfservd.conf:
control:
#basics
domain = ( trdlnk.com )
cfrunCommand = ( "/var/cfengine/bin/cfagent" )
#auth & trust
AllowConnectionsFrom = ( 10.10.1.165 )
AllowUsers = ( root chip )
TrustKeysFrom = ( 10.10.1.165 )
#DenyBadClocks = ( true )
SkipVerify = ( 10.10.1. ) #Tried this on and off, no dice either way
#misc
IfElapsed = ( 1 )
ExpireAfter = ( 15 )
MaxConnections = ( 5 )
MultipleConnections = ( true )
LogAllConnections = ( true )
ChecksumDatabase = ( "/var/cfengine/chksum-srvr.db" )
#########################################################
admit:
/var/cfengine/inputs *
/var/cfengine/bin/cfagent *
/var/cfengine/bin/cfrun *
/var/cfengine/bin/cfservd *
--
And my cfrun:
--
### Configuration
domain = trdlnk.com
maxchild = 1 #also tried 0, no dice
outputdir = /var/cfengine/cfrunlogs
access = root
### Host List
minglewood.trdlnk.com:5308
--
The /etc/services files have the appropriate entries, I have generated
the cfkeys (and deleted/regenerated many times), everything is running
as root, the ppkeys directories look fine, etc. The end result is that
I get a root key for cuffs in minglewood's ppkeys area, but no key file
in cuffs' ppkeys directory, and cfagent does not run remotely.
So my questions are:
1) What is this ::ffff: business before the IP addresses? Looks like a
netmask (which is 16 bit, so if it is the netmask then it is correct).
Is ::<netmask in hex>:<ip address> what one should have here?
2) Given the above situation, is there anything I am doing obviously
wrong? I got these two machines to speak to each other a while ago
using 2.0.5, and I wasn't doing anything different that I recall.
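An added example (not from the post or from the cfengine project) that parses cfservd syslog lines like the ones quoted above: it collapses the IPv4-mapped IPv6 notation ::ffff:a.b.c.d, which is how a dual-stack cfservd logs an IPv4 peer, to a plain IPv4 address, and pairs each denial with the following "From (host=...,user=...,ip=...)" line so failures can be counted per client. The sample log is constructed from the post's lines (unwrapped) plus one invented second client; the regexes assume the Solaris syslog layout shown in the post.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: the post's syslog lines, unwrapped, plus an invented
# second client (other.trdlnk.com) to show per-client grouping.
SAMPLE_LOG = """\
Apr 22 10:00:07 minglewood cfservd[25985]: [ID 702911 daemon.notice] Challenge response from client ::ffff:10.10.1.165 was incorrect - ID false?
Apr 22 10:00:07 minglewood cfservd[25985]: [ID 702911 daemon.notice] Host authorization/authentication failed or access denied
Apr 22 10:00:07 minglewood cfservd[25985]: [ID 702911 daemon.notice] From (host=cuffs.trdlnk.com,user=root,ip=::ffff:10.10.1.165)
Apr 22 10:02:11 minglewood cfservd[25985]: [ID 702911 daemon.notice] Host authorization/authentication failed or access denied
Apr 22 10:02:11 minglewood cfservd[25985]: [ID 702911 daemon.notice] From (host=other.trdlnk.com,user=chip,ip=10.10.1.200)
"""

# Solaris syslog layout from the post: timestamp, host, "cfservd[pid]:", optional "[ID nnn fac.level]", message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) cfservd\[(?P<pid>\d+)\]: "
    r"(?:\[ID \d+ [\w.]+\] )?(?P<msg>.*)$"
)
FROM_RE = re.compile(r"^From \(host=(?P<peer>[^,]+),user=(?P<user>[^,]+),ip=(?P<ip>[^)]+)\)$")
CHALLENGE_RE = re.compile(r"^Challenge response from client \S+ was incorrect")


def normalize_client_ip(text):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to the plain IPv4 address."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def auth_failures(log_text):
    """Count denials per (peer host, user, normalized ip, reason); a denial and its
    'From (...)' attribution are separate syslog lines, paired here by cfservd pid."""
    counts = Counter()
    pending = {}  # pid -> reason awaiting its From line
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a cfservd syslog line; ignore
        pid, msg = m["pid"], m["msg"]
        if CHALLENGE_RE.match(msg):
            pending[pid] = "bad_challenge_response"
        elif msg.startswith("Host authorization/authentication failed"):
            pending.setdefault(pid, "access_denied")  # keep the more specific reason if set
        else:
            f = FROM_RE.match(msg)
            if f and pid in pending:
                key = (f["peer"], f["user"], normalize_client_ip(f["ip"]), pending.pop(pid))
                counts[key] += 1
    return counts
```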