CFEngine Community / CFE-1714

cf_lastseen can end up in an inconsistent state


    Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.7.0
    • Component/s: Internal Databases
    • Labels: None

      Description

      Somehow (probably related to our internal multi-route setup) our AIX test server host got to the point of having the following in the lastseen database:
      <pre>
      # bin/lmdump -a cf_lastseen.lmdb
      key: 3000ae02[16] a10.100.1.2, data: 3000ae12[69] SHA=177b221a7c66c10c970c7f40cb3be74e39ad25062ca03d9a4f2a82d9e4a8cd4a
      key: 3000aebe[12] a10.2.0.2, data: 3000aeca[69] SHA=177b221a7c66c10c970c7f40cb3be74e39ad25062ca03d9a4f2a82d9e4a8cd4a
      key: 3000ae60[70] kSHA=177b221a7c66c10c970c7f40cb3be74e39ad25062ca03d9a4f2a82d9e4a8cd4a, data: 3000aea6[15] 10.100.1.2
      key: 3000af18[71] qiSHA=177b221a7c66c10c970c7f40cb3be74e39ad25062ca03d9a4f2a82d9e4a8cd4a, data: 3000af5f[40] T2ֵ
      key: 3000af90[71] qoSHA=177b221a7c66c10c970c7f40cb3be74e39ad25062ca03d9a4f2a82d9e4a8cd4a, data: 3000afd7[40] T2�@
      </pre>

      Furthermore, the duplicate key entries are completely invisible to cf-key; everything seems normal when running it, and the bogus IP is hidden:
      <pre>
      # /var/cfengine/bin/cf-key -s
      Direction IP Name Last connection Key
      Incoming 10.100.1.2 - Mon Oct 6 13:06:48 2014 SHA=177b221a7c66c10c970c7f40cb3be74e39ad25062ca03d9a4f2a82d9e4a8cd4a
      Outgoing 10.100.1.2 - Mon Oct 6 13:09:20 2014 SHA=177b221a7c66c10c970c7f40cb3be74e39ad25062ca03d9a4f2a82d9e4a8cd4a
      Total Entries: 2
      </pre>

      This causes <code>Address2HostKeyInDB()</code> to return false and silently manipulate lastseen. As a result trust fails:

      <pre>
      Connected to host 10.100.1.2 address 10.100.1.2 port 5308
      skipidentify was promised, so we are trusting and simply announcing the identity as 'aixbuild53-2' for this host
      SendTransaction header: t 39
      SendTransaction data: CAUTH 10.100.230.44 aixbuild53-2 root 0
      Selecting FIPS compliant encryption option
      Key for host '10.100.1.2' not found in lastseen db
      Did not find new key format '/var/cfengine/ppkeys/root-.pub'
      Trying old style '/var/cfengine/ppkeys/root-10.100.1.2.pub'
      Did not have old-style key '/var/cfengine/ppkeys/root-10.100.1.2.pub'
      </pre>

      TODO: <code>log()</code> whatever manipulation of lastseen takes place, and figure out a way to retain trust to the proper IP address.
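The dump above shows two 'a' (address to key) entries for one hostkey while the single 'k' (key to address) entry points back to only one of them, which is exactly the state cf-key hides. The following added example (not part of the issue or of CFEngine) parses `lmdump -a` output and reports every address whose forward and reverse lastseen entries do not round-trip; the sample dump is constructed from the entries quoted in the report, and `LINE_RE` is an assumed pattern for that output format.

```python
import re

# Hostkey quoted in the report above, reused here only as sample data.
KEY = "SHA=177b221a7c66c10c970c7f40cb3be74e39ad25062ca03d9a4f2a82d9e4a8cd4a"

# Constructed dump in `lmdump -a` output format, mirroring the reported state: two
# 'a' (address -> key) entries claim the same key, but the single 'k' (key ->
# address) entry points back to only one of them; 'qi'/'qo' records are binary.
SAMPLE_DUMP = f"""\
key: 3000ae02[16] a10.100.1.2, data: 3000ae12[69] {KEY}
key: 3000aebe[12] a10.2.0.2, data: 3000aeca[69] {KEY}
key: 3000ae60[70] k{KEY}, data: 3000aea6[15] 10.100.1.2
key: 3000af18[71] qi{KEY}, data: 3000af5f[40] <binary quality record>
"""

LINE_RE = re.compile(r"key: \w+\[\d+\] (?P<key>.+?), data: \w+\[\d+\] (?P<data>.*)")


def parse_lmdump(text: str) -> tuple[dict[str, str], dict[str, str]]:
    """Return (address -> hostkey, hostkey -> address) maps from an lmdump listing."""
    addr_to_key: dict[str, str] = {}
    key_to_addr: dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        k, data = m.group("key"), m.group("data").strip()
        if k.startswith("a"):          # 'a<ip>' -> hostkey
            addr_to_key[k[1:]] = data
        elif k.startswith("k"):        # 'k<hostkey>' -> ip; 'qi'/'qo' are skipped
            key_to_addr[k[1:]] = data
    return addr_to_key, key_to_addr


def find_inconsistencies(addr_to_key: dict[str, str],
                         key_to_addr: dict[str, str]) -> list[tuple[str, str, str]]:
    """List (address, hostkey, problem) for every entry that does not round-trip."""
    problems = []
    for addr, key in sorted(addr_to_key.items()):
        back = key_to_addr.get(key)
        if back is None:
            problems.append((addr, key, "no 'k' entry for this hostkey"))
        elif back != addr:
            problems.append((addr, key, f"'k' entry points to {back} instead"))
    for key, addr in sorted(key_to_addr.items()):
        if addr_to_key.get(addr) != key:
            problems.append((addr, key, "'a' entry missing or maps to another key"))
    return problems


FINDINGS = find_inconsistencies(*parse_lmdump(SAMPLE_DUMP))
```

On the sample this flags 10.2.0.2 as the address whose lookup would not round-trip, while 10.100.1.2 (the only address cf-key displays) passes.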

              People

              Assignee: jimis (Dimitrios Apostolou)
              Reporter: jimis (Dimitrios Apostolou)
