[Csync2] csync2 and recent gnutls

'Lars Ellenberg' lars.ellenberg at linbit.com
Tue Sep 22 10:44:36 CEST 2009


On Tue, Sep 22, 2009 at 10:14:03AM +0200, Giampaolo Tomassoni wrote:
> >
> > ...omissis...
> >
> > > My idea is that most csync2 ssl users just used the default values in
> > > each node OR used the same certificate in each node. This would allow
> > > the server to announce the DN of its own certificate and then obtain
> > > the client one, since the client certificate would have the same DN.
> > >
> > > Am I right?
> > 
> > Probably ;)
> 
> Good, because this way the patch works. Not the one you got, Lars: I posted
> a new one, which is actually "awaiting operator approval"...
> 
> I can send it to you off-list, if you want.

Since I can simply put on the operator hat as well, there is no need ;)

> 
> 
> > ...omissis...
> >
> > > - It doesn't make sense to me because you may use ssh with csync2
> > already:
> > > just put a "nossl * *" line in your csync2.cfg and invoke the server
> > with
> > > the -i option.
> > 
> > Well, no.
> > Did you try that?
> > It won't work.
> 
> This is the very first line in my csync2.cfg files:
> 
> 	nossl * *;
>
> Please note it is outside of any "group". It works in disabling ssl with my
> xinetd-invoked csync2 servers.
> 
> Since xinetd basically does an accept() and runs csync2 with stdin, stdout and
> stderr redirected to the stream returned by accept(), invoking "csync2 -i"
> from ssh should work too...

No, it won't,
for the reasons and pieces of code I pointed to in that other mail.

in your xinetd setup,
do:

nc $othernode csync2 <<___
CONFIG
HELLO $HOSTNAME
BYE
___

That works just fine.


Then do:
ssh $othernode csync2 -i -vvv <<___
CONFIG
HELLO $HOSTNAME
BYE
___

Here you get:
Can't run getpeername on fd 0: Socket operation on non-socket

because commands run from ssh get their stdin/out/err connected to unix
sockets on the remote end, and csync2 tries to verify the peer address
via getpeername on stdin, assuming stdin to be an ipv4 tcp socket.

(which, btw, is also the reason why csync2 currently does not work with
ipv6 sockets)

It's not difficult to change that. One could simply patch that peername
check away, or add a "--pipe-mode" mode
(similar to imapd pre-authenticated mode, e.g.).

but I'd like to keep at least some plausibility check to avoid
accidental stray connections.

That is why I suggested doing the plausibility check of the peer name
presented via HELLO based on the SSH_CLIENT environment variable.

-- 
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
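The getpeername() failure and the SSH_CLIENT fallback described in the mail above, as an added example in C that is not csync2's own code: it first tries getpeername() on the descriptor (accepting both AF_INET and AF_INET6, so the same path would also cover the IPv6 gap mentioned), falls back to the first field of SSH_CLIENT when the descriptor is a pipe (ENOTSOCK) or the unix socket sshd hands a remote command, and then checks the HELLO host name against the address the transport reported. The function names peer_address(), hello_plausible(), peer_source_for_fd_kind() and fallback_yields(), the KNOWN_PEERS table standing in for a DNS or hosts lookup, and the 192.0.2.x / 2001:db8:: addresses are all constructed for this example.

```c
/* Added example, not csync2 code: peer-address discovery with an
 * SSH_CLIENT fallback, plus a plausibility check for the HELLO name. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

enum peer_source { PEER_UNKNOWN = 0, PEER_INET_SOCKET, PEER_SSH_CLIENT };

/* What csync2 does today: only an AF_INET/AF_INET6 socket yields a peer.
 * A pipe fails with ENOTSOCK; sshd's AF_UNIX socket "succeeds" but is not
 * an IP socket, which we report as EAFNOSUPPORT. */
static int inet_peer_of_fd(int fd, char *out, size_t outlen)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    memset(&ss, 0, sizeof ss);
    if (getpeername(fd, (struct sockaddr *)&ss, &len) < 0)
        return -1;                       /* pipe: errno == ENOTSOCK */
    if (ss.ss_family == AF_INET) {
        struct sockaddr_in *in4 = (struct sockaddr_in *)&ss;
        return inet_ntop(AF_INET, &in4->sin_addr, out, outlen) ? 0 : -1;
    }
    if (ss.ss_family == AF_INET6) {
        struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&ss;
        return inet_ntop(AF_INET6, &in6->sin6_addr, out, outlen) ? 0 : -1;
    }
    errno = EAFNOSUPPORT;                /* AF_UNIX: what ssh gives stdin */
    return -1;
}

/* Fallback: first field of SSH_CLIENT ("client-ip client-port server-port"),
 * accepted only if it parses as a literal IPv4 or IPv6 address. */
static int addr_from_ssh_client(const char *ssh_client, char *out, size_t outlen)
{
    unsigned char tmp[16];
    size_t n;
    if (!ssh_client) return -1;
    n = strcspn(ssh_client, " ");
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, ssh_client, n);
    out[n] = '\0';
    if (inet_pton(AF_INET, out, tmp) == 1 || inet_pton(AF_INET6, out, tmp) == 1)
        return 0;
    return -1;
}

/* Hypothetical "pipe mode" lookup: socket first, SSH_CLIENT second. */
enum peer_source peer_address(int fd, const char *ssh_client, char *out, size_t outlen)
{
    if (outlen == 0) return PEER_UNKNOWN;
    if (inet_peer_of_fd(fd, out, outlen) == 0) return PEER_INET_SOCKET;
    if (addr_from_ssh_client(ssh_client, out, outlen) == 0) return PEER_SSH_CLIENT;
    out[0] = '\0';
    return PEER_UNKNOWN;
}

/* Plausibility check: the HELLO name must map to the reported address.
 * KNOWN_PEERS is constructed data standing in for a DNS/hosts lookup. */
struct known_peer { const char *name; const char *addr; };
static const struct known_peer KNOWN_PEERS[] = {
    { "node1.example.org", "192.0.2.10" },
    { "node2.example.org", "2001:db8::2" },
};

int hello_plausible(const char *hello_name, const char *peer_addr)
{
    size_t i;
    for (i = 0; i < sizeof KNOWN_PEERS / sizeof KNOWN_PEERS[0]; i++)
        if (strcasecmp(KNOWN_PEERS[i].name, hello_name) == 0)
            return strcmp(KNOWN_PEERS[i].addr, peer_addr) == 0;
    return 0;                            /* unknown name: reject */
}

/* Build the two stdin shapes from the mail and run the lookup on them:
 * kind 0 = pipe, kind 1 = AF_UNIX socketpair (the ssh case). */
int peer_source_for_fd_kind(int kind, const char *ssh_client, char *out, size_t outlen)
{
    int fds[2], rc;
    if (kind == 0) rc = pipe(fds);
    else rc = socketpair(AF_UNIX, SOCK_STREAM, 0, fds);
    if (rc < 0) return -1;
    rc = peer_address(fds[0], ssh_client, out, outlen);
    close(fds[0]);
    close(fds[1]);
    return rc;
}

/* 1 iff the SSH_CLIENT fallback kicks in and yields exactly expected_addr. */
int fallback_yields(int kind, const char *ssh_client, const char *expected_addr)
{
    char buf[INET6_ADDRSTRLEN];
    int src = peer_source_for_fd_kind(kind, ssh_client, buf, sizeof buf);
    return src == PEER_SSH_CLIENT && strcmp(buf, expected_addr) == 0;
}

int main(void)
{
    char addr[INET6_ADDRSTRLEN];
    int src = peer_source_for_fd_kind(1, getenv("SSH_CLIENT"), addr, sizeof addr);
    printf("unix-socket stdin: source=%d addr=%s\n", src, addr);
    return 0;
}
```

Run under `ssh $othernode ./a.out` the socketpair case reports PEER_SSH_CLIENT with the connecting address; run from a plain terminal with no SSH_CLIENT it reports PEER_UNKNOWN, which is the "stray connection" case the plausibility check is meant to refuse.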

