[Csync2] csync2 and recent gnutls

Giampaolo Tomassoni g.tomassoni at libero.it
Tue Sep 22 11:20:55 CEST 2009


> > Since xinetd basically does an accept() and runs csync2 with stdin, stdout and
> > stderr redirected to the stream returned by accept(), invoking "csync2 -i"
> > from ssh should work too...
> 
> no, it won't,
> for reasons and pieces of code I pointed to in that other mail.
> 
> in your xinetd setup,
> do:
> 
> nc $othernode csync2 <<___
> CONFIG
> HELLO $HOSTNAME
> BYE
> ___
> 
> That works just fine.
> 
> 
> then do
> ssh $othernode csync2 -i -vvv <<___
> CONFIG
> HELLO $HOSTNAME
> BYE
> ___
> 
> here you get:
> Can't run getpeername on fd 0: Socket operation on non-socket

You're right.


> because commands run from ssh get their stdin/out/err connected to unix
> sockets on the remote end, and csync2 tries to verify the peer address
> via getpeername on stdin, assuming stdin to be an ipv4 tcp socket.

No, here you're not ;) It is not unix sockets, but pty devices.

One may attempt to use ssh -T ..., but I get pipes on my Linux.

This is of course because ssh has to do all that auth and crypto work on
data. Sorry, I didn't mind it.


> (which, btw, is also the reason why csync2 currently does not work with
> ipv6 sockets)
> 
> It's not difficult to change that. One could simply patch that peername
> check away, or add a "--pipe-mode" mode
> (similar to imapd pre-authenticated mode, e.g.).
> 
> but I'd like to keep at least some plausibility check to avoid
> accidental stray connections.
> 
> That is why I suggested to do the plausibility check for the via HELLO
> presented peer name based on the SSH_CLIENT environment variable.

I now understand the problem, Lars.

However, the patch proposed in this thread is not going to solve it: it is
only meant as a fix.

Giampaolo


> 
> --
> : Lars Ellenberg
> : LINBIT | Your Way to High Availability
> : DRBD/HA support and consulting http://www.linbit.com
> 
> DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
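The fallback discussed in this message (take the peer from the socket when stdin is one, otherwise from the SSH_CLIENT variable) can be sketched in C as follows. This is an added example, not csync2 code and not the patch discussed in the thread; the function names are hypothetical, and `sockaddr_storage` with `getnameinfo` is used so the socket path also covers IPv6.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not csync2 source; function names are hypothetical. */
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Numeric peer address of fd, or -1 if fd is not an IPv4/IPv6 socket.
 * On a pty or pipe (the ssh case) getpeername fails with ENOTSOCK. */
int peer_from_fd(int fd, char *out, size_t len)
{
    struct sockaddr_storage ss;   /* large enough for IPv4 and IPv6 */
    socklen_t sl = sizeof ss;
    if (getpeername(fd, (struct sockaddr *)&ss, &sl) != 0) return -1;
    if (ss.ss_family != AF_INET && ss.ss_family != AF_INET6) return -1;
    return getnameinfo((struct sockaddr *)&ss, sl, out, (socklen_t)len,
                       NULL, 0, NI_NUMERICHOST) == 0 ? 0 : -1;
}

/* sshd sets SSH_CLIENT to "client_ip client_port server_port".
 * Take the first field and accept it only if it parses as an address. */
int peer_from_ssh_client(const char *val, char *out, size_t len)
{
    unsigned char buf[sizeof(struct in6_addr)];
    size_t n = val ? strcspn(val, " ") : 0;
    if (n == 0 || n >= len) return -1;
    memcpy(out, val, n); out[n] = '\0';
    return (inet_pton(AF_INET, out, buf) == 1 ||
            inet_pton(AF_INET6, out, buf) == 1) ? 0 : -1;
}

/* Socket peer first (xinetd case), then SSH_CLIENT (ssh case). */
int peer_address(int fd, char *out, size_t len)
{
    if (peer_from_fd(fd, out, len) == 0) return 0;
    return peer_from_ssh_client(getenv("SSH_CLIENT"), out, len);
}

int main(void)
{
    char addr[INET6_ADDRSTRLEN];
    if (peer_address(0, addr, sizeof addr) != 0) return 1;
    return puts(addr) == EOF;
}
```

The address returned would then be compared against the peer name presented via HELLO; it serves as a plausibility check against stray connections, not as authentication.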


