[Csync2] csync2 and recent gnutls
Giampaolo Tomassoni
g.tomassoni at libero.it
Tue Sep 22 11:20:55 CEST 2009
> > Since xinetd basically does an accept() and runs csync2 with stdin, stdout and
> > stderr redirected to the stream returned by accept(), invoking "csync2 -i"
> > from ssh should work too...
>
> no, it won't,
> for reasons and pieces of code I pointed to in that other mail.
>
> in your xinetd setup,
> do:
>
> nc $othernode csync2 <<___
> CONFIG
> HELLO $HOSTNAME
> BYE
> ___
>
> That works just fine.
>
>
> then do
> ssh $othernode csync2 -i -vvv <<___
> CONFIG
> HELLO $HOSTNAME
> BYE
> ___
>
> here you get:
> Can't run getpeername on fd 0: Socket operation on non-socket
You're right.
> because commands run from ssh get their stdin/out/err connected to unix
> sockets on the remote end, and csync2 tries to verify the peer address
> via getpeername on stdin, assuming stdin to be an ipv4 tcp socket.
No, here you're not ;) It is not unix sockets, but pty devices.
One may attempt to use ssh -T ..., but I get pipes on my Linux.
This is of course because ssh has to do all that auth and crypto work on
data. Sorry, I didn't mind it.
> (which, btw, is also the reason why csync2 currently does not work with
> ipv6 sockets)
>
> It's not difficult to change that. One could simply patch that peername
> check away, or add a "--pipe-mode" mode
> (similar to imapd pre-authenticated mode, e.g.).
>
> but I'd like to keep at least some plausibility check to avoid
> accidental stray connections.
>
> That is why I suggested to do the plausibility check for the via HELLO
> presented peer name based on the SSH_CLIENT environment variable.
I now understand the problem, Lars.
However, the patch proposed in this thread is not going to solve it: it is
only meant as a fix.
Giampaolo
>
> --
> : Lars Ellenberg
> : LINBIT | Your Way to High Availability
> : DRBD/HA support and consulting http://www.linbit.com
>
> DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
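
Added example, not part of the original message or of csync2's source: one way to obtain the peer address for the plausibility check discussed above. It uses getpeername() with sockaddr_storage when fd 0 is a TCP socket (IPv4 or IPv6) and falls back to SSH_CLIENT when it is a pty, pipe or unix socket; peer_address() is a hypothetical helper name.

```c
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not csync2's API): writes the numeric peer address
 * for fd into buf. Returns 0 if it came from getpeername() (xinetd case),
 * 1 if it came from SSH_CLIENT, -1 if there is no plausible peer. */
int peer_address(int fd, char *buf, size_t len)
{
    struct stat st;
    if (fstat(fd, &st) == 0 && S_ISSOCK(st.st_mode)) {
        struct sockaddr_storage ss;      /* fits both IPv4 and IPv6 */
        socklen_t sl = sizeof ss;
        if (getpeername(fd, (struct sockaddr *)&ss, &sl) == 0 &&
            (ss.ss_family == AF_INET || ss.ss_family == AF_INET6) &&
            getnameinfo((struct sockaddr *)&ss, sl, buf, (socklen_t)len,
                        NULL, 0, NI_NUMERICHOST) == 0)
            return 0;
    }
    /* pty, pipe or unix socket: sshd exports
     * SSH_CLIENT="<client addr> <client port> <server port>" */
    const char *env = getenv("SSH_CLIENT");
    if (env == NULL)
        return -1;
    size_t n = strcspn(env, " ");        /* length of the address field */
    if (n == 0 || n >= len)
        return -1;
    memcpy(buf, env, n);
    buf[n] = '\0';
    return 1;
}

int main(void)
{
    char addr[64];
    int src = peer_address(STDIN_FILENO, addr, sizeof addr);
    if (src < 0) {
        fprintf(stderr, "no plausible peer on fd 0, refusing\n");
        return 1;
    }
    /* The caller would compare addr with what the HELLO name resolves to. */
    printf("peer %s (via %s)\n", addr, src ? "SSH_CLIENT" : "getpeername");
    return 0;
}
```

SSH_CLIENT is an ordinary environment variable, so the fallback only means something when the process was started by sshd; it is a plausibility check against stray connections, not authentication.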