Hi Robert,

I reinstalled salt_master with your patch, and it solves the issue.
Reinstalled salt 3006.3 from 7.4 on some hosts and reconnected to the
master without any issues.

Thanks!

Best regards

Uwe

On 06 Mar 08:56, Robert Nagy wrote:
> On 06/03/24 08:43 +0100, Robert Nagy wrote:
> > I think we can backport this until there is a new release out.
> 
> Please try the following diff:
> 
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/sysutils/salt/Makefile,v
> diff -u -p -u -r1.183 Makefile
> --- Makefile  1 Mar 2024 12:02:55 -0000       1.183
> +++ Makefile  6 Mar 2024 07:56:07 -0000
> @@ -18,6 +18,8 @@ COMMENT =           remote execution and configur
>  MODPY_EGG_VERSION =  3006.7
>  DISTNAME =           salt-${MODPY_EGG_VERSION}
>  
> +REVISION =           0
> +
>  CATEGORIES =         sysutils net devel
>  
>  HOMEPAGE =           https://saltproject.io/
> Index: patches/patch-salt_channel_server_py
> ===================================================================
> RCS file: patches/patch-salt_channel_server_py
> diff -N patches/patch-salt_channel_server_py
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-salt_channel_server_py      6 Mar 2024 07:56:07 -0000
> @@ -0,0 +1,52 @@
> +52d98866200384dbaf3dbdecf66de00ff6d2195c fix: Older keys end with a newline, 
> this breaks minion auth.
> +4e72e2f0a57b594c3f7e14cc385a066097a268b2 fix: typo's
> +0f4c022fdaabb41962e7fde1baca7bf73122f534 Simply check against cleaned key 
> from disk.
> +ecc39aa994c55b22c10320380abf6bd24529496d Refactor and add some tests
> +
> +Index: salt/channel/server.py
> +--- salt/channel/server.py.orig
> ++++ salt/channel/server.py
> +@@ -52,6 +52,16 @@ class ReqServerChannel:
> +         transport = salt.transport.request_server(opts, **kwargs)
> +         return cls(opts, transport)
> + 
> ++    @classmethod
> ++    def compare_keys(cls, key1, key2):
> ++        """
> ++        Normalize and compare two keys
> ++
> ++        Returns:
> ++            bool: ``True`` if the keys match, otherwise ``False``
> ++        """
> ++        return salt.crypt.clean_key(key1) == salt.crypt.clean_key(key2)
> ++
> +     def __init__(self, opts, transport):
> +         self.opts = opts
> +         self.transport = transport
> +@@ -371,7 +381,7 @@ class ReqServerChannel:
> +         elif os.path.isfile(pubfn):
> +             # The key has been accepted, check it
> +             with salt.utils.files.fopen(pubfn, "r") as pubfn_handle:
> +-                if salt.crypt.clean_key(pubfn_handle.read()) != load["pub"]:
> ++                if not self.compare_keys(pubfn_handle.read(), load["pub"]):
> +                     log.error(
> +                         "Authentication attempt from %s failed, the public "
> +                         "keys did not match. This may be an attempt to 
> compromise "
> +@@ -480,7 +490,7 @@ class ReqServerChannel:
> +                 # case. Otherwise log the fact that the minion is still
> +                 # pending.
> +                 with salt.utils.files.fopen(pubfn_pend, "r") as 
> pubfn_handle:
> +-                    if salt.crypt.clean_key(pubfn_handle.read()) != 
> load["pub"]:
> ++                    if not self.compare_keys(pubfn_handle.read(), 
> load["pub"]):
> +                         log.error(
> +                             "Authentication attempt from %s failed, the 
> public "
> +                             "key in pending did not match. This may be an "
> +@@ -536,7 +546,7 @@ class ReqServerChannel:
> +                 # so, pass on doing anything here, and let it get 
> automatically
> +                 # accepted below.
> +                 with salt.utils.files.fopen(pubfn_pend, "r") as 
> pubfn_handle:
> +-                    if salt.crypt.clean_key(pubfn_handle.read()) != 
> load["pub"]:
> ++                    if not self.compare_keys(pubfn_handle.read(), 
> load["pub"]):
> +                         log.error(
> +                             "Authentication attempt from %s failed, the 
> public "
> +                             "keys in pending did not match. This may be an "
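Review bot: A malformed or non-string `load["pub"]` can now raise inside `compare_keys` instead of taking the existing "keys did not match" log path, because the new helper at `@@ -52,6 +52,16 @@` passes the minion-supplied value to `salt.crypt.clean_key`, which the removed comparison never did (it cleaned only the key read from disk and compared the wire value as-is). If `clean_key` assumes a `str` — its body is not on this page — the helper should reject anything else up front, e.g. `if not isinstance(key1, str) or not isinstance(key2, str): return False`; since the same replacement is made at the two pending-key call sites at `@@ -480` and `@@ -536`, one guard in the helper covers all three. `cls` is unused in the body, so `@staticmethod` describes the helper more accurately than `@classmethod`, and the docstring could state that both keys are normalised with `salt.crypt.clean_key` before being compared. Each of the three edited comparisons sits inside a method whose start and end lie outside its hunk.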
> Index: patches/patch-salt_grains_core_py
> ===================================================================
> RCS file: /cvs/ports/sysutils/salt/patches/patch-salt_grains_core_py,v
> diff -u -p -u -r1.12 patch-salt_grains_core_py
> --- patches/patch-salt_grains_core_py 28 Apr 2023 18:30:40 -0000      1.12
> +++ patches/patch-salt_grains_core_py 6 Mar 2024 07:56:07 -0000
> @@ -24,7 +24,7 @@ Index: salt/grains/core.py
>       return grains
>   
>   
> -@@ -2652,10 +2654,12 @@ def os_data():
> +@@ -2744,10 +2746,12 @@ def os_data():
>               # derive osrelease from kernelversion prior to that
>               grains["osrelease"] = grains["kernelrelease"].split("-")[0]
>           grains.update(_bsd_cpudata(grains))

-- 
wq: ~uw
