add: I have now connected minions (Alpine/Linux and OpenBSD 7.4 and current) with version 3006.3, 3006.6 and 3006.7 to master with 3006.7.
On 06 Mar 15:11, Uwe Werler wrote: > Hi Robert, > > I reinstalled salt_master with Your patch and it solves the issue. > Reinstalled salt 3006.3 from 7.4 on some hosts and reconnected to the > master without any issues. > > Thanks! > > Best regards > > Uwe > > On 06 Mar 08:56, Robert Nagy wrote: > > On 06/03/24 08:43 +0100, Robert Nagy wrote: > > > I think we can backport this until there is a new release out. > > > > Please try the following diff: > >
> > Index: Makefile
> > ===================================================================
> > RCS file: /cvs/ports/sysutils/salt/Makefile,v
> > diff -u -p -u -r1.183 Makefile
> > --- Makefile 1 Mar 2024 12:02:55 -0000 1.183
> > +++ Makefile 6 Mar 2024 07:56:07 -0000
> > @@ -18,6 +18,8 @@ COMMENT = remote execution and configur
> > MODPY_EGG_VERSION = 3006.7
> > DISTNAME = salt-${MODPY_EGG_VERSION}
> >
> > +REVISION = 0
> > +
> > CATEGORIES = sysutils net devel
> >
> > HOMEPAGE = https://saltproject.io/
> > Index: patches/patch-salt_channel_server_py
> > ===================================================================
> > RCS file: patches/patch-salt_channel_server_py
> > diff -N patches/patch-salt_channel_server_py
> > --- /dev/null 1 Jan 1970 00:00:00 -0000
> > +++ patches/patch-salt_channel_server_py 6 Mar 2024 07:56:07 -0000
> > @@ -0,0 +1,52 @@
> > +52d98866200384dbaf3dbdecf66de00ff6d2195c fix: Older keys end with a
> > newline, this breaks minion auth.
> > +4e72e2f0a57b594c3f7e14cc385a066097a268b2 fix: typo's
> > +0f4c022fdaabb41962e7fde1baca7bf73122f534 Simply check against cleaned key
> > from disk.
> > +ecc39aa994c55b22c10320380abf6bd24529496d Refactor and add some tests
> > +
> > +Index: salt/channel/server.py
> > +--- salt/channel/server.py.orig
> > ++++ salt/channel/server.py
> > +@@ -52,6 +52,16 @@ class ReqServerChannel:
> > + transport = salt.transport.request_server(opts, **kwargs)
> > + return cls(opts, transport)
> > +
> > ++ @classmethod
> > ++ def compare_keys(cls, key1, key2):
> > ++ """
> > ++ Normalize and compare two keys
> > ++
> > ++ Returns:
> > ++ bool: ``True`` if the keys match, otherwise ``False``
> > ++ """
> > ++ return salt.crypt.clean_key(key1) == salt.crypt.clean_key(key2)
> > ++
> > + def __init__(self, opts, transport):
> > + self.opts = opts
> > + self.transport = transport
> > +@@ -371,7 +381,7 @@ class ReqServerChannel:
> > + elif os.path.isfile(pubfn):
> > + # The key has been accepted, check it
> > + with salt.utils.files.fopen(pubfn, "r") as pubfn_handle:
> > +- if salt.crypt.clean_key(pubfn_handle.read()) !=
> > load["pub"]:
> > ++ if not self.compare_keys(pubfn_handle.read(),
> > load["pub"]):
> > + log.error(
> > + "Authentication attempt from %s failed, the
> > public "
> > + "keys did not match. This may be an attempt to
> > compromise "
> > +@@ -480,7 +490,7 @@ class ReqServerChannel:
> > + # case. Otherwise log the fact that the minion is still
> > + # pending.
> > + with salt.utils.files.fopen(pubfn_pend, "r") as
> > pubfn_handle:
> > +- if salt.crypt.clean_key(pubfn_handle.read()) !=
> > load["pub"]:
> > ++ if not self.compare_keys(pubfn_handle.read(),
> > load["pub"]):
> > + log.error(
> > + "Authentication attempt from %s failed, the
> > public "
> > + "key in pending did not match. 
This may be an
> > "
> > +@@ -536,7 +546,7 @@ class ReqServerChannel:
> > + # so, pass on doing anything here, and let it get
> > automatically
> > + # accepted below.
> > + with salt.utils.files.fopen(pubfn_pend, "r") as
> > pubfn_handle:
> > +- if salt.crypt.clean_key(pubfn_handle.read()) !=
> > load["pub"]:
> > ++ if not self.compare_keys(pubfn_handle.read(),
> > load["pub"]):
> > + log.error(
> > + "Authentication attempt from %s failed, the
> > public "
> > + "keys in pending did not match. This may be
> > an "
> > Index: patches/patch-salt_grains_core_py
> > ===================================================================
> > RCS file: /cvs/ports/sysutils/salt/patches/patch-salt_grains_core_py,v
> > diff -u -p -u -r1.12 patch-salt_grains_core_py
> > --- patches/patch-salt_grains_core_py 28 Apr 2023 18:30:40 -0000
> > 1.12
> > +++ patches/patch-salt_grains_core_py 6 Mar 2024 07:56:07 -0000
> > @@ -24,7 +24,7 @@ Index: salt/grains/core.py
> > return grains
> >
> >
> > -@@ -2652,10 +2654,12 @@ def os_data():
> > +@@ -2744,10 +2746,12 @@ def os_data():
> > # derive osrelease from kernelversion prior to that
> > grains["osrelease"] = grains["kernelrelease"].split("-")[0]
> > grains.update(_bsd_cpudata(grains))
> > -- > wq: ~uw -- wq: ~uw
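Review bot: `compare_keys` (inner hunk `@@ -52,6 +52,16 @@`) now passes the minion-supplied `load["pub"]` through `salt.crypt.clean_key` as well, so what that helper strips defines what the master treats as a matching key at all three call sites, and `clean_key` itself is not shown in this patch. The docstring should state the tolerance explicitly, for example `Keys are compared after salt.crypt.clean_key(); differences it removes, such as a trailing newline, do not count as a mismatch.` The header lists an upstream commit that adds tests, but the port carries only the `server.py` change, so it is worth confirming locally that a key with a different body is still rejected and lands in the `log.error` branch. The method does not use `cls` and could be a `@staticmethod`, though staying identical to upstream keeps the patch easy to drop at the next release. The authentication function around the three call-site hunks starts and ends outside them.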