Salt master on -stable and communication with minions on -current 3006.7 version
On 06/03/24 08:43 +0100, Robert Nagy wrote:
> I think we can backport this until there is a new release out.
Please try the following diff:
Index: Makefile
===================================================================
RCS file: /cvs/ports/sysutils/salt/Makefile,v
diff -u -p -u -r1.183 Makefile
--- Makefile 1 Mar 2024 12:02:55 -0000 1.183
+++ Makefile 6 Mar 2024 07:56:07 -0000
@@ -18,6 +18,8 @@ COMMENT = remote execution and configur
MODPY_EGG_VERSION = 3006.7
DISTNAME = salt-${MODPY_EGG_VERSION}
+REVISION = 0
+
CATEGORIES = sysutils net devel
HOMEPAGE = https://saltproject.io/
Index: patches/patch-salt_channel_server_py
===================================================================
RCS file: patches/patch-salt_channel_server_py
diff -N patches/patch-salt_channel_server_py
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-salt_channel_server_py 6 Mar 2024 07:56:07 -0000
@@ -0,0 +1,52 @@
+52d98866200384dbaf3dbdecf66de00ff6d2195c fix: Older keys end with a newline, this breaks minion auth.
+4e72e2f0a57b594c3f7e14cc385a066097a268b2 fix: typo's
+0f4c022fdaabb41962e7fde1baca7bf73122f534 Simply check against cleaned key from disk.
+ecc39aa994c55b22c10320380abf6bd24529496d Refactor and add some tests
+
+Index: salt/channel/server.py
+--- salt/channel/server.py.orig
++++ salt/channel/server.py
+@@ -52,6 +52,16 @@ class ReqServerChannel:
+ transport = salt.transport.request_server(opts, **kwargs)
+ return cls(opts, transport)
+
++ @classmethod
++ def compare_keys(cls, key1, key2):
++ """
++ Normalize and compare two keys
++
++ Returns:
++ bool: ``True`` if the keys match, otherwise ``False``
++ """
++ return salt.crypt.clean_key(key1) == salt.crypt.clean_key(key2)
++
+ def __init__(self, opts, transport):
+ self.opts = opts
+ self.transport = transport
+@@ -371,7 +381,7 @@ class ReqServerChannel:
+ elif os.path.isfile(pubfn):
+ # The key has been accepted, check it
+ with salt.utils.files.fopen(pubfn, "r") as pubfn_handle:
+- if salt.crypt.clean_key(pubfn_handle.read()) != load["pub"]:
++ if not self.compare_keys(pubfn_handle.read(), load["pub"]):
+ log.error(
+ "Authentication attempt from %s failed, the public "
+ "keys did not match. This may be an attempt to compromise "
+@@ -480,7 +490,7 @@ class ReqServerChannel:
+ # case. Otherwise log the fact that the minion is still
+ # pending.
+ with salt.utils.files.fopen(pubfn_pend, "r") as pubfn_handle:
+- if salt.crypt.clean_key(pubfn_handle.read()) != load["pub"]:
++ if not self.compare_keys(pubfn_handle.read(), load["pub"]):
+ log.error(
+ "Authentication attempt from %s failed, the public "
+ "key in pending did not match. This may be an "
+@@ -536,7 +546,7 @@ class ReqServerChannel:
+ # so, pass on doing anything here, and let it get automatically
+ # accepted below.
+ with salt.utils.files.fopen(pubfn_pend, "r") as pubfn_handle:
+- if salt.crypt.clean_key(pubfn_handle.read()) != load["pub"]:
++ if not self.compare_keys(pubfn_handle.read(), load["pub"]):
+ log.error(
+ "Authentication attempt from %s failed, the public "
+ "keys in pending did not match. This may be an "
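Review bot: `compare_keys` now runs `salt.crypt.clean_key` on the minion-supplied `load["pub"]` as well as on the key read from disk, at all three call sites in this patch, and its docstring does not say what "normalize" covers. `clean_key` is not shown here, so it should be confirmed that it alters only surrounding whitespace and line endings (two distinct keys must never normalize to the same string) and that it does not raise when `load["pub"]` is not a string, since the old code compared that value without calling anything on it. I would add a docstring line such as `key2 may be the unauthenticated public key from the auth load; only whitespace and line endings are normalized before the comparison.` The method never uses `cls`, so `@staticmethod` would describe it more accurately, although `self.compare_keys(...)` works either way. The function holding the three call sites starts and ends outside the quoted hunks.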
Index: patches/patch-salt_grains_core_py
===================================================================
RCS file: /cvs/ports/sysutils/salt/patches/patch-salt_grains_core_py,v
diff -u -p -u -r1.12 patch-salt_grains_core_py
--- patches/patch-salt_grains_core_py 28 Apr 2023 18:30:40 -0000 1.12
+++ patches/patch-salt_grains_core_py 6 Mar 2024 07:56:07 -0000
@@ -24,7 +24,7 @@ Index: salt/grains/core.py
return grains
-@@ -2652,10 +2654,12 @@ def os_data():
+@@ -2744,10 +2746,12 @@ def os_data():
# derive osrelease from kernelversion prior to that
grains["osrelease"] = grains["kernelrelease"].split("-")[0]
grains.update(_bsd_cpudata(grains))