From: paddy <pa...@pa...> - 2005-02-02 16:33:39
|
Hi,

I'm just looking at the heartbeat module in webmin 1.80.
The rest of the box is debian sarge with heartbeat_1.2.3-5.

I'm new to heartbeat, and have no idea yet whether the
authkeys file format has changed.

The authkeys interface doesn't seem to map to the underlying
config file. As I read it the format is something like:

    auth <index-to-use>
    <index> <cipher> <pass>
    <index> <cipher> <pass>
    <index> <cipher> <pass>

such that <index-to-use> specifies which line to actually use.

Examples from the documentation include:

    auth 1
    1 crc
    2 sha1 HI!
    3 md5 Hello!

and

    auth 1
    1 sha1 key-for-sha1-any-text-you-want

A simple hack would start something like:

--- edit_auth.cgi.dist 2005-01-27 18:32:54.000000000 +0000 +++ edit_auth.cgi 2005-02-01 18:50:10.000000000 +0000 @@ -16,11 +16,12 @@ $i = 1; foreach $k ('crc', 'sha1', 'md5') { printf "<input type=radio name=auth value=%d %s> %s\n", - $i, $conf->{'auth'}->[0] == $i ? "checked" : "", + $i, $conf->{"$conf->{'auth'}->[0]"}->[0] eq $k ? "checked" : "", $text{"auth_$k"}; if ($k ne 'crc') { printf "<input name=%s size=20 value='%s'>\n", - $k, $conf->{$i}->[1]; + $k, $conf->{"$conf->{'auth'}->[0]"}->[0] eq $k ? + $conf->{"$conf->{'auth'}->[0]"}->[1] : ""; } print "<br>\n"; $i++;

But as I understand it, having multiple <index,cipher,pass> lines is a
feature.

It may be a little while before I get around to implementing support for
this (assuming that I've read this rightly and that such would be welcome),
and I certainly wouldn't be upset if anyone beat me to it :)

Regards,
Paddy
--
Perl 6 will give you the big knob. -- Larry Wall
|
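Review bot: The lookup `$conf->{"$conf->{'auth'}->[0]"}` in the `+` lines is written out three times and is never checked for existence. If the `auth` line names an index that has no key line, `->[0]` is undef, no radio button ends up checked, and the `eq` comparison warns under `-w`. Resolve it once before the loop, for example `my $active = $conf->{$conf->{'auth'}->[0]};`, and handle the missing case explicitly. The passphrase from `->[1]` is also printed straight into `value='%s'`, so a key containing a quote or `<` breaks the form; HTML-escape it before output. The radio still submits `value=%d` with `$i`, the position in the cipher list, so the code that handles the submitted form should be checked for the same positional assumption this change removes from the display side.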
From: Jamie C. <jca...@we...> - 2005-02-02 22:49:46
|
paddy wrote ..
> Hi,
>
> I'm just looking at the heartbeat module in webmin 1.80.
> The rest of the box is debian sarge with heartbeat_1.2.3-5.
>
> I'm new to heartbeat, and have no idea yet whether the
> authkeys file format has changed.
>
> The authkeys interface doesn't seem to map to the underlying
> config file. As I read it the format is something like:
>
>     auth <index-to-use>
>     <index> <cipher> <pass>
>     <index> <cipher> <pass>
>     <index> <cipher> <pass>
>
> such that <index-to-use> specifies which line to actually use.
>
> Examples from the documentation include:
>
>     auth 1
>     1 crc
>     2 sha1 HI!
>     3 md5 Hello!
>
> and
>
>     auth 1
>     1 sha1 key-for-sha1-any-text-you-want
>
> A simple hack would start something like:
>
> --- edit_auth.cgi.dist 2005-01-27 18:32:54.000000000 +0000 > +++ edit_auth.cgi 2005-02-01 18:50:10.000000000 +0000 > @@ -16,11 +16,12 @@ > $i = 1; > foreach $k ('crc', 'sha1', 'md5') { > printf "<input type=radio name=auth value=%d %s> %s\n", > - $i, $conf->{'auth'}->[0] == $i ? "checked" : "", > + $i, $conf->{"$conf->{'auth'}->[0]"}->[0] eq $k ? "checked" > : "", > $text{"auth_$k"}; > if ($k ne 'crc') { > printf "<input name=%s size=20 value='%s'>\n", > - $k, $conf->{$i}->[1]; > + $k, $conf->{"$conf->{'auth'}->[0]"}->[0] eq $k > ? > + $conf->{"$conf->{'auth'}->[0]"}->[1] : ""; > } > print "<br>\n"; > $i++;
>
> But as I understand it, having multiple <index,cipher,pass> lines is a
> feature.
>
> It may be a little while before I get around to implementing support for
> this (assuming that I've read this rightly and that such would be welcome),
> and I certainly wouldn't be upset if anyone beat me to it :)

The current interface is supposed to handle that auth.cf format ..
Basically, it will allow you to select one of the three modes, and comment
out the ones that are not being used. Do you see any problem with this?

- Jamie
|
From: paddy <pa...@pa...> - 2005-02-03 14:19:48
|
On Thu, Feb 03, 2005 at 09:49:24AM +1100, Jamie Cameron wrote:
>
> The current interface is supposed to handle that auth.cf format ..

The problem I had is as follows:

I set up an authkeys file according to the heartbeat documentation
(GettingStarted.txt lines 350-390 in the version I have), thus:

    auth 1
    1 sha1 foo

When I went to edit_auth, it did not reflect the underlying configuration,
because it does not understand the format - It told me I was using crc.

To reiterate:

edit_auth reads "auth 1" as meaning "auth crc". This works fine if you
only use the numbers thus:

    1 crc
    2 sha1 pass
    3 md5 pass

But will break with other legal authkeys files.

> Basically, it will
> allow you to select one of the three modes, and comment out the ones
> that are not being used. Do you see any problem with this?

I don't pretend to see into the value of having multiple <index,cipher,pass>
lines, as I am not yet familiar with heartbeat, but the note in the sample
authkeys file reads:

    # You normally only have one authentication method-id listed in this file
    #
    # Put more than one to make a smooth transition when changing auth
    # methods and/or keys.

I also found this message:

http://lists.community.tummy.com/pipermail/linux-ha-dev/1999-October/000219.html

which includes the following:

    The purpose of allowing several keys in the authkeys file is to make
    it possible to smoothly switch to a new key in a continuously running
    system.

    Assume you initially are authenticating on key 1:

    You distribute out a new authkeys file to each machine which has key 1
    and a new key 2 both in it. The auth statement at the top still says
    auth 1. Go to next step when this one is done on all nodes.

    You can now distribute a new authkeys file which has the same keys in
    it, but says "auth 2" at the top.
    Go to next step when this one is done on all nodes.

    Distribute a new authkeys file which has only key 2 in it.
    The first key is now repudiated, and is no longer valid.

    None of this disrupts the cluster at all. Modify the authkeys file,
    and send heartbeat a SIGHUP. New authkeys are now in effect.

This makes sense to me, but a gui rendering of this mechanism could offer a
"change authkeys" that abstracts away the underlying mechanism. Perhaps
Webmin already does this bit, I didn't look yet.

I imagine the diehard admin might still be able to find uses for access to
the underlying guts, but then the diehard admin knows where to find ed.

Regards,
Paddy
--
Perl 6 will give you the big knob. -- Larry Wall
|
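Added example, not part of the thread and not Webmin or heartbeat code: a small parser for the authkeys layout described in the messages above that resolves the `auth` number by index rather than by position, plus a check that one step of the quoted key-rotation procedure keeps old and new nodes able to authenticate each other. The function names, the sample keys and the rule that a node signs with its `auth` entry and accepts any entry it lists are assumptions made for the illustration.

```python
# Constructed authkeys files for the rotation steps quoted above (keys are made up).
STEP0 = "auth 1\n1 sha1 old-key\n"
STEP1 = "auth 1\n1 sha1 old-key\n2 sha1 new-key\n"
STEP2 = "auth 2\n1 sha1 old-key\n2 sha1 new-key\n"
STEP3 = "auth 2\n2 sha1 new-key\n"

METHODS = {"crc", "sha1", "md5"}


def parse_authkeys(text):
    """Return (active_index, {index: (method, key)}) for authkeys text."""
    active, keys = None, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)  # the key keeps any inner spaces
        if fields[0] == "auth":
            if len(fields) != 2:
                raise ValueError(f"line {lineno}: expected 'auth <index>'")
            active = fields[1]
            continue
        if len(fields) < 2 or fields[1] not in METHODS:
            raise ValueError(f"line {lineno}: unknown method")
        if fields[1] != "crc" and len(fields) < 3:
            raise ValueError(f"line {lineno}: {fields[1]} needs a key")
        keys[fields[0]] = (fields[1], fields[2] if len(fields) == 3 else None)
    if active not in keys:
        raise ValueError(f"auth {active!r} has no matching key line")
    return active, keys


def active_entry(text):
    """Method and key in use: looked up by index, not by position in the file."""
    active, keys = parse_authkeys(text)
    return keys[active]


def safe_transition(old_text, new_text):
    """True if nodes holding either file still accept each other's packets.

    Assumption: a node signs with its 'auth' entry and accepts any listed entry.
    """
    old_active, old_keys = parse_authkeys(old_text)
    new_active, new_keys = parse_authkeys(new_text)
    old_still_accepted = new_keys.get(old_active) == old_keys[old_active]
    new_already_known = old_keys.get(new_active) == new_keys[new_active]
    return old_still_accepted and new_already_known
```

Skipping a step, such as going from `STEP0` straight to `STEP2`, fails the check because nodes still on the old file have no entry for the new signing key.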
From: Jamie C. <jca...@we...> - 2005-02-03 23:24:39
|
Ah, I see what you mean now - my code was assuming a certain ordering for
the options. The next release of Webmin will fix this ..

- Jamie

paddy wrote ..
> On Thu, Feb 03, 2005 at 09:49:24AM +1100, Jamie Cameron wrote:
> >
> > The current interface is supposed to handle that auth.cf format ..
>
> The problem I had is as follows:
>
> I set up an authkeys file according to the heartbeat documentation
> (GettingStarted.txt lines 350-390 in the version I have), thus:
>
>     auth 1
>     1 sha1 foo
>
> When I went to edit_auth, it did not reflect the underlying configuration,
> because it does not understand the format - It told me I was using crc.
>
> To reiterate:
>
> edit_auth reads "auth 1" as meaning "auth crc". This works fine if you
> only use the numbers thus:
>
>     1 crc
>     2 sha1 pass
>     3 md5 pass
>
> But will break with other legal authkeys files.
>
> > Basically, it will
> > allow you to select one of the three modes, and comment out the ones
> > that are not being used. Do you see any problem with this?
>
> I don't pretend to see into the value of having multiple <index,cipher,pass>
> lines, as I am not yet familiar with heartbeat, but the note in the sample
> authkeys file reads:
>
>     # You normally only have one authentication method-id listed in this file
>     #
>     # Put more than one to make a smooth transition when changing auth
>     # methods and/or keys.
>
> I also found this message:
>
> http://lists.community.tummy.com/pipermail/linux-ha-dev/1999-October/000219.html
>
> which includes the following:
>
>     The purpose of allowing several keys in the authkeys file is to make
>     it possible to smoothly switch to a new key in a continuously running
>     system.
>
>     Assume you initially are authenticating on key 1:
>
>     You distribute out a new authkeys file to each machine which has key 1
>     and a new key 2 both in it. The auth statement at the top still says
>     auth 1. Go to next step when this one is done on all nodes.
>
>     You can now distribute a new authkeys file which has the same keys in
>     it, but says "auth 2" at the top.
>     Go to next step when this one is done on all nodes.
>
>     Distribute a new authkeys file which has only key 2 in it.
>     The first key is now repudiated, and is no longer valid.
>
>     None of this disrupts the cluster at all. Modify the authkeys file,
>     and send heartbeat a SIGHUP. New authkeys are now in effect.
>
> This makes sense to me, but a gui rendering of this mechanism could offer a
> "change authkeys" that abstracts away the underlying mechanism. Perhaps
> Webmin already does this bit, I didn't look yet.
>
> I imagine the diehard admin might still be able to find uses for access to
> the underlying guts, but then the diehard admin knows where to find ed.
>
> Regards,
> Paddy
> --
> Perl 6 will give you the big knob. -- Larry Wall
|
From: paddy <pa...@pa...> - 2005-02-04 09:59:27
|
On Fri, Feb 04, 2005 at 10:24:28AM +1100, Jamie Cameron wrote:
> Ah, I see what you mean now - my code was assuming a certain ordering
> for the options.

Yes.

> The next release of Webmin will fix this ..

Great!

Regards,
Paddy
--
Perl 6 will give you the big knob. -- Larry Wall
|