authserv issues
https://git.autistici.org/ai/authserv/-/issues
Updated: 2019-05-12T14:39:18Z

authserv memcache exception
https://git.autistici.org/ai/authserv/-/issues/3
Updated: 2019-05-12T14:39:18Z
Author: godog

Does not cause the server to exit! Last exception just keeps repeating
```
May 12 12:11:31 confino ai-auth-server[16069]: [2019-05-12 12:11:31,622] ERROR in app_nginx: Unexpected exception in authenticate()
May 12 12:11:31 confino ai-auth-server[16069]: Traceback (most recent call last):
May 12 12:11:31 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/authserv/app_nginx.py", line 38, in do_nginx_http_auth
May 12 12:11:31 confino ai-auth-server[16069]: username, service, None, password, None, source_ip)
May 12 12:11:31 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/authserv/app_common.py", line 56, in do_auth
May 12 12:11:31 confino ai-auth-server[16069]: source_ip, password_only)
May 12 12:11:31 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/authserv/app_common.py", line 95, in _do_auth
May 12 12:11:31 confino ai-auth-server[16069]: if bl.auth_failure('u', username):
May 12 12:11:31 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/authserv/ratelimit.py", line 124, in auth_failure
May 12 12:11:31 confino ai-auth-server[16069]: return self.blacklist.incr(self.mc, key)
May 12 12:11:31 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/authserv/ratelimit.py", line 101, in incr
May 12 12:11:31 confino ai-auth-server[16069]: if not self.rl.check(mc, key):
May 12 12:11:31 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/authserv/ratelimit.py", line 61, in check
May 12 12:11:31 confino ai-auth-server[16069]: if not mc.add(key, result, time=self.period):
May 12 12:11:31 confino ai-auth-server[16069]: Error: error 31 from memcached_add: (0x55f571427270) A TIMEOUT OCCURRED, No active_fd were found, host: 127.0.0.1:11211 -> libmemcached/io.cc:259
May 12 12:13:33 confino ai-auth-server[16069]: Traceback (most recent call last):
May 12 12:13:33 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/gevent/greenlet.py", line 534, in run
May 12 12:13:33 confino ai-auth-server[16069]: result = self._run(*self.args, **self.kwargs)
May 12 12:13:33 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/gevent/baseserver.py", line 25, in _handle_and_close_when_done
May 12 12:13:33 confino ai-auth-server[16069]: return handle(*args_tuple)
May 12 12:13:33 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/gevent/server.py", line 126, in wrap_socket_and_handle
May 12 12:13:33 confino ai-auth-server[16069]: ssl_socket = self.wrap_socket(client_socket, **self.ssl_args)
May 12 12:13:33 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/gevent/_sslgte279.py", line 691, in wrap_socket
May 12 12:13:33 confino ai-auth-server[16069]: ciphers=ciphers)
May 12 12:13:33 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/gevent/_sslgte279.py", line 271, in __init__
May 12 12:13:33 confino ai-auth-server[16069]: raise x
May 12 12:13:33 confino ai-auth-server[16069]: error: [Errno 0] Error
May 12 12:13:33 confino ai-auth-server[16069]: <Greenlet at 0x7f272d2e6eb0: _handle_and_close_when_done(<bound method WSGIServer.wrap_socket_and_handle of, <bound method WSGIServer.do_close of <WSGIServer a, (<soc
May 12 12:13:33 confino ai-auth-server[16069]: Traceback (most recent call last):
May 12 12:13:33 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/gevent/greenlet.py", line 534, in run
May 12 12:13:33 confino ai-auth-server[16069]: result = self._run(*self.args, **self.kwargs)
May 12 12:13:33 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/gevent/baseserver.py", line 25, in _handle_and_close_when_done
May 12 12:13:33 confino ai-auth-server[16069]: return handle(*args_tuple)
May 12 12:13:33 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/gevent/server.py", line 126, in wrap_socket_and_handle
May 12 12:13:33 confino ai-auth-server[16069]: ssl_socket = self.wrap_socket(client_socket, **self.ssl_args)
May 12 12:13:33 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/gevent/_sslgte279.py", line 691, in wrap_socket
May 12 12:13:33 confino ai-auth-server[16069]: ciphers=ciphers)
May 12 12:13:33 confino ai-auth-server[16069]: File "/usr/lib/python2.7/dist-packages/gevent/_sslgte279.py", line 271, in __init__
May 12 12:13:33 confino ai-auth-server[16069]: raise x
May 12 12:13:33 confino ai-auth-server[16069]: error: [Errno 0] Error
```

authserver spamming memcache with connections
https://git.autistici.org/ai/authserv/-/issues/2
Updated: 2018-11-17T19:03:30Z
Author: godog

It looks like authserver DoSes memcached with connections, memcached runs out of file descriptors and authserver never recovers/timeout.

lsof / pystack (https://github.com/wooparadog/pystack) output:
* [memcache-lsof](/uploads/48300997a81323ed401814a069f7612a/memcache-lsof)
* [ai-auth-server-pystack](/uploads/8abf219ee71902989c28393d05420187/ai-auth-server-pystack)
* [ai-auth-server-lsof](/uploads/c585679fc11db9537a500d211a5ac5ad/ai-auth-server-lsof)

auth_client connection fails with libcurl/GnuTLS
https://git.autistici.org/ai/authserv/-/issues/1
Updated: 2017-11-19T17:44:03Z
Author: ale

It seems that it's just not sending the client certificate. Running the pam checks against the test_integration.py server:
```
FAIL: auth_client_test
======================
[==========] Running 4 tests from 2 test cases.
[----------] Global test environment set-up.
[----------] 1 test from AuthClientCurlInterface
[ RUN ] AuthClientCurlInterface.ErrorConversion
[ OK ] AuthClientCurlInterface.ErrorConversion (0 ms)
[----------] 1 test from AuthClientCurlInterface (0 ms total)
[----------] 3 tests from AuthClient
[ RUN ] AuthClient.NewAndFree
|<2>| p11: loaded provider 'p11-kit-trust' with 1 slots
|<2>| p11: loaded provider 'gnome-keyring' with 0 slots
[ OK ] AuthClient.NewAndFree (2 ms)
[ RUN ] AuthClient.CertSetupFailsWithoutCA
[ OK ] AuthClient.CertSetupFailsWithoutCA (0 ms)
[ RUN ] AuthClient.AuthOK
* Adding handle: conn: 0x22ae140
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x22ae140) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 63127 (#0)
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 63127 (#0)
* found 1 certificates in ../authserv/test/testca/ca.pem
|<2>| ASSERT: x509_b64.c:453
|<2>| Could not find '-----BEGIN RSA PRIVATE KEY'
|<2>| ASSERT: x509_b64.c:453
|<2>| Could not find '-----BEGIN DSA PRIVATE KEY'
|<2>| ASSERT: privkey.c:387
|<2>| Falling back to PKCS #8 key decoding
|<2>| ASSERT: gnutls_constate.c:695
|<2>| EXT[0x22b0ed0]: Sending extension SERVER NAME (14 bytes)
|<2>| EXT[0x22b0ed0]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x22b0ed0]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<2>| EXT[0x22b0ed0]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<2>| ASSERT: ext_signature.c:393
|<2>| ASSERT: ext_signature.c:393
|<2>| ASSERT: auth_cert.c:237
|<2>| errno: 104
|<2>| ASSERT: gnutls_buffers.c:431
|<2>| ASSERT: gnutls_buffers.c:755
|<2>| ASSERT: gnutls_handshake.c:2902
|<2>| ASSERT: gnutls_handshake.c:3122
* gnutls_handshake() failed: Error in the push function.
* Closing connection 0
|<2>| ASSERT: gnutls_record.c:276
auth_client_test.cc:69: Failure
Value of: result
Actual: -135
Expected: 0
authenticate() error: SSL connect error, server=localhost:63127
[ FAILED ] AuthClient.AuthOK (36 ms)
[----------] 3 tests from AuthClient (38 ms total)
[----------] Global test environment tear-down
[==========] 4 tests from 2 test cases ran. (38 ms total)
[ PASSED ] 3 tests.
[ FAILED ] 1 test, listed below:
[ FAILED ] AuthClient.AuthOK
1 FAILED TEST
```