[one-users] Sunstone login failure - bad decrypt
Carlos Jiménez
cjimenez at eneotecnologia.com
Mon Apr 9 07:48:12 PDT 2012
Hi Carlos,
Regarding the update of the serveradmin password, I
thought it was enough to use the 'oneuser passwd' command. It seems I was
wrong. Therefore, I've tried this:
1. 'oneuser passwd 1 password'
2. Editing sunstone_auth and modifying the password field (from
"32e5b0cdcc08c836dfac6a598695fd2e84acebc0" to "password").
3. Log in to the Sunstone Web Interface with oneadmin credentials
I think that matches the procedure explained in the documentation.
However, the result has been the same as previously (failure), but in
this case, oned.log showed a message related to the use of a key length
too short. This is the output:
Mon Apr 9 16:28:17 2012 [ReM][D]: UserPoolInfo method invoked
Mon Apr 9 16:28:17 2012 [AuM][D]: Message received: LOG I 0 Command
execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate
'serveradmin' 'password'
JiInGlGUMB3IBo5GK9w3q9POxvRC8z/NdZLtEQpuno4jkwpY1kQDn0gO4ao3hol/
Mon Apr 9 16:28:17 2012 [AuM][I]: Command execution fail:
/var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
'password' JiInGlGUMB3IBo5GK9w3q9POxvRC8z/NdZLtEQpuno4jkwpY1kQDn0gO4ao3hol/
Mon Apr 9 16:28:17 2012 [AuM][D]: Message received: LOG E 0 key length
too short
Mon Apr 9 16:28:17 2012 [AuM][I]: key length too short
Mon Apr 9 16:28:17 2012 [AuM][D]: Message received: LOG I 0 ExitCode: 255
Mon Apr 9 16:28:17 2012 [AuM][I]: ExitCode: 255
Mon Apr 9 16:28:17 2012 [AuM][D]: Message received: AUTHENTICATE
FAILURE 0 key length too short
Mon Apr 9 16:28:17 2012 [AuM][E]: Auth Error: key length too short
Mon Apr 9 16:28:17 2012 [ReM][E]: [UserPoolInfo] User couldn't be
authenticated, aborting call.
Additional information:
### sunstone_auth ###
serveradmin:password
### 'oneuser list -x' ###
<USER_POOL>
<USER>
<ID>0</ID>
<GID>0</GID>
<GNAME>oneadmin</GNAME>
<NAME>oneadmin</NAME>
<PASSWORD>b29f6e6fed87fb100ae2e5921d66eb76d5670af7</PASSWORD>
<AUTH_DRIVER>core</AUTH_DRIVER>
<ENABLED>1</ENABLED>
<TEMPLATE/>
</USER>
<USER>
<ID>1</ID>
<GID>0</GID>
<GNAME>oneadmin</GNAME>
<NAME>serveradmin</NAME>
<PASSWORD>password</PASSWORD>
<AUTH_DRIVER>server_cipher</AUTH_DRIVER>
<ENABLED>1</ENABLED>
<TEMPLATE/>
</USER>
</USER_POOL>
I thought it was enough to use oneuser and edit sunstone-auth. Does it
require additional actions?
Thanks,
Carlos.
On 04/09/2012 10:51 AM, Carlos Martín Sánchez wrote:
> Hi,
>
> serveradmin is a special user that the servers, like sunstone, use to
> forward user requests to the core. You can't log in with that user.
>
> You have more information about the opennebula authentication here
> [1], and what is the serveradmin account here [2]. In that second link
> you will also find how to configure the servers to use the updated
> serveradmin password you set.
>
> Regards
>
> [1] http://www.opennebula.org/documentation:rel3.2:external_auth
> [2] http://www.opennebula.org/documentation:rel3.2:cloud_auth
>
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - The Open-source Solution for Data Center Virtualization
> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula
>
>
>
> 2012/4/8 Carlos Jiménez <cjimenez at eneotecnologia.com>
>
> Hello everybody,
>
> I have four computers with CentOS 6.2: 1 running as an NFS Server,
> 2 as Hosts with the KVM hypervisor installed and 1 as a Front-End with
> OpenNebula 3.2.1 installed.
> According to the documentation, ssh, oneadmin uid/gid, user
> profile (shared between all the computers by using NFS)... all of
> them have been set up.
> Additionally, I've installed and configured the front-end server
> to use MySQL instead of SQLite. After granting the right
> permissions to the opennebula table for the oneadmin user and once
> I've modified /etc/one/oned.conf DB options, this part is running
> fine too.
>
> I've used oneuser to modify the password of serveradmin and it
> seems that it was successful.
> This is the output of 'oneuser list':
>
> ID GROUP    NAME        AUTH     PASSWORD
>  0 oneadmin oneadmin    core     b29f6e6fed87fb100ae2e5921d66eb76d5670af7
>  1 oneadmin serveradmin server_c a7d66b6799d29142042316cc8cee0f3c81eac33e
>
>
> I've launched oned, oneacctd and sunstone-server as oneadmin and
> all of them are running:
>
> oneadmin 11364 0.0 0.1 1460920 10476 ? Sl Apr04 0:20
> /usr/bin/oned -f
> oneadmin 11389 0.0 0.0 43764 7020 ? SNl Apr04 3:29
> \_ ruby /usr/lib/one/mads/one_vmm_exec.rb -t 15 -r 0 kvm
> oneadmin 11400 0.0 0.0 39304 3984 ? SNl Apr04 3:28
> \_ ruby /usr/lib/one/mads/one_im_exec.rb -r 0 -t 15 kvm
> oneadmin 11410 0.0 0.0 39248 3932 ? SNl Apr04 3:27
> \_ ruby /usr/lib/one/mads/one_tm.rb tm_shared/tm_shared.conf
> oneadmin 11424 0.0 0.0 39212 3864 ? SNl Apr04 3:28
> \_ ruby /usr/lib/one/mads/one_hm.rb
> oneadmin 11435 0.0 0.0 39308 3988 ? SNl Apr04 3:36
> \_ ruby /usr/lib/one/mads/one_image.rb fs -t 15
> oneadmin 11445 0.2 0.0 39388 4104 ? SNl Apr04 13:16
> \_ ruby /usr/lib/one/mads/one_auth_mad.rb --authn
> ssh,x509,ldap,server_cipher,server_x509
> oneadmin 11365 0.0 0.0 192196 5424 ? Sl Apr04 0:19
> /usr/bin/mm_sched
> oneadmin 11461 0.0 0.4 113828 32700 ? S Apr04 0:13
> ruby /usr/lib/one/ruby/acct/acctd.rb
> oneadmin 11471 0.0 0.5 163548 43708 ? Sl Apr04 5:29
> ruby /usr/lib/one/sunstone/sunstone-server.rb
>
>
> However, when I try to log in to Sunstone web interface using
> serveradmin or oneadmin credentials (or whatever else) it always
> fails. In the web it states that "OpenNebula is not running".
> I've checked oned.log and this is the output of both attempts:
>
>
> ### serveradmin login attempt ###
>
> Sun Apr 8 15:02:05 2012 [ReM][D]: UserPoolInfo method invoked
> Sun Apr 8 15:02:05 2012 [AuM][D]: Message received: LOG I 9
> Command execution fail:
> /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
> 'a7d66b6799d29142042316cc8cee0f3c81eac33e'
> gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
> Sun Apr 8 15:02:05 2012 [AuM][I]: Command execution fail:
> /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
> 'a7d66b6799d29142042316cc8cee0f3c81eac33e'
> gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
> Sun Apr 8 15:02:05 2012 [AuM][D]: Message received: LOG E 9 bad
> decrypt
> Sun Apr 8 15:02:05 2012 [AuM][I]: bad decrypt
> Sun Apr 8 15:02:05 2012 [AuM][D]: Message received: LOG I 9
> ExitCode: 255
> Sun Apr 8 15:02:05 2012 [AuM][I]: ExitCode: 255
> Sun Apr 8 15:02:05 2012 [AuM][D]: Message received: AUTHENTICATE
> FAILURE 9 bad decrypt
> Sun Apr 8 15:02:05 2012 [AuM][E]: Auth Error: bad decrypt
> Sun Apr 8 15:02:05 2012 [ReM][E]: [UserPoolInfo] User couldn't be
> authenticated, aborting call.
>
>
> ### oneadmin login attempt ###
>
> Sun Apr 8 15:02:18 2012 [ReM][D]: UserPoolInfo method invoked
> Sun Apr 8 15:02:18 2012 [AuM][D]: Message received: LOG I 10
> Command execution fail:
> /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
> 'a7d66b6799d29142042316cc8cee0f3c81eac33e'
> gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
> Sun Apr 8 15:02:18 2012 [AuM][I]: Command execution fail:
> /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
> 'a7d66b6799d29142042316cc8cee0f3c81eac33e'
> gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
> Sun Apr 8 15:02:18 2012 [AuM][D]: Message received: LOG E 10 bad
> decrypt
> Sun Apr 8 15:02:18 2012 [AuM][I]: bad decrypt
> Sun Apr 8 15:02:18 2012 [AuM][D]: Message received: LOG I 10
> ExitCode: 255
> Sun Apr 8 15:02:18 2012 [AuM][I]: ExitCode: 255
> Sun Apr 8 15:02:18 2012 [AuM][D]: Message received: AUTHENTICATE
> FAILURE 10 bad decrypt
> Sun Apr 8 15:02:18 2012 [AuM][E]: Auth Error: bad decrypt
> Sun Apr 8 15:02:18 2012 [ReM][E]: [UserPoolInfo] User couldn't be
> authenticated, aborting call.
> Sun Apr 8 15:02:22 2012 [ReM][D]: HostPoolInfo method invoked
> Sun Apr 8 15:02:22 2012 [ReM][D]: VirtualMachinePoolInfo method
> invoked
> Sun Apr 8 15:02:22 2012 [ReM][D]: AclInfo method invoked
>
> I think that cipher_server is the right auth option in this case.
> Notice that the authenticate script in both cases receives
> 'serveradmin' credentials regardless of the use of oneadmin
> credentials in the second attempt.
>
> Please, could anybody help me with this login failure issue?
>
> Let me know if you need anything else.
>
>
> Thanks in advance.
>
> Carlos.
>
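
The oned.log excerpts in this thread record the auth driver's full command line, including the stored password field and a third argument, next to each failure. The following is an added example, not code from either poster or from OpenNebula: it pairs each AUTHENTICATE FAILURE with the driver command logged for the same request id and masks those two arguments before a log is shared. The names `SAMPLE_LOG`, `redact`, `auth_failures` and `failure_counts` are hypothetical, the line shapes are taken only from the excerpts above, and the sample lines are constructed with placeholder secrets.

```ruby
# Added example: triage oned.log auth-driver failures and mask secrets.
# Line shapes follow the excerpts in this thread; SAMPLE_LOG is constructed
# (placeholder secrets, wrapped lines already rejoined).
SAMPLE_LOG = <<~LOG
  Sun Apr 8 15:02:05 2012 [ReM][D]: UserPoolInfo method invoked
  Sun Apr 8 15:02:05 2012 [AuM][D]: Message received: LOG I 9 Command execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin' 'EXAMPLE-STORED-PASSWORD' EXAMPLE-THIRD-ARGUMENT
  Sun Apr 8 15:02:05 2012 [AuM][I]: Command execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin' 'EXAMPLE-STORED-PASSWORD' EXAMPLE-THIRD-ARGUMENT
  Sun Apr 8 15:02:05 2012 [AuM][D]: Message received: AUTHENTICATE FAILURE 9 bad decrypt
  Sun Apr 8 15:02:05 2012 [ReM][E]: [UserPoolInfo] User couldn't be authenticated, aborting call.
  Mon Apr 9 16:28:17 2012 [AuM][D]: Message received: LOG I 0 Command execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin' 'EXAMPLE-STORED-PASSWORD' EXAMPLE-THIRD-ARGUMENT
  Mon Apr 9 16:28:17 2012 [AuM][D]: Message received: AUTHENTICATE FAILURE 0 key length too short
LOG

TS   = /\A(\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[/
CMD  = %r{Message received: LOG I (?<id>\d+) Command execution fail: \S*/auth/(?<driver>[^/\s]+)/authenticate '(?<user>[^']*)'}
FAIL = /Message received: AUTHENTICATE FAILURE (?<id>\d+) (?<reason>.+)$/
ARGS = /(authenticate '[^']*') '[^']*' \S+/

# Mask the second and third driver arguments before a log is shared.
def redact(text)
  text.gsub(ARGS, "\\1 '[REDACTED]' [REDACTED]")
end

# Pair each AUTHENTICATE FAILURE with the driver command logged for the same
# request id, returning one record per failed authentication.
def auth_failures(log)
  pending = {} # request id => driver and user from the failed command line
  log.each_line(chomp: true).filter_map do |line|
    if (m = CMD.match(line))
      pending[m[:id]] = { driver: m[:driver], user: m[:user] }
      nil
    elsif (m = FAIL.match(line))
      ctx = pending.delete(m[:id]) || {}
      { time: line[TS, 1], id: m[:id].to_i, driver: ctx[:driver],
        user: ctx[:user], reason: m[:reason] }
    end
  end
end

# Count failures per reason, e.g. to see when the error text changes.
def failure_counts(log)
  auth_failures(log).group_by { |f| f[:reason] }.transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  auth_failures(SAMPLE_LOG).each { |f| puts f.inspect }
  puts redact(SAMPLE_LOG)
end
```

Lines wrapped by a mail client, as in the excerpts above, have to be rejoined into one line per log entry before they are passed in.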