[one-users] Sunstone login failure - bad decrypt
Carlos Jiménez
cjimenez at eneotecnologia.com
Mon Apr 9 09:03:49 PDT 2012
Hi,
Thank you Hector.
"serveradmin" password was successfully changed and then, I modified
"oneadmin" password by executing 'oneuser passwd 0 password' and
modified the same password in one_auth file. After restarting one
service I managed to log in to Sunstone Web interface.
Regards,
Carlos.
On 04/09/2012 05:27 PM, Hector Sanjuan wrote:
> Hello,
>
> the server admin password in opennebula is sha1 hashed. Try
>
> oneuser passwd 1 password --sha1
>
> Hope it helps,
>
> Hector
>
>
> On Mon, 09 Apr 2012 16:48:12 +0200, Carlos Jiménez
> <cjimenez at eneotecnologia.com> wrote:
>
>> Hi Carlos,
>>
>> According to the part of the update of the serveradmin password, I
>> thought it was enough using 'oneuser passwd' command. It seems I was
>> wrong. Therefore, I've tried this:
>> 1. 'oneuser passwd 1 password'
>> 2. Editing sunstone_auth and modifying the password field (from
>> "32e5b0cdcc08c836dfac6a598695fd2e84acebc0" to "password").
>> 3. Log in to the Sunstone Web Interface with oneadmin credentials
>>
>> I think that matches the procedure explained in the documentation.
>> However, the result has been the same as previously (failure), but in
>> this case, oned.log showed a message related to the use of a key length
>> too short. This is the output:
>>
>> Mon Apr 9 16:28:17 2012 [ReM][D]: UserPoolInfo method invoked
>> Mon Apr 9 16:28:17 2012 [AuM][D]: Message received: LOG I 0 Command
>> execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate
>> 'serveradmin' 'password'
>> JiInGlGUMB3IBo5GK9w3q9POxvRC8z/NdZLtEQpuno4jkwpY1kQDn0gO4ao3hol/
>> Mon Apr 9 16:28:17 2012 [AuM][I]: Command execution fail:
>> /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
>> 'password'
>> JiInGlGUMB3IBo5GK9w3q9POxvRC8z/NdZLtEQpuno4jkwpY1kQDn0gO4ao3hol/
>> Mon Apr 9 16:28:17 2012 [AuM][D]: Message received: LOG E 0 key length
>> too short
>> Mon Apr 9 16:28:17 2012 [AuM][I]: key length too short
>> Mon Apr 9 16:28:17 2012 [AuM][D]: Message received: LOG I 0
>> ExitCode: 255
>> Mon Apr 9 16:28:17 2012 [AuM][I]: ExitCode: 255
>> Mon Apr 9 16:28:17 2012 [AuM][D]: Message received: AUTHENTICATE
>> FAILURE 0 key length too short
>> Mon Apr 9 16:28:17 2012 [AuM][E]: Auth Error: key length too short
>> Mon Apr 9 16:28:17 2012 [ReM][E]: [UserPoolInfo] User couldn't be
>> authenticated, aborting call.
>>
>>
>> Additional information:
>>
>> ### sunstone_auth ###
>> serveradmin:password
>>
>> ### 'oneuser list -x' ###
>> <USER_POOL>
>> <USER>
>> <ID>0</ID>
>> <GID>0</GID>
>> <GNAME>oneadmin</GNAME>
>> <NAME>oneadmin</NAME>
>> <PASSWORD>b29f6e6fed87fb100ae2e5921d66eb76d5670af7</PASSWORD>
>> <AUTH_DRIVER>core</AUTH_DRIVER>
>> <ENABLED>1</ENABLED>
>> <TEMPLATE/>
>> </USER>
>> <USER>
>> <ID>1</ID>
>> <GID>0</GID>
>> <GNAME>oneadmin</GNAME>
>> <NAME>serveradmin</NAME>
>> <PASSWORD>password</PASSWORD>
>> <AUTH_DRIVER>server_cipher</AUTH_DRIVER>
>> <ENABLED>1</ENABLED>
>> <TEMPLATE/>
>> </USER>
>> </USER_POOL>
>>
>> I thought it was enough using oneuser and editing sunstone-auth. Does it
>> require additional actions?
>>
>>
>> Thanks,
>>
>> Carlos.
>>
>>
>>
>>
>>
>>
>>
>> On 04/09/2012 10:51 AM, Carlos Martín Sánchez wrote:
>>> Hi,
>>>
>>> serveradmin is a special user that the servers, like sunstone, use to
>>> forward user requests to the core. You can't login with that user.
>>>
>>> You have more information about the opennebula authentication here
>>> [1], and what is the serveradmin account here [2]. In that second link
>>> you will also find how to configure the servers to use the updated
>>> serveradmin password you set.
>>>
>>> Regards
>>>
>>> [1] http://www.opennebula.org/documentation:rel3.2:external_auth
>>> [2] http://www.opennebula.org/documentation:rel3.2:cloud_auth
>>>
>>> --
>>> Carlos Martín, MSc
>>> Project Engineer
>>> OpenNebula - The Open-source Solution for Data Center Virtualization
>>> www.OpenNebula.org <http://www.OpenNebula.org> |
>>> cmartin at opennebula.org <mailto:cmartin at opennebula.org> | @OpenNebula
>>> <http://twitter.com/opennebula>
>>>
>>>
>>>
>>> 2012/4/8 Carlos Jiménez <cjimenez at eneotecnologia.com
>>> <mailto:cjimenez at eneotecnologia.com>>
>>>
>>> Hello everybody,
>>>
>>> I have four computers with CentOS 6.2: 1 running as a NFS Server,
>>> 2 as Host with KVM hypervisor installed and 1 as a Front-End with
>>> OpenNebula 3.2.1 installed.
>>> According to the documentation, ssh, oneadmin uid/gid, user
>>> profile (shared between all the computers by using NFS)... all of
>>> them have been set up.
>>> Additionally, I've installed and configured the front-end server
>>> to use MySQL instead of SQLite. After granting the right
>>> permissions to the opennebula table for the oneadmin user and once
>>> I've modified /etc/one/oned.conf DB options, this part is running
>>> fine too.
>>>
>>> I've used oneuser to modify the password of serveradmin and it
>>> seems that it was successful.
>>> This is the output of 'oneuser list':
>>>
>>> ID GROUP    NAME        AUTH     PASSWORD
>>> 0  oneadmin oneadmin    core     b29f6e6fed87fb100ae2e5921d66eb76d5670af7
>>> 1  oneadmin serveradmin server_c a7d66b6799d29142042316cc8cee0f3c81eac33e
>>>
>>>
>>> I've launched oned, oneacctd and sunstone-server as oneadmin and
>>> all of them are running:
>>>
>>> oneadmin 11364 0.0 0.1 1460920 10476 ? Sl Apr04 0:20
>>> /usr/bin/oned -f
>>> oneadmin 11389 0.0 0.0 43764 7020 ? SNl Apr04 3:29
>>> \_ ruby /usr/lib/one/mads/one_vmm_exec.rb -t 15 -r 0 kvm
>>> oneadmin 11400 0.0 0.0 39304 3984 ? SNl Apr04 3:28
>>> \_ ruby /usr/lib/one/mads/one_im_exec.rb -r 0 -t 15 kvm
>>> oneadmin 11410 0.0 0.0 39248 3932 ? SNl Apr04 3:27
>>> \_ ruby /usr/lib/one/mads/one_tm.rb tm_shared/tm_shared.conf
>>> oneadmin 11424 0.0 0.0 39212 3864 ? SNl Apr04 3:28
>>> \_ ruby /usr/lib/one/mads/one_hm.rb
>>> oneadmin 11435 0.0 0.0 39308 3988 ? SNl Apr04 3:36
>>> \_ ruby /usr/lib/one/mads/one_image.rb fs -t 15
>>> oneadmin 11445 0.2 0.0 39388 4104 ? SNl Apr04 13:16
>>> \_ ruby /usr/lib/one/mads/one_auth_mad.rb --authn
>>> ssh,x509,ldap,server_cipher,server_x509
>>> oneadmin 11365 0.0 0.0 192196 5424 ? Sl Apr04 0:19
>>> /usr/bin/mm_sched
>>> oneadmin 11461 0.0 0.4 113828 32700 ? S Apr04 0:13
>>> ruby /usr/lib/one/ruby/acct/acctd.rb
>>> oneadmin 11471 0.0 0.5 163548 43708 ? Sl Apr04 5:29
>>> ruby /usr/lib/one/sunstone/sunstone-server.rb
>>>
>>>
>>> However, when I try to log in to Sunstone web interface using
>>> serveradmin or oneadmin credentials (or whatever else) it always
>>> fails. In the web it states that "OpenNebula is not running".
>>> I've checked oned.log and this is the output of both attempts:
>>>
>>>
>>> ### serveradmin login attempt ###
>>>
>>> Sun Apr 8 15:02:05 2012 [ReM][D]: UserPoolInfo method invoked
>>> Sun Apr 8 15:02:05 2012 [AuM][D]: Message received: LOG I 9
>>> Command execution fail:
>>> /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
>>> 'a7d66b6799d29142042316cc8cee0f3c81eac33e'
>>> gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
>>> Sun Apr 8 15:02:05 2012 [AuM][I]: Command execution fail:
>>> /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
>>> 'a7d66b6799d29142042316cc8cee0f3c81eac33e'
>>> gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
>>> Sun Apr 8 15:02:05 2012 [AuM][D]: Message received: LOG E 9 bad
>>> decrypt
>>> Sun Apr 8 15:02:05 2012 [AuM][I]: bad decrypt
>>> Sun Apr 8 15:02:05 2012 [AuM][D]: Message received: LOG I 9
>>> ExitCode: 255
>>> Sun Apr 8 15:02:05 2012 [AuM][I]: ExitCode: 255
>>> Sun Apr 8 15:02:05 2012 [AuM][D]: Message received: AUTHENTICATE
>>> FAILURE 9 bad decrypt
>>> Sun Apr 8 15:02:05 2012 [AuM][E]: Auth Error: bad decrypt
>>> Sun Apr 8 15:02:05 2012 [ReM][E]: [UserPoolInfo] User couldn't be
>>> authenticated, aborting call.
>>>
>>>
>>> ### oneadmin login attempt ###
>>>
>>> Sun Apr 8 15:02:18 2012 [ReM][D]: UserPoolInfo method invoked
>>> Sun Apr 8 15:02:18 2012 [AuM][D]: Message received: LOG I 10
>>> Command execution fail:
>>> /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
>>> 'a7d66b6799d29142042316cc8cee0f3c81eac33e'
>>> gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
>>> Sun Apr 8 15:02:18 2012 [AuM][I]: Command execution fail:
>>> /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
>>> 'a7d66b6799d29142042316cc8cee0f3c81eac33e'
>>> gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
>>> Sun Apr 8 15:02:18 2012 [AuM][D]: Message received: LOG E 10 bad
>>> decrypt
>>> Sun Apr 8 15:02:18 2012 [AuM][I]: bad decrypt
>>> Sun Apr 8 15:02:18 2012 [AuM][D]: Message received: LOG I 10
>>> ExitCode: 255
>>> Sun Apr 8 15:02:18 2012 [AuM][I]: ExitCode: 255
>>> Sun Apr 8 15:02:18 2012 [AuM][D]: Message received: AUTHENTICATE
>>> FAILURE 10 bad decrypt
>>> Sun Apr 8 15:02:18 2012 [AuM][E]: Auth Error: bad decrypt
>>> Sun Apr 8 15:02:18 2012 [ReM][E]: [UserPoolInfo] User couldn't be
>>> authenticated, aborting call.
>>> Sun Apr 8 15:02:22 2012 [ReM][D]: HostPoolInfo method invoked
>>> Sun Apr 8 15:02:22 2012 [ReM][D]: VirtualMachinePoolInfo method
>>> invoked
>>> Sun Apr 8 15:02:22 2012 [ReM][D]: AclInfo method invoked
>>>
>>> I think that cipher_server is the right auth option in this case.
>>> Notice that the authenticate script in both cases receives
>>> 'serveradmin' credentials regardless of the use of oneadmin
>>> credentials in the second attempt.
>>>
>>> Please, could anybody help me with this login failure issue?
>>>
>>> Let me know if you need anything else.
>>>
>>>
>>> Thanks in advance.
>>>
>>> Carlos.
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org <mailto:Users at lists.opennebula.org>
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>>
>
>
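
Added example, not part of the original thread or of OpenNebula's code: a check of the consistency Hector's reply points at, comparing the serveradmin entry from 'oneuser list -x' with the sunstone_auth file. It assumes the user pool holds the SHA-1 hex digest of the secret in the auth file; the function name and status strings are hypothetical, and the sample inputs are constructed from the values quoted in the thread.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

SHA1_HEX = re.compile(r"[0-9a-f]{40}")

# Constructed inputs mirroring the failing state quoted in the thread
# (the one that logged "key length too short").
SUNSTONE_AUTH = "serveradmin:password\n"
USER_POOL_XML = """
<USER_POOL>
  <USER><ID>0</ID><NAME>oneadmin</NAME>
    <PASSWORD>b29f6e6fed87fb100ae2e5921d66eb76d5670af7</PASSWORD>
    <AUTH_DRIVER>core</AUTH_DRIVER></USER>
  <USER><ID>1</ID><NAME>serveradmin</NAME>
    <PASSWORD>password</PASSWORD>
    <AUTH_DRIVER>server_cipher</AUTH_DRIVER></USER>
</USER_POOL>
"""


def check_server_credentials(auth_text, user_pool_xml):
    """Compare a <user>:<secret> auth file with `oneuser list -x` output."""
    name, sep, secret = auth_text.strip().partition(":")
    if not sep or not secret:
        return "auth-file-malformed"
    user = next((u for u in ET.fromstring(user_pool_xml).iter("USER")
                 if u.findtext("NAME") == name), None)
    if user is None:
        return "user-missing"
    if user.findtext("AUTH_DRIVER") != "server_cipher":
        return "wrong-driver"
    stored = (user.findtext("PASSWORD") or "").strip()
    if not SHA1_HEX.fullmatch(stored):
        # The pool holds the value verbatim, i.e. it was set without --sha1.
        return "stored-not-sha1"
    # Assumption: the pool should hold SHA-1(secret from the auth file).
    if stored != hashlib.sha1(secret.encode()).hexdigest():
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    print(check_server_credentials(SUNSTONE_AUTH, USER_POOL_XML))
```
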