[one-users] Sunstone login failure - bad decrypt

Carlos Jiménez cjimenez at eneotecnologia.com
Mon Apr 9 07:48:12 PDT 2012


Hi Carlos,

According to the part of the update of the serveradmin password, I 
thought it was enough using 'oneuser passwd' command. It seems I was 
wrong. Therefore, I've tried this:
1. 'oneuser passwd 1 password'
2. Editing sunstone_auth and modifying the password field (from 
"32e5b0cdcc08c836dfac6a598695fd2e84acebc0" to "password").
3. Log in to the Sunstone Web Interface with oneadmin credentials

I think that matches the procedure explained in the documentation. 
However, the result has been the same as previously (failure), but in 
this case, oned.log showed a message related to the use of a key length 
too short. This is the output:

Mon Apr  9 16:28:17 2012 [ReM][D]: UserPoolInfo method invoked
Mon Apr  9 16:28:17 2012 [AuM][D]: Message received: LOG I 0 Command 
execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate 
'serveradmin' 'password' 
JiInGlGUMB3IBo5GK9w3q9POxvRC8z/NdZLtEQpuno4jkwpY1kQDn0gO4ao3hol/
Mon Apr  9 16:28:17 2012 [AuM][I]: Command execution fail: 
/var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin' 
'password' JiInGlGUMB3IBo5GK9w3q9POxvRC8z/NdZLtEQpuno4jkwpY1kQDn0gO4ao3hol/
Mon Apr  9 16:28:17 2012 [AuM][D]: Message received: LOG E 0 key length 
too short
Mon Apr  9 16:28:17 2012 [AuM][I]: key length too short
Mon Apr  9 16:28:17 2012 [AuM][D]: Message received: LOG I 0 ExitCode: 255
Mon Apr  9 16:28:17 2012 [AuM][I]: ExitCode: 255
Mon Apr  9 16:28:17 2012 [AuM][D]: Message received: AUTHENTICATE 
FAILURE 0 key length too short
Mon Apr  9 16:28:17 2012 [AuM][E]: Auth Error: key length too short
Mon Apr  9 16:28:17 2012 [ReM][E]: [UserPoolInfo] User couldn't be 
authenticated, aborting call.


Additional information:

### sunstone_auth ###
serveradmin:password

### 'oneuser list -x' ###
<USER_POOL>
<USER>
<ID>0</ID>
<GID>0</GID>
<GNAME>oneadmin</GNAME>
<NAME>oneadmin</NAME>
<PASSWORD>b29f6e6fed87fb100ae2e5921d66eb76d5670af7</PASSWORD>
<AUTH_DRIVER>core</AUTH_DRIVER>
<ENABLED>1</ENABLED>
<TEMPLATE/>
</USER>
<USER>
<ID>1</ID>
<GID>0</GID>
<GNAME>oneadmin</GNAME>
<NAME>serveradmin</NAME>
<PASSWORD>password</PASSWORD>
<AUTH_DRIVER>server_cipher</AUTH_DRIVER>
<ENABLED>1</ENABLED>
<TEMPLATE/>
</USER>
</USER_POOL>

I thought it was enough using oneuser and editing sunstone-auth. Does it 
require additional actions?


Thanks,

Carlos.







On 04/09/2012 10:51 AM, Carlos Martín Sánchez wrote:
> Hi,
>
> serveradmin is a special user that the servers, like sunstone, use to 
> forward user requests to the core. You can't login with that user.
>
> You have more information about the opennebula authentication here 
> [1], and what is the serveradmin account here [2]. In that second link 
> you will also find how to configure the servers to use the updated 
> serveradmin password you set.
>
> Regards
>
> [1] http://www.opennebula.org/documentation:rel3.2:external_auth
> [2] http://www.opennebula.org/documentation:rel3.2:cloud_auth
>
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - The Open-source Solution for Data Center Virtualization
> www.OpenNebula.org <http://www.OpenNebula.org> | 
> cmartin at opennebula.org <mailto:cmartin at opennebula.org> | @OpenNebula 
> <http://twitter.com/opennebula>
>
>
>
> 2012/4/8 Carlos Jiménez <cjimenez at eneotecnologia.com 
> <mailto:cjimenez at eneotecnologia.com>>
>
>     Hello everybody,
>
>     I have four computers with CentOS 6.2: 1 running as a NFS Server,
>     2 as Host with KVM hypervisor installed and 1 as a Front-End with
>     OpenNebula 3.2.1 installed.
>     According to the documentation, ssh, oneadmin uid/gid, user
>     profile (shared between all the computers by using NFS)... all of
>     them have been set up.
>     Additionally, I've installed and configured the front-end server
>     to use MySQL instead of SQLite. After granting the right
>     permissions to the opennebula table for the oneadmin user and once
>     I've modified /etc/one/oned.conf DB options, this part is running
>     fine too.
>
>     I've used oneuser to modify the password of serveradmin and it
>     seems that it was successful.
>     This is the output of 'oneuser list':
>
>     ID GROUP     NAME               AUTH                              
>                  PASSWORD
>      0 oneadmin oneadmin        core              
>     b29f6e6fed87fb100ae2e5921d66eb76d5670af7
>      1 oneadmin serveradmin    server_c        
>     a7d66b6799d29142042316cc8cee0f3c81eac33e
>
>
>     I've launched oned, oneacctd and sunstone-server as oneadmin and
>     all of them are running:
>
>     oneadmin 11364  0.0  0.1 1460920 10476 ?       Sl   Apr04   0:20
>     /usr/bin/oned -f
>     oneadmin 11389  0.0  0.0  43764  7020 ?        SNl  Apr04   3:29
>      \_ ruby /usr/lib/one/mads/one_vmm_exec.rb -t 15 -r 0 kvm
>     oneadmin 11400  0.0  0.0  39304  3984 ?        SNl  Apr04   3:28
>      \_ ruby /usr/lib/one/mads/one_im_exec.rb -r 0 -t 15 kvm
>     oneadmin 11410  0.0  0.0  39248  3932 ?        SNl  Apr04   3:27
>      \_ ruby /usr/lib/one/mads/one_tm.rb tm_shared/tm_shared.conf
>     oneadmin 11424  0.0  0.0  39212  3864 ?        SNl  Apr04   3:28
>      \_ ruby /usr/lib/one/mads/one_hm.rb
>     oneadmin 11435  0.0  0.0  39308  3988 ?        SNl  Apr04   3:36
>      \_ ruby /usr/lib/one/mads/one_image.rb fs -t 15
>     oneadmin 11445  0.2  0.0  39388  4104 ?        SNl  Apr04  13:16
>      \_ ruby /usr/lib/one/mads/one_auth_mad.rb --authn
>     ssh,x509,ldap,server_cipher,server_x509
>     oneadmin 11365  0.0  0.0 192196  5424 ?        Sl   Apr04   0:19
>     /usr/bin/mm_sched
>     oneadmin 11461  0.0  0.4 113828 32700 ?        S    Apr04   0:13
>     ruby /usr/lib/one/ruby/acct/acctd.rb
>     oneadmin 11471  0.0  0.5 163548 43708 ?        Sl   Apr04   5:29
>     ruby /usr/lib/one/sunstone/sunstone-server.rb
>
>
>     However, when I try to log in to Sunstone web interface using
>     serveradmin or oneadmin credentials (or whatever else) it always
>     fails. In the web it states that "OpenNebula is not running".
>     I've checked oned.log and this is the output of both attempts:
>
>
>     ### serveradmin login attempt ###
>
>     Sun Apr  8 15:02:05 2012 [ReM][D]: UserPoolInfo method invoked
>     Sun Apr  8 15:02:05 2012 [AuM][D]: Message received: LOG I 9
>     Command execution fail:
>     /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
>     'a7d66b6799d29142042316cc8cee0f3c81eac33e'
>     gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
>     Sun Apr  8 15:02:05 2012 [AuM][I]: Command execution fail:
>     /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
>     'a7d66b6799d29142042316cc8cee0f3c81eac33e'
>     gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
>     Sun Apr  8 15:02:05 2012 [AuM][D]: Message received: LOG E 9 bad
>     decrypt
>     Sun Apr  8 15:02:05 2012 [AuM][I]: bad decrypt
>     Sun Apr  8 15:02:05 2012 [AuM][D]: Message received: LOG I 9
>     ExitCode: 255
>     Sun Apr  8 15:02:05 2012 [AuM][I]: ExitCode: 255
>     Sun Apr  8 15:02:05 2012 [AuM][D]: Message received: AUTHENTICATE
>     FAILURE 9 bad decrypt
>     Sun Apr  8 15:02:05 2012 [AuM][E]: Auth Error: bad decrypt
>     Sun Apr  8 15:02:05 2012 [ReM][E]: [UserPoolInfo] User couldn't be
>     authenticated, aborting call.
>
>
>     ### oneadmin login attempt ###
>
>     Sun Apr  8 15:02:18 2012 [ReM][D]: UserPoolInfo method invoked
>     Sun Apr  8 15:02:18 2012 [AuM][D]: Message received: LOG I 10
>     Command execution fail:
>     /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
>     'a7d66b6799d29142042316cc8cee0f3c81eac33e'
>     gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
>     Sun Apr  8 15:02:18 2012 [AuM][I]: Command execution fail:
>     /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
>     'a7d66b6799d29142042316cc8cee0f3c81eac33e'
>     gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
>     Sun Apr  8 15:02:18 2012 [AuM][D]: Message received: LOG E 10 bad
>     decrypt
>     Sun Apr  8 15:02:18 2012 [AuM][I]: bad decrypt
>     Sun Apr  8 15:02:18 2012 [AuM][D]: Message received: LOG I 10
>     ExitCode: 255
>     Sun Apr  8 15:02:18 2012 [AuM][I]: ExitCode: 255
>     Sun Apr  8 15:02:18 2012 [AuM][D]: Message received: AUTHENTICATE
>     FAILURE 10 bad decrypt
>     Sun Apr  8 15:02:18 2012 [AuM][E]: Auth Error: bad decrypt
>     Sun Apr  8 15:02:18 2012 [ReM][E]: [UserPoolInfo] User couldn't be
>     authenticated, aborting call.
>     Sun Apr  8 15:02:22 2012 [ReM][D]: HostPoolInfo method invoked
>     Sun Apr  8 15:02:22 2012 [ReM][D]: VirtualMachinePoolInfo method
>     invoked
>     Sun Apr  8 15:02:22 2012 [ReM][D]: AclInfo method invoked
>
>     I think that cipher_server is the right auth option in this case.
>     Notice that authenticate script in both cases receive
>     'serveradmin' credentials regardless of the use of oneadmin
>     credentials in the second attempt.
>
>     Please, could anybody help me with this login failure issue?
>
>     Let me know if you need anything else.
>
>
>     Thanks in advance.
>
>     Carlos.
>     _______________________________________________
>     Users mailing list
>     Users at lists.opennebula.org <mailto:Users at lists.opennebula.org>
>     http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20120409/d30d0478/attachment-0003.htm>


More information about the Users mailing list