[one-users] Sunstone login failure - bad decrypt

Hector Sanjuan hsanjuan at opennebula.org
Mon Apr 9 08:27:10 PDT 2012


Hello,

The server admin password in OpenNebula is SHA1 hashed. Try

oneuser passwd 1 password --sha1

Hope it helps,

Hector


On Mon, 09 Apr 2012 16:48:12 +0200, Carlos Jiménez
<cjimenez at eneotecnologia.com> wrote:

> Hi Carlos,
>
> According to the part of the update of the serveradmin password, I
> thought it was enough using 'oneuser passwd' command. It seems I was
> wrong. Therefore, I've tried this:
> 1. 'oneuser passwd 1 password'
> 2. Editing sunstone_auth and modifying the password field (from
> "32e5b0cdcc08c836dfac6a598695fd2e84acebc0" to "password").
> 3. Log in to the Sunstone Web Interface with oneadmin credentials
>
> I think that matches the procedure explained in the documentation.
> However, the result has been the same as previously (failure), but in
> this case, oned.log showed a message related to the use of a key length
> too short. This is the output:
>
> Mon Apr  9 16:28:17 2012 [ReM][D]: UserPoolInfo method invoked
> Mon Apr  9 16:28:17 2012 [AuM][D]: Message received: LOG I 0 Command
> execution fail: /var/lib/one/remotes/auth/server_cipher/authenticate
> 'serveradmin' 'password'
> JiInGlGUMB3IBo5GK9w3q9POxvRC8z/NdZLtEQpuno4jkwpY1kQDn0gO4ao3hol/
> Mon Apr  9 16:28:17 2012 [AuM][I]: Command execution fail:
> /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
> 'password'  
> JiInGlGUMB3IBo5GK9w3q9POxvRC8z/NdZLtEQpuno4jkwpY1kQDn0gO4ao3hol/
> Mon Apr  9 16:28:17 2012 [AuM][D]: Message received: LOG E 0 key length
> too short
> Mon Apr  9 16:28:17 2012 [AuM][I]: key length too short
> Mon Apr  9 16:28:17 2012 [AuM][D]: Message received: LOG I 0 ExitCode:  
> 255
> Mon Apr  9 16:28:17 2012 [AuM][I]: ExitCode: 255
> Mon Apr  9 16:28:17 2012 [AuM][D]: Message received: AUTHENTICATE
> FAILURE 0 key length too short
> Mon Apr  9 16:28:17 2012 [AuM][E]: Auth Error: key length too short
> Mon Apr  9 16:28:17 2012 [ReM][E]: [UserPoolInfo] User couldn't be
> authenticated, aborting call.
>
>
> Additional information:
>
> ### sunstone_auth ###
> serveradmin:password
>
> ### 'oneuser list -x' ###
> <USER_POOL>
> <USER>
> <ID>0</ID>
> <GID>0</GID>
> <GNAME>oneadmin</GNAME>
> <NAME>oneadmin</NAME>
> <PASSWORD>b29f6e6fed87fb100ae2e5921d66eb76d5670af7</PASSWORD>
> <AUTH_DRIVER>core</AUTH_DRIVER>
> <ENABLED>1</ENABLED>
> <TEMPLATE/>
> </USER>
> <USER>
> <ID>1</ID>
> <GID>0</GID>
> <GNAME>oneadmin</GNAME>
> <NAME>serveradmin</NAME>
> <PASSWORD>password</PASSWORD>
> <AUTH_DRIVER>server_cipher</AUTH_DRIVER>
> <ENABLED>1</ENABLED>
> <TEMPLATE/>
> </USER>
> </USER_POOL>
>
> I thought it was enough using oneuser and editing sunstone-auth. Does it
> require additional actions?
>
>
> Thanks,
>
> Carlos.
>
> On 04/09/2012 10:51 AM, Carlos Martín Sánchez wrote:
>> Hi,
>>
>> serveradmin is a special user that the servers, like sunstone, use to
>> forward user requests to the core. You can't login with that user.
>>
>> You have more information about the opennebula authentication here
>> [1], and what is the serveradmin account here [2]. In that second link
>> you will also find how to configure the servers to use the updated
>> serveradmin password you set.
>>
>> Regards
>>
>> [1] http://www.opennebula.org/documentation:rel3.2:external_auth
>> [2] http://www.opennebula.org/documentation:rel3.2:cloud_auth
>>
>> --
>> Carlos Martín, MSc
>> Project Engineer
>> OpenNebula - The Open-source Solution for Data Center Virtualization
>> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula
>>
>>
>>
>> 2012/4/8 Carlos Jiménez <cjimenez at eneotecnologia.com>
>>
>>     Hello everybody,
>>
>>     I have four computers with CentOS 6.2: 1 running as a NFS Server,
>>     2 as Host with KVM hypervisor installed and 1 as a Front-End with
>>     OpenNebula 3.2.1 installed.
>>     According to the documentation, ssh, oneadmin uid/gid, user
>>     profile (shared between all the computers by using NFS)... all of
>>     them have been set up.
>>     Additionally, I've installed and configured the front-end server
>>     to use MySQL instead of SQLite. After granting the right
>>     permissions to the opennebula table for the oneadmin user and once
>>     I've modified /etc/one/oned.conf DB options, this part is running
>>     fine too.
>>
>>     I've used oneuser to modify the password of serveradmin and it
>>     seems that it was successful.
>>     This is the output of 'oneuser list':
>>
>>     ID GROUP    NAME        AUTH     PASSWORD
>>      0 oneadmin oneadmin    core     b29f6e6fed87fb100ae2e5921d66eb76d5670af7
>>      1 oneadmin serveradmin server_c a7d66b6799d29142042316cc8cee0f3c81eac33e
>>
>>
>>     I've launched oned, oneacctd and sunstone-server as oneadmin and
>>     all of them are running:
>>
>>     oneadmin 11364  0.0  0.1 1460920 10476 ?       Sl   Apr04   0:20
>>     /usr/bin/oned -f
>>     oneadmin 11389  0.0  0.0  43764  7020 ?        SNl  Apr04   3:29
>>      \_ ruby /usr/lib/one/mads/one_vmm_exec.rb -t 15 -r 0 kvm
>>     oneadmin 11400  0.0  0.0  39304  3984 ?        SNl  Apr04   3:28
>>      \_ ruby /usr/lib/one/mads/one_im_exec.rb -r 0 -t 15 kvm
>>     oneadmin 11410  0.0  0.0  39248  3932 ?        SNl  Apr04   3:27
>>      \_ ruby /usr/lib/one/mads/one_tm.rb tm_shared/tm_shared.conf
>>     oneadmin 11424  0.0  0.0  39212  3864 ?        SNl  Apr04   3:28
>>      \_ ruby /usr/lib/one/mads/one_hm.rb
>>     oneadmin 11435  0.0  0.0  39308  3988 ?        SNl  Apr04   3:36
>>      \_ ruby /usr/lib/one/mads/one_image.rb fs -t 15
>>     oneadmin 11445  0.2  0.0  39388  4104 ?        SNl  Apr04  13:16
>>      \_ ruby /usr/lib/one/mads/one_auth_mad.rb --authn
>>     ssh,x509,ldap,server_cipher,server_x509
>>     oneadmin 11365  0.0  0.0 192196  5424 ?        Sl   Apr04   0:19
>>     /usr/bin/mm_sched
>>     oneadmin 11461  0.0  0.4 113828 32700 ?        S    Apr04   0:13
>>     ruby /usr/lib/one/ruby/acct/acctd.rb
>>     oneadmin 11471  0.0  0.5 163548 43708 ?        Sl   Apr04   5:29
>>     ruby /usr/lib/one/sunstone/sunstone-server.rb
>>
>>
>>     However, when I try to log in to Sunstone web interface using
>>     serveradmin or oneadmin credentials (or whatever else) it always
>>     fails. In the web it states that "OpenNebula is not running".
>>     I've checked oned.log and this is the output of both attempts:
>>
>>
>>     ### serveradmin login attempt ###
>>
>>     Sun Apr  8 15:02:05 2012 [ReM][D]: UserPoolInfo method invoked
>>     Sun Apr  8 15:02:05 2012 [AuM][D]: Message received: LOG I 9
>>     Command execution fail:
>>     /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
>>     'a7d66b6799d29142042316cc8cee0f3c81eac33e'
>>     gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
>>     Sun Apr  8 15:02:05 2012 [AuM][I]: Command execution fail:
>>     /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
>>     'a7d66b6799d29142042316cc8cee0f3c81eac33e'
>>     gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
>>     Sun Apr  8 15:02:05 2012 [AuM][D]: Message received: LOG E 9 bad
>>     decrypt
>>     Sun Apr  8 15:02:05 2012 [AuM][I]: bad decrypt
>>     Sun Apr  8 15:02:05 2012 [AuM][D]: Message received: LOG I 9
>>     ExitCode: 255
>>     Sun Apr  8 15:02:05 2012 [AuM][I]: ExitCode: 255
>>     Sun Apr  8 15:02:05 2012 [AuM][D]: Message received: AUTHENTICATE
>>     FAILURE 9 bad decrypt
>>     Sun Apr  8 15:02:05 2012 [AuM][E]: Auth Error: bad decrypt
>>     Sun Apr  8 15:02:05 2012 [ReM][E]: [UserPoolInfo] User couldn't be
>>     authenticated, aborting call.
>>
>>
>>     ### oneadmin login attempt ###
>>
>>     Sun Apr  8 15:02:18 2012 [ReM][D]: UserPoolInfo method invoked
>>     Sun Apr  8 15:02:18 2012 [AuM][D]: Message received: LOG I 10
>>     Command execution fail:
>>     /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
>>     'a7d66b6799d29142042316cc8cee0f3c81eac33e'
>>     gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
>>     Sun Apr  8 15:02:18 2012 [AuM][I]: Command execution fail:
>>     /var/lib/one/remotes/auth/server_cipher/authenticate 'serveradmin'
>>     'a7d66b6799d29142042316cc8cee0f3c81eac33e'
>>     gmxtq1n6pxBEwnyjP94dU1EihSzqOU3bQgVxVpIEizqsxonauO8PP/sNTclxWciE
>>     Sun Apr  8 15:02:18 2012 [AuM][D]: Message received: LOG E 10 bad
>>     decrypt
>>     Sun Apr  8 15:02:18 2012 [AuM][I]: bad decrypt
>>     Sun Apr  8 15:02:18 2012 [AuM][D]: Message received: LOG I 10
>>     ExitCode: 255
>>     Sun Apr  8 15:02:18 2012 [AuM][I]: ExitCode: 255
>>     Sun Apr  8 15:02:18 2012 [AuM][D]: Message received: AUTHENTICATE
>>     FAILURE 10 bad decrypt
>>     Sun Apr  8 15:02:18 2012 [AuM][E]: Auth Error: bad decrypt
>>     Sun Apr  8 15:02:18 2012 [ReM][E]: [UserPoolInfo] User couldn't be
>>     authenticated, aborting call.
>>     Sun Apr  8 15:02:22 2012 [ReM][D]: HostPoolInfo method invoked
>>     Sun Apr  8 15:02:22 2012 [ReM][D]: VirtualMachinePoolInfo method
>>     invoked
>>     Sun Apr  8 15:02:22 2012 [ReM][D]: AclInfo method invoked
>>
>>     I think that cipher_server is the right auth option in this case.
>>     Notice that authenticate script in both cases receive
>>     'serveradmin' credentials regardless of the use of oneadmin
>>     credentials in the second attempt.
>>
>>     Please, could anybody help me with this login failure issue?
>>
>>     Let me know if you need anything else.
>>
>>
>>     Thanks in advance.
>>
>>     Carlos.


-- 
Hector Sanjuan
OpenNebula Developer
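
An added example, not part of the original messages and not OpenNebula code: a small consistency check between the sunstone_auth file and the `oneuser list -x` output quoted above. It assumes the auth file has the form `user:secret` and that the PASSWORD stored for the server_cipher user must be the SHA1 hex digest of that secret, as the reply above indicates; `check_server_user` is a hypothetical helper name and the inputs are constructed samples.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

SHA1_HEX = re.compile(r"[0-9a-f]{40}")

# Constructed sample inputs, modelled on the state quoted in the thread.
SUNSTONE_AUTH = "serveradmin:password\n"
USER_POOL_XML = """<USER_POOL>
  <USER><ID>0</ID><NAME>oneadmin</NAME>
    <PASSWORD>b29f6e6fed87fb100ae2e5921d66eb76d5670af7</PASSWORD>
    <AUTH_DRIVER>core</AUTH_DRIVER></USER>
  <USER><ID>1</ID><NAME>serveradmin</NAME>
    <PASSWORD>password</PASSWORD>
    <AUTH_DRIVER>server_cipher</AUTH_DRIVER></USER>
</USER_POOL>"""


def check_server_user(auth_file_text, user_pool_xml):
    """Compare the auth-file secret with the PASSWORD stored for that user.

    Assumption: the stored value must equal sha1(secret) as lowercase hex.
    Returns (status, detail); the detail never contains the secret itself.
    """
    name, _, secret = auth_file_text.strip().partition(":")
    expected = hashlib.sha1(secret.encode()).hexdigest()
    for user in ET.fromstring(user_pool_xml).iter("USER"):
        if user.findtext("NAME") != name:
            continue
        driver = user.findtext("AUTH_DRIVER")
        stored = user.findtext("PASSWORD") or ""
        if driver != "server_cipher":
            return "wrong-driver", f"{name} uses driver {driver}"
        if not SHA1_HEX.fullmatch(stored):
            return "not-hashed", f"stored value has {len(stored)} chars, not a SHA-1 digest"
        if stored != expected:
            return "mismatch", "stored digest is not the SHA-1 of the auth-file secret"
        return "ok", "stored digest matches the auth-file secret"
    return "missing", f"no user named {name} in the pool"


if __name__ == "__main__":
    print(check_server_user(SUNSTONE_AUTH, USER_POOL_XML))
```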


