[one-users] Problem with x509 authentication for cli

Ruben S. Montero rsmontero at opennebula.org
Fri Sep 7 09:44:33 PDT 2012


Hi

It seems that your debug efforts are in the right direction. Would you
mind double-checking a couple of things? Using an irb session:

1.- Define a variable with the encrypted string from
/home/new_user/.one/one_x509, i.e. the part after the ':'

a="1Af34.."

2.- This is a base64 encoding of the encrypted token. Try to decode it

require 'base64'

Base64::decode64(a)

3.- This is the actual token in the form
<base64_encrypted_text>:cert_chain. Cert chain is the x509 cert of the
user plus any other needed to check that one.

At this step, can you check that the certificates are as expected (i.e.
that they match the x509 of the user)?

(The secret is base64 encoded, so you need to decode it first if you
want to try to decrypt it with openssl for example.)

Cheers

Ruben



On Thu, Sep 6, 2012 at 8:14 PM, Uli <ulihorn at gmail.com> wrote:
> Hi
>
> I am having a problem with setting up x509 authentication for the cli.
> The symptoms are as follows:  If I run the following command as the new x509
> authenticated user:
>
> onetemplate list
>
> I get:
>
> [TemplatePoolInfo] User couldn't be authenticated, aborting call.
>
> I tried to debug this with rdebug by running something like:
>
> ruby -rdebug /var/lib/one/remotes/auth/x509/authenticate <new_user>
> <user_dn> <user_secret>
>
> where <new_user> is the newly x509 authenticated user
> <user_dn> is the password taken from onehost show <new_user>
> <user_secret> is the string in file /home/new_user/.one/one_x509 containing
> <new_user>:encrypted string
>
> /usr/lib/one/ruby/x509_auth.rb:183: `data greater than mod len'
> (OpenSSL::PKey::RSAError)
> from /usr/lib/one/ruby/x509_auth.rb:183:in `decrypt'
> from /usr/lib/one/ruby/x509_auth.rb:116:in `authenticate'
> from authenticate:50
> /usr/lib/one/ruby/x509_auth.rb:183:
> @cert_chain[0].public_key.public_decrypt(Base64::decode64(data)
>
> From similar errors mentioned on the internet it seems this has something to
> do with a truncation that may have occurred in the database
>
> the certificate certs = "MII..==" contains 2532 characters and the
>                         token = "..=" contains 690 characters
>
> Many thanks
> Uli



-- 
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
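
The three checks from the reply above, collected into one script; this is an added example, not part of the original thread and not OpenNebula code. It assumes the chain entries are header-less base64 DER certificates separated by ':'; `inspect_token`, `build_sample` and the sample key, certificate and token are constructed for illustration.

```ruby
require 'openssl'
require 'base64'

# Steps 1-3 above: take the part after the first ':', base64-decode it, then
# split the result into the encrypted secret and the certificate chain.
# Assumption: chain entries are header-less base64 DER certs joined by ':'.
def inspect_token(line, expected_cert)
  user, blob = line.strip.split(':', 2)
  secret_b64, *chain_b64 = Base64.decode64(blob).split(':')
  chain = chain_b64.map { |c| OpenSSL::X509::Certificate.new(Base64.decode64(c)) }
  secret = Base64.decode64(secret_b64) # the secret is base64-encoded a second time
  mod_len = chain[0].public_key.n.num_bytes
  {
    user: user,
    subject: chain[0].subject.to_s,
    cert_matches: chain[0].to_der == expected_cert.to_der,
    secret_len: secret.bytesize,
    mod_len: mod_len,
    # OpenSSL reports "data greater than mod len" when the input to
    # public_decrypt is longer than the RSA modulus of the certificate's key.
    fits_modulus: secret.bytesize <= mod_len
  }
end

# Constructed sample: throwaway key, self-signed cert and a token line in the
# assumed layout. extra_bytes > 0 simulates a secret that is too long.
def build_sample(extra_bytes = 0)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=new_user')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  secret = key.private_encrypt('constructed login text') + ("\0" * extra_bytes)
  inner = [secret, cert.to_der].map { |v| Base64.strict_encode64(v) }.join(':')
  ["new_user:#{Base64.strict_encode64(inner)}", cert]
end

if __FILE__ == $PROGRAM_NAME
  line, cert = build_sample
  inspect_token(line, cert).each { |k, v| puts "#{k}: #{v}" }
end
```

For a real token, pass the line from the one_x509 file and the user's certificate loaded with `OpenSSL::X509::Certificate.new(File.read(path))`.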


