[one-users] RPC API and PHP (auth pb)

Nicolas Bélan nicolas.belan at gmail.com
Mon Mar 25 17:31:12 PDT 2013


Hi,

Well, the encrypted field is not clear to me.

I tried:
    function test_request_1() {
        // build userAuth
        $userAuth = $this->oca_username . ":" . $this->user_email .
            ":" . sha1($this->oca_password);
        $request = xmlrpc_encode_request("one.vmpool.info",
            array($userAuth, -2, -1, -1, -1));
        $content = stream_context_create(array(
            "http" => array("method" => "POST",
                "header" => "Content-Type: text/xml",
                "content" => $request
            )
        ));
        $file = file_get_contents($this->oca_base_url, false, $content);
        $response = xmlrpc_decode($file);
    }

But, I got:
Tue Mar 26 01:24:31 2013 [AuM][E]: Auth Error: wrong final block length
Tue Mar 26 01:24:31 2013 [ReM][E]: Req:7056 UID:- VirtualMachinePoolInfo
result FAILURE [VirtualMachinePoolInfo] User couldn't be authenticated,
aborting call.

oca_username is "serveradmin", and "oca_password" is the password of
serveradmin.
user_email is the login id of the client.

The thing that I cannot understand is the following:
I captured the third field:
PWyaJz96iwdYldYoPHXWZYle/HkPus+rFpkJhLRSf8wRMWGr+/NRXA7Qf8YPiwU3
it is 64 chars long.

a sha1(str) is 40 bytes long.

So, how can Ruby make a 40+24 sha1() password?


I tested also using:
    function test_aes_4() {
        // let's do it with openssl
        // like Ruby, we generate a 40 bytes key, but only 32 bytes for aes-256-CBC
        $key = substr(sha1($this->oca_password), 0, $this->mcrypt_keysize);
        $this->assertEquals($this->mcrypt_keysize, strlen($key));
        // let's make data with an iv
        $iv = mcrypt_create_iv($this->mcrypt_ivsize);
        // the parentheses are required: in the PHP versions of that era "." and "+"
        // share the same precedence and bind left to right, so without them $data
        // collapsed to the integer 3600 (one 16-byte block, 24 base64 chars) instead
        // of the intended "serveradmin:<email>:<expire>" string
        $data = $this->oca_username . ":" . $this->user_email . ":" . (time() + 3600);
        $encrypted_data64 = openssl_encrypt($data, "aes-256-cbc", $key, false, $iv);
        $this->assertEquals(64, strlen($encrypted_data64));
    }

It failed with:
2) CloudTest::test_aes_4
Failed asserting that 24 matches expected 64.

-- sure, the ! "reply all" was an error, sorry

Best regards,
Nicolas

On 25/03/2013 17:25, Carlos Martín Sánchez wrote:
> Hi,
>
> On Mon, Mar 25, 2013 at 2:48 PM, Nicolas Bélan
> <nicolas.belan at gmail.com <mailto:nicolas.belan at gmail.com>> wrote:
>
>     Hello,
>
>     the problem is that the password is in an LDAP tree, and I do not get
>     the clear user password from the user (I get it in SHA1) through the
>     web connection.
>
>     I only map ldap[uidnumber] to get various other information (DNS
>     owner, SMTP accounting, support requests and so on).
>     I would like to keep avoiding getting the clear text password to
>     access the OpenNebula interface.
>     If it is not possible, I may get access directly to the SQL database,
>     but this is not what I would like to do first ...
>
>
> In that case serveradmin is the right approach.
>
> I see in your first email that you already found login_token in
> server_cipher_auth.rb. Maybe you were not using the same encryption
> algorithm, aes-256-cbc?
>
> Regards
>
> PS: Please reply to the list, more people may find it useful...
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - The Open-source Solution for Data Center Virtualization
> www.OpenNebula.org
> <http://www.opennebula.org/> | cmartin at opennebula.org
> <mailto:cmartin at opennebula.org> | @OpenNebula
> <http://twitter.com/opennebula>
>
>  
>
>     Regards,
>     nicolas.
>
>     On 25/03/2013 11:29, Carlos Martín Sánchez wrote:
>>     Hi,
>>
>>     The serveradmin user allows more secure communications, and
>>     advanced authentication scenarios, like browser certificates [1].
>>     But if you are building a simple user interface, you might want
>>     to keep things simple and use the 'username:password' session
>>     token for your xmlrpc requests.
>>
>>     Regards
>>
>>     [1] http://opennebula.org/documentation:rel3.8:sunstone#x509_auth
>>     --
>>     Carlos Martín, MSc
>>     Project Engineer
>>     OpenNebula - The Open-source Solution for Data Center Virtualization
>>     www.OpenNebula.org <http://www.OpenNebula.org> |
>>     cmartin at opennebula.org <mailto:cmartin at opennebula.org> |
>>     @OpenNebula <http://twitter.com/opennebula>
>>
>>
>>     On Fri, Mar 22, 2013 at 5:46 PM, Nicolas Bélan
>>     <nicolas.belan at gmail.com <mailto:nicolas.belan at gmail.com>> wrote:
>>
>>         Hello,
>>
>>         well, I would like to display to users their VMs, networks,
>>         images and so on, according to the role and access of each user,
>>         so I am trying to use as much as possible OpenNebula RBAC and
>>         RPC to retrieve only the right information.
>>         The step after is to deploy VMs as the user, not as oneadmin or
>>         serveradmin, but directly as "user".
>>
>>         The service I am building is a very simplified user
>>         interface. The step after for the user is to have access to
>>         self service, but to begin, I would like to hide some
>>         concepts to make cloud access easier.
>>
>>         best regards,
>>         nicolas
>>         On 22 Mar 2013 at 17:25, Tino Vazquez <tinova at opennebula.org
>>         <mailto:tinova at opennebula.org>> wrote:
>>
>>         > Hi Nicolas,
>>         >
>>         > serveradmin is used by Sunstone and related interface
>>         > services. Did you try it out with other users (ie, oneadmin)?
>>         >
>>         > Depending on what type of service you are building, you may be
>>         > interested indeed in serveradmin. Could you elaborate a bit
>>         > more on that?
>>         >
>>         > Regards
>>         > --
>>         > Constantino Vázquez Blanco, PhD, MSc
>>         > Project Engineer
>>         > OpenNebula - The Open-Source Solution for Data Center
>>         > Virtualization
>>         > www.OpenNebula.org <http://www.OpenNebula.org> | @tinova79
>>         > | @OpenNebula
>>         >
>>         > On Fri, Mar 22, 2013 at 4:16 PM, Nicolas Bélan
>>         > <nicolas.belan at gmail.com <mailto:nicolas.belan at gmail.com>> wrote:
>>         >> Hello the list,
>>         >>
>>         >> I am trying (unsuccessfully) to call RPC methods.
>>         >>
>>         >> The problem is that I cannot make my user authenticated
>>         >> by code (while it is ok with http://localhost:4567/ui).
>>         >> I am using version 3.8.3.
>>         >>
>>         >> I am trying to use serveradmin:<user>:<password> as written
>>         >> in the documentation, but it does not work.
>>         >> Deeply investigating, I found, in
>>         >> /usr/lib/one/ruby/server_cipher_auth.rb, that the third
>>         >> part is a token, but I am not Ruby compliant....
>>         >> It seems, if I understand, that:
>>         >> a string is built with: "serveradmin:username:time()+expire"
>>         >> the serveradmin password is used to create a key.
>>         >> This key is then used to cipher (salted ?) the previous
>>         >> string.
>>         >> The result is then appended like that:
>>         >> "serveradmin:username:cipher(key,serveradmin:username:time()+expire)"
>>         >> and sent as the first parameter of the RPC call.
>>         >> Am I completely wrong ?
>>         >> For example:
>>         >> serveradmin:user_example:PWyaJz96iwdYldYoPHXWZYkBMbuvKIEXiTVb0WuAHURYuQ2Dzmhnzjm0JDNCMchB
>>         >>
>>         >> Using Perl, I failed to authenticate the user ....
>>         >> Using tcpdump, it seems that the third part is quite
>>         >> constant during a certain lapse of time ...
>>         >> So, I may be wrong with my time() expire part ....
>>         >> Can you help me writing this part of code ? Perl or PHP
>>         >> are welcome ;)
>>         >>
>>         >> Thank you for your help
>>         >>
>>         >> Best regards,
>>         >> Nicolas.
>>         >>
>>         >> _______________________________________________
>>         >> Users mailing list
>>         >> Users at lists.opennebula.org <mailto:Users at lists.opennebula.org>
>>         >> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>         >>
>>
>>
>
>

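The token scheme the thread reverse-engineers from server_cipher_auth.rb, worked through as an added Ruby example (not OpenNebula's code and not the poster's PHP). It assumes what the thread states or infers: the key is the first 32 bytes of the hex SHA1 of the serveradmin password, the cipher is aes-256-cbc with no explicit IV (all zeros), and the ciphertext is base64-encoded; verify_token is a hypothetical server-side check that also shows why a raw sha1 hex digest in the third field produces the "wrong final block length" error seen in the log.

```ruby
require 'openssl'
require 'digest/sha1'

# Added example, not OpenNebula's own code. Assumptions (from the thread's
# reading of server_cipher_auth.rb): key = first 32 bytes of the hex SHA1 of
# the serveradmin password, aes-256-cbc with no explicit IV (all zeros),
# PKCS#7 padding, token base64-encoded without newlines.
CIPHER  = 'aes-256-cbc'
ZERO_IV = "\0" * 16

def token_key(srv_passwd)
  Digest::SHA1.hexdigest(srv_passwd)[0, 32]   # 40 hex chars, cipher keeps 32
end

def new_cipher(mode, srv_passwd)
  c = OpenSSL::Cipher.new(CIPHER)
  c.public_send(mode)                         # :encrypt or :decrypt
  c.key = token_key(srv_passwd)
  c.iv  = ZERO_IV
  c
end

# "serveradmin:<user>:<base64(aes(serveradmin:<user>:<expire>))>"
def login_token(srv_user, srv_passwd, target_user, expire)
  plain = "#{srv_user}:#{target_user}:#{expire}"
  c = new_cipher(:encrypt, srv_passwd)
  enc = c.update(plain) + c.final
  "#{srv_user}:#{target_user}:#{[enc].pack('m0')}"   # 'm0': base64, no newlines
end

# Hypothetical server-side check: decrypt the third field and require it to
# repeat the first two fields with a future expiry; returns the target user or
# nil. A raw sha1 hex digest decodes to 30 bytes: "wrong final block length".
def verify_token(token, srv_passwd, now = Time.now.to_i)
  srv_user, target_user, token64 = token.split(':', 3)
  return nil unless token64
  c = new_cipher(:decrypt, srv_passwd)
  plain = c.update(token64.unpack1('m0')) + c.final
  u, t, exp = plain.split(':', 3)
  return nil unless u == srv_user && t == target_user && exp.to_i > now
  target_user
rescue OpenSSL::Cipher::CipherError, ArgumentError   # bad padding, length or base64
  nil
end

if __FILE__ == $0
  tok = login_token('serveradmin', 'secret', 'user_example', Time.now.to_i + 3600)
  puts tok, tok.split(':', 3).last.length   # 35-byte plaintext -> 48 bytes -> 64 chars
end
```

The 64-character third field in the thread is consistent with this: a 35-byte "serveradmin:user_example:<10-digit expire>" string pads to 48 bytes, and 48 bytes base64-encode to 64 characters, which is not a sha1 at all.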