[one-users] RPC API and PHP (auth pb)
Nicolas Bélan
nicolas.belan at gmail.com
Tue Mar 26 07:51:46 PDT 2013
Hello,
nope, the code is base64_encoded.
I found it !!
You have an error in your code (well ... a default usage, not an error)
and I did not notice it quickly.
You do not set any Initialization Vector for the AES-256-CBC.
The mcrypt and openssl implementations do not like that!
So, I tried to get through (and failed), and I found this lib:
http://phpseclib.sourceforge.net/
The implementation is good, and the result is fine. I can now call RPC
through serveradmin ...
I cut & pasted the sample code for listing users:
http://pastebin.com/06Z52nXG
Have a nice day
Best regards
nicolas.
On 26/03/2013 11:30, Carlos Martín Sánchez wrote:
> Your second code looks better.
> In ruby the encrypted token is then encoded to Base64, is this step
> missing from your code?
>
> Regards
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - The Open-source Solution for Data Center Virtualization
> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula
>
>
> On Tue, Mar 26, 2013 at 1:31 AM, Nicolas Bélan
> <nicolas.belan at gmail.com> wrote:
>
> Hi,
>
> Well, the encrypted field is not clear for me.
>
> I tried:
> function test_request_1() {
>     // build userAuth: "serveradmin:target_user:sha1(serveradmin_password)"
>     $userAuth = $this->oca_username . ":" .
>         $this->user_email . ":" . sha1($this->oca_password);
>     $request = xmlrpc_encode_request("one.vmpool.info",
>         array($userAuth, -2, -1, -1, -1));
>     $content = stream_context_create(array(
>         "http" => array("method"  => "POST",
>                         "header"  => "Content-Type: text/xml",
>                         "content" => $request
>         )
>     ));
>     $file = file_get_contents($this->oca_base_url, false, $content);
>     $response = xmlrpc_decode($file);
> }
>
> But, I got:
> Tue Mar 26 01:24:31 2013 [AuM][E]: Auth Error: wrong final block length
> Tue Mar 26 01:24:31 2013 [ReM][E]: Req:7056 UID:- VirtualMachinePoolInfo result FAILURE [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
>
> oca_username is "serveradmin", and "oca_password" is the password
> of serveradmin.
> user_email is the login id of the client.
>
> The thing that I cannot understand is the following:
> I captured the third field:
> PWyaJz96iwdYldYoPHXWZYle/HkPus+rFpkJhLRSf8wRMWGr+/NRXA7Qf8YPiwU3
> it is 64 chars long.
>
> A sha1(str) is 40 bytes long.
>
> So, how can Ruby make a 40+24 sha1() password?
>
>
> I tested also using:
> function test_aes_4() {
>     // let's do it with openssl
>     // like Ruby, we generate a 40-byte key, but only 32 bytes for aes-256-cbc
>     $key = substr(sha1($this->oca_password), 0, $this->mcrypt_keysize);
>     $this->assertEquals($this->mcrypt_keysize, strlen($key));
>     // let's make data with an iv
>     $iv = mcrypt_create_iv($this->mcrypt_ivsize);
>     // parentheses needed: in PHP '.' and '+' share precedence, so without
>     // them the whole string is coerced to a number before 3600 is added
>     $data = $this->oca_username . ":" . $this->user_email .
>         ":" . (time() + 3600);
>     $encrypted_data64 = openssl_encrypt($data, "aes-256-cbc", $key, false, $iv);
>     $this->assertEquals(64, strlen($encrypted_data64));
> }
>
> It failed with:
> 2) CloudTest::test_aes_4
> Failed asserting that 24 matches expected 64.
>
> -- sure, the ! "reply all" was an error, sorry
>
> Best regards,
> Nicolas
>
> On 25/03/2013 17:25, Carlos Martín Sánchez wrote:
>> Hi,
>>
>> On Mon, Mar 25, 2013 at 2:48 PM, Nicolas Bélan
>> <nicolas.belan at gmail.com> wrote:
>>
>> Hello,
>>
>> the problem is that the password is in an LDAP tree, and I do not
>> get the clear user password from the user (I got it in SHA1)
>> through the web connection.
>>
>> I only map ldap[uidnumber] to get various other information
>> (DNS owner, SMTP accounting, support requests and so on).
>> I would like to keep avoiding getting the clear-text password to
>> access the OpenNebula interface.
>> If it is not possible, I may get access directly to the SQL
>> database, but this is not what I would like to do first ...
>>
>>
>> In that case serveradmin is the right approach.
>>
>> I see in your first email that you already found login_token in
>> server_cipher_auth.rb. Maybe you were not using the same
>> encryption algorithm, aes-256-cbc?
>>
>> Regards
>>
>> PS: Please reply to the list, more people may find it useful...
>> --
>> Carlos Martín, MSc
>> Project Engineer
>> OpenNebula - The Open-source Solution for Data Center Virtualization
>> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula
>>
>>
>>
>> Regards,
>> nicolas.
>>
>> On 25/03/2013 11:29, Carlos Martín Sánchez wrote:
>>> Hi,
>>>
>>> The serveradmin user allows more secure communications, and
>>> advanced authentication scenarios, like browser certificates
>>> [1]. But if you are building a simple user interface, you
>>> might want to keep things simple and use the
>>> 'username:password' session token for your xmlrpc requests.
>>>
>>> Regards
>>>
>>> [1] http://opennebula.org/documentation:rel3.8:sunstone#x509_auth
>>> --
>>> Carlos Martín, MSc
>>> Project Engineer
>>> OpenNebula - The Open-source Solution for Data Center
>>> Virtualization
>>> www.OpenNebula.org | cmartin at opennebula.org | @OpenNebula
>>>
>>>
>>> On Fri, Mar 22, 2013 at 5:46 PM, Nicolas Bélan
>>> <nicolas.belan at gmail.com> wrote:
>>>
>>> Hello,
>>>
>>> Well, I would like to display to users their VMs,
>>> networks, images and so on, according to the role and
>>> access of each user.
>>> So I am trying to use as much as possible OpenNebula
>>> RBAC and RPC to retrieve only the right information.
>>> The step after is to deploy VMs as the user, not as oneadmin
>>> or serveradmin, but directly as "user".
>>>
>>> The service I am building is a very simplified user
>>> interface. The step after for the user is to have access
>>> to self service, but to begin, I would like to hide some
>>> concepts to make cloud access easier.
>>>
>>> best regards,
>>> nicolas
>>> On 22 March 2013 at 17:25, Tino Vazquez
>>> <tinova at opennebula.org> wrote:
>>>
>>> > Hi Nicolas,
>>> >
>>> > serveradmin is used by Sunstone and related interface services. Did
>>> > you try it out with other users (ie, oneadmin)?
>>> >
>>> > Depending on what type of service you are building, you may be
>>> > interested indeed in serveradmin. Could you elaborate a bit more on
>>> > that?
>>> >
>>> > Regards
>>> > --
>>> > Constantino Vázquez Blanco, PhD, MSc
>>> > Project Engineer
>>> > OpenNebula - The Open-Source Solution for Data Center Virtualization
>>> > www.OpenNebula.org | @tinova79 | @OpenNebula
>>> >
>>> >
>>> > On Fri, Mar 22, 2013 at 4:16 PM, Nicolas Bélan
>>> > <nicolas.belan at gmail.com> wrote:
>>> >> Hello the list,
>>> >>
>>> >> I am trying (unsuccessfully) to call RPC methods.
>>> >>
>>> >> The problem is that I cannot make my user authenticated by code (while
>>> >> it is ok with http://localhost:4567/ui)
>>> >> I am using version 3.8.3.
>>> >>
>>> >> I am trying to use serveradmin:<user>:<password>, but it does not work
>>> >> as written in the documentation.
>>> >> Deeply investigating, I found, in
>>> >> /usr/lib/one/ruby/server_cipher_auth.rb, that the third part is a token,
>>> >> but I am not Ruby compliant....
>>> >> It seems, if I understand, that:
>>> >> a string is built with: "serveradmin:username:time()+expire"
>>> >> the serveradmin password is used to create a key.
>>> >> This key is then used to cipher (salted?) the previous string.
>>> >> The result is then appended like that:
>>> >> "serveradmin:username:cipher(key,serveradmin:username:time()+expire)"
>>> >> and sent as the first parameter of the rpc call.
>>> >> Am I completely wrong?
>>> >> For example:
>>> >> serveradmin:user_example:PWyaJz96iwdYldYoPHXWZYkBMbuvKIEXiTVb0WuAHURYuQ2Dzmhnzjm0JDNCMchB
>>> >>
>>> >> Using Perl, I failed to authenticate the user ....
>>> >> Using tcpdump, it seems that the third part is quite constant during a
>>> >> certain lapse of time ...
>>> >> So, I may be wrong with my time() expire part ....
>>> >> Can you help me writing this part of code? Perl or PHP are welcome ;)
>>> >>
>>> >> Thank you for your help
>>> >>
>>> >> Best regards,
>>> >> Nicolas.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> _______________________________________________
>>> >> Users mailing list
>>> >> Users at lists.opennebula.org
>>> >> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>>
>>
>>
>
>
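The token format worked out in the thread above (first message) and the cause found at the top (no IV set, so a client has to match whatever the server's cipher defaults to) can be checked end to end with the following added example. It is not OpenNebula's server_cipher_auth.rb and not the poster's PHP; it is an illustration written for this page. It assumes, as the quoted test_aes_4 does, that the AES-256-CBC key is the first 32 characters of the hex SHA1 of the serveradmin password, and that an unset IV in Ruby's OpenSSL binding amounts to 16 zero bytes, which is the value a PHP client would have to pass explicitly. It also shows the server-side check a defender would expect: decrypt, confirm the names match, reject an expired token, and treat any decode or padding failure (the "wrong final block length" family of errors) as an authentication failure.

```ruby
require 'openssl'
require 'digest'
require 'base64'

# Added example, not the OpenNebula code. Builds and checks a serveradmin
# login token of the shape described in the thread:
#   "serveradmin:username:base64(aes-256-cbc(key, "serveradmin:username:expire"))"
# Assumptions (labelled): key = first 32 chars of hex SHA1 of the serveradmin
# password; the IV is never set, which here is made explicit as 16 zero bytes.

CIPHER  = 'aes-256-cbc'
ZERO_IV = "\0" * 16   # assumption: what an unset IV amounts to

def token_key(password)
  Digest::SHA1.hexdigest(password)[0, 32]
end

# Client side: produce the first XML-RPC parameter for target_user.
def login_token(srv_user, srv_passwd, target_user, expire)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = token_key(srv_passwd)
  cipher.iv  = ZERO_IV
  plain = "#{srv_user}:#{target_user}:#{expire}"
  raw = cipher.update(plain) + cipher.final
  "#{srv_user}:#{target_user}:#{Base64.strict_encode64(raw)}"
end

# Server side: decrypt the third field, require that it names the same
# serveradmin and target user, and that the expire timestamp is still in
# the future. Any base64, key or padding problem is simply "not valid".
def valid_token?(token, srv_passwd, now)
  srv_user, target_user, token64 = token.split(':', 3)
  return false if token64.nil?
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.decrypt
  cipher.key = token_key(srv_passwd)
  cipher.iv  = ZERO_IV
  plain = cipher.update(Base64.strict_decode64(token64)) + cipher.final
  user, target, expire = plain.split(':', 3)
  user == srv_user && target == target_user && expire.to_i > now
rescue OpenSSL::Cipher::CipherError, ArgumentError
  # wrong key, wrong IV, bad padding or bad base64 all land here
  false
end

if __FILE__ == $0
  # constructed sample values, not real credentials
  tok = login_token('serveradmin', 'example-password', 'user_example', Time.now.to_i + 3600)
  puts tok
  puts valid_token?(tok, 'example-password', Time.now.to_i)
end
```

Two things the example makes visible. A 35-byte plaintext such as "serveradmin:user_example:1364258400" pads to 48 bytes and encodes to exactly 64 base64 characters, which is the length observed for the third field in the thread. And because the IV is fixed, the same plaintext always yields the same token, so the field only changes when the expire value does; that is the "quite constant during a certain lapse of time" behaviour seen with tcpdump, and it is why the server must also enforce the expire check rather than rely on the token looking fresh.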