<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hello,<br>
<br>
nope, the code is base64_encoded.<br>
<br>
I found it !!<br>
<br>
You have an error in your code (well ... a default usage, not an
error) and I did not notice it quickly.<br>
<br>
You do not set any Initialization Vector for the AES-256-CBC.<br>
mcrypt and openssl implementation does not like that !<br>
So, I tried to pass through, (and failed) and I find this lib:
<a class="moz-txt-link-freetext" href="http://phpseclib.sourceforge.net/">http://phpseclib.sourceforge.net/</a><br>
The implementation is good, and the result is fine. I can now call
RPC through serveradmin ...<br>
<br>
I cut&paste for list users sample code:<br>
<br>
<a class="moz-txt-link-freetext" href="http://pastebin.com/06Z52nXG">http://pastebin.com/06Z52nXG</a><br>
<br>
Have a nice day<br>
Best regards<br>
nicolas.<br>
<br>
<br>
<div class="moz-cite-prefix">Le 26/03/2013 11:30, Carlos Martín
Sánchez a écrit :<br>
</div>
<blockquote
cite="mid:CAEPYvFLPbT33vB60PyJf+zmJkfAha8WJec3-RYmc8iz=zrhDug@mail.gmail.com"
type="cite">Your second code looks better.
<div>In ruby the encrypted token is then encoded to Base64, is
this step missing from your code?</div>
<div><br>
</div>
<div>Regards<br clear="all">
<div>--<br>
Carlos Martín, MSc<br>
Project Engineer<br>
OpenNebula - The Open-source Solution for Data Center
Virtualization
<div><span
style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"><a
moz-do-not-send="true" href="http://www.OpenNebula.org"
target="_blank">www.OpenNebula.org</a> | <a
moz-do-not-send="true"
href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a>
| <a moz-do-not-send="true"
href="http://twitter.com/opennebula" target="_blank">@OpenNebula</a></span><span
style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"></span></div>
</div>
<br>
<br>
<div class="gmail_quote">On Tue, Mar 26, 2013 at 1:31 AM,
Nicolas Bélan <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:nicolas.belan@gmail.com" target="_blank">nicolas.belan@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi,<br>
<br>
Well, the encrypted field is not clear for me.<br>
<br>
I tried: <br>
function test_request_1() {<br>
// build userAuth<br>
$userAuth = $this->oca_username . ":" .
$this->user_email . ":" . sha1($this->oca_password);<br>
$request = xmlrpc_encode_request("<a
moz-do-not-send="true" href="http://one.vmpool.info"
target="_blank">one.vmpool.info</a>", array($userAuth,
-2, -1, -1 , -1));<br>
$content = stream_context_create(array(<br>
"http" => array("method" => "POST",<br>
"header" => "Content-Type:
text/xml",<br>
"content" => $request<br>
)<br>
));<br>
$file = file_get_contents($this->oca_base_url,
false, $content);<br>
$response = xmlrpc_decode($file);<br>
}<br>
<br>
But, I got:<br>
Tue Mar 26 01:24:31 2013 [AuM][E]: Auth Error: wrong final
block length<br>
Tue Mar 26 01:24:31 2013 [ReM][E]: Req:7056 UID:-
VirtualMachinePoolInfo result FAILURE
[VirtualMachinePoolInfo] User couldn't be authenticated,
aborting call.<br>
<br>
oca_username is "serveradmin", and "oca_password" is the
password of serveradmin.<br>
user_email is the login id of the client.<br>
<br>
The think that I can not understand is the following:<br>
I captured the third field:<br>
PWyaJz96iwdYldYoPHXWZYle/HkPus+rFpkJhLRSf8wRMWGr+/NRXA7Qf8YPiwU3<br>
it is 64 chars long.<br>
<br>
a sha1(str) is 40 bytes long.<br>
<br>
So, how ruby can make a 40+24 sha1() password ?<br>
<br>
<br>
I tested also using:<br>
function test_aes_4() {<br>
// let's do it with openssl<br>
// like Ruby, we generate a 40 bytes key, but only
32 bytes for aes-256-CBC<br>
$key = substr(sha1($this->oca_password), 0,
$this->mcrypt_keysize);<br>
$this->assertEquals($this->mcrypt_keysize,
strlen($key));<br>
// let's make data with an iv<br>
$iv = mcrypt_create_iv($this->mcrypt_ivsize);<br>
$data = $this->oca_username . ":" .
$this->user_email . ":" . time()+3600;<br>
$encrypted_data64 = openssl_encrypt($data,
"aes-256-cbc", $key, false, $iv);<br>
$this->assertEquals(64,
strlen($encrypted_data64));<br>
}<br>
<br>
It failed with:<br>
2) CloudTest::test_aes_4<br>
Failed asserting that 24 matches expected 64.<br>
<br>
-- sure, the ! "reply all" was an error, sorry<br>
<br>
Best regards,<br>
Nicolas<br>
<br>
<div>Le 25/03/2013 17:25, Carlos Martín Sánchez a écrit :<br>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div>Hi,</div>
<br>
<div class="gmail_quote">On Mon, Mar 25, 2013 at
2:48 PM, Nicolas Bélan <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:nicolas.belan@gmail.com"
target="_blank">nicolas.belan@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hello,<br>
<br>
the problem is that password is in a LDAP
tree, and I do not get clear user password
from the user (got it in SHA1) through web
connection.<br>
<br>
I only map ldap[uidnumber] to get various
other informations (DNS owner, SMTP
accounting, Support requests and so on).<br>
I would like to keep avoiding getting clear
text password to access OpenNebula Interface.<br>
If it is not possible, I may get access
directly to SQL Database, but this not what I
would like to do first ...<br>
</div>
</blockquote>
<div><br>
</div>
<div>
<div>In that case serveradmin is the right
approach.</div>
<div><br>
</div>
<div>I see in your first email that you already
found login_token in server_cipher_auth.rb.
Maybe you were not using the same encryption
algorithm, aes-256-cbc?</div>
<div><br>
</div>
<div>Regards</div>
<div><br>
</div>
PS: Please reply to the list, more people may
find it useful...<br clear="all">
<div>--<br>
Carlos Martín, MSc<br>
Project Engineer<br>
OpenNebula - The Open-source Solution for Data
Center Virtualization
<div> <span
style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"><a
moz-do-not-send="true"
href="http://www.opennebula.org/"
target="_blank">www.OpenNebula.org</a> | <a
moz-do-not-send="true"
href="mailto:cmartin@opennebula.org"
target="_blank">cmartin@opennebula.org</a> | <a
moz-do-not-send="true"
href="http://twitter.com/opennebula"
target="_blank">@OpenNebula</a></span></div>
</div>
</div>
<div><br>
</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Regards,<br>
nicolas.<br>
<br>
<div>Le 25/03/2013 11:29, Carlos Martín
Sánchez a écrit :<br>
</div>
<div>
<div>
<blockquote type="cite">Hi,
<div><br>
</div>
<div>The serveradmin users allows more
secure communications, and advanced
authentication scenarios, like browser
certificates [1]. But if you are
building a simple user interface, you
might want to keep things simple and
use the 'username:password' session
token for your xmlrpc requests.</div>
<div><br>
</div>
<div>Regards</div>
<div><br>
</div>
<div>[1] <a moz-do-not-send="true"
href="http://opennebula.org/documentation:rel3.8:sunstone#x509_auth"
target="_blank">http://opennebula.org/documentation:rel3.8:sunstone#x509_auth</a><br
clear="all">
<div>--<br>
Carlos Martín, MSc<br>
Project Engineer<br>
OpenNebula - The Open-source
Solution for Data Center
Virtualization
<div><span
style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"><a
moz-do-not-send="true"
href="http://www.OpenNebula.org"
target="_blank">www.OpenNebula.org</a>
| <a moz-do-not-send="true"
href="mailto:cmartin@opennebula.org"
target="_blank">cmartin@opennebula.org</a>
| <a moz-do-not-send="true"
href="http://twitter.com/opennebula"
target="_blank">@OpenNebula</a></span><span
style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"></span></div>
</div>
<br>
<br>
<div class="gmail_quote">On Fri, Mar
22, 2013 at 5:46 PM, Nicolas Bélan <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:nicolas.belan@gmail.com"
target="_blank">nicolas.belan@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> Hello,<br>
<br>
well, i would like to display to
user their vm, networks, images
and so on, according to the role
and access of each user.<br>
so i am trying to use as much as
possible openNebula rbac and rpc
to retrieve only right
informations.<br>
the step after is to deploy vm as
user, not as oneadmin or
serveradmin, but directly as
"user"<br>
<br>
the service i am building is a
very simplified user interface.
the step after for the user is to
have access to self service, but
to begin, i would like to hide
some concepts to make easier cloud
access.<br>
<br>
best regards,<br>
nicolas<br>
Le 22 mars 2013 à 17:25, Tino
Vazquez <<a
moz-do-not-send="true"
href="mailto:tinova@opennebula.org"
target="_blank">tinova@opennebula.org</a>>
a écrit :<br>
<div>
<div><br>
> Hi Nicolas,<br>
><br>
> serveradmin is used by
Sunstone and related interface
services. Did<br>
> you try it out with other
users (ie, oneadmin)?<br>
><br>
> Depending on what type of
service you are building, you
may be<br>
> interested indeed in
serveradmin. Could you
elaborate a bit more on<br>
> that?<br>
><br>
> Regards<br>
> --<br>
> Constantino Vázquez
Blanco, PhD, MSc<br>
> Project Engineer<br>
> OpenNebula - The
Open-Source Solution for Data
Center Virtualization<br>
> <a
moz-do-not-send="true"
href="http://www.OpenNebula.org"
target="_blank">www.OpenNebula.org</a>
| @tinova79 | @OpenNebula<br>
><br>
><br>
> On Fri, Mar 22, 2013 at
4:16 PM, Nicolas Bélan <<a
moz-do-not-send="true"
href="mailto:nicolas.belan@gmail.com"
target="_blank">nicolas.belan@gmail.com</a>>
wrote:<br>
>> Hello the list,<br>
>><br>
>> I am trying
(unsuccessfully) to call RPM
methods.<br>
>><br>
>> The problem is that I
can not make my user
authenticated by code (while<br>
>> it is ok with <a
moz-do-not-send="true"
href="http://localhost:4567/ui"
target="_blank">http://localhost:4567/ui</a>)<br>
>> I am using version
3.8.3.<br>
>><br>
>> I am trying to user
serveradmin:<user>:<password>
with it does not work<br>
>> as written in the
documentation.<br>
>> Deeply investigating,
I found, in<br>
>>
/usr/lib/one/ruby/server_cipher_auth.rb
that the third part is a
token,<br>
>> but i am not ruby
compliant....<br>
>> It seems, If i
understand, that:<br>
>> a string is built
with:
"serveradmin:username:time()+expire"<br>
>> the serveradmin
password is used to create a
key.<br>
>> This key is then used
to cipher (salted ?) the
previous string.<br>
>> The result is then
appended like that:<br>
>>
"serveradmin:username:cipher(key,serveradmin:username:time()+expire)"<br>
>> and sent as the first
parameter of the rpc call.<br>
>> Am i completely wrong
?<br>
>> For example:<br>
>>
serveradmin:user_example:PWyaJz96iwdYldYoPHXWZYkBMbuvKIEXiTVb0WuAHURYuQ2Dzmhnzjm0JDNCMchB<br>
>><br>
>> Using perl, I failed
to authenticate user ....<br>
>> using tcpdump, it
seems that the third part is
quite constant during a<br>
>> certain laps of time
...<br>
>> So, I may be wrong
with my time() expire part
....<br>
>> Can you help me
writing this part of code ?
Perl or PHP are welcome ;)<br>
>><br>
>> Thank you for you
help<br>
>><br>
>> Best regards,<br>
>> Nicolas.<br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>>
_______________________________________________<br>
>> Users mailing list<br>
>> <a
moz-do-not-send="true"
href="mailto:Users@lists.opennebula.org"
target="_blank">Users@lists.opennebula.org</a><br>
>> <a
moz-do-not-send="true"
href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org"
target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
>><br>
_______________________________________________<br>
Users mailing list<br>
<a moz-do-not-send="true"
href="mailto:Users@lists.opennebula.org"
target="_blank">Users@lists.opennebula.org</a><br>
<a moz-do-not-send="true"
href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org"
target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>