Hello, nope, the code is base64-encoded.

I found it!! You have an error in your code (well ... a default usage, not an
error) and I did not notice it quickly. You do not set any Initialization
Vector for the AES-256-CBC. The mcrypt and openssl implementations do not like
that! So I tried to pass through it (and failed), and I found this lib:
http://phpseclib.sourceforge.net/
The implementation is good, and the result is fine.
I can now call RPC through serveradmin ...
I cut & pasted sample code for listing users: http://pastebin.com/06Z52nXG

Have a nice day
Best regards
nicolas.

On 26/03/2013 11:30, Carlos Martín Sánchez wrote:
> Your second code looks better.
> In Ruby the encrypted token is then encoded to Base64, is this step
> missing from your code?
>
> Regards
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - The Open-source Solution for Data Center Virtualization
> www.OpenNebula.org | [email protected] | @OpenNebula
>
>
> On Tue, Mar 26, 2013 at 1:31 AM, Nicolas Bélan <[email protected]> wrote:
>
>     Hi,
>
>     Well, the encrypted field is not clear for me.
>
>     I tried:
>
>     function test_request_1() {
>         // build userAuth
>         $userAuth = $this->oca_username . ":" . $this->user_email . ":" .
>                     sha1($this->oca_password);
>         $request = xmlrpc_encode_request("one.vmpool.info",
>                                          array($userAuth, -2, -1, -1, -1));
>         $content = stream_context_create(array(
>             "http" => array("method"  => "POST",
>                             "header"  => "Content-Type: text/xml",
>                             "content" => $request
>             )
>         ));
>         $file = file_get_contents($this->oca_base_url, false, $content);
>         $response = xmlrpc_decode($file);
>     }
>
>     But I got:
>
>     Tue Mar 26 01:24:31 2013 [AuM][E]: Auth Error: wrong final block length
>     Tue Mar 26 01:24:31 2013 [ReM][E]: Req:7056 UID:- VirtualMachinePoolInfo result FAILURE [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
>
>     oca_username is "serveradmin", and "oca_password" is the password of
>     serveradmin.
>     user_email is the login id of the client.
>
>     The thing that I cannot understand is the following:
>     I captured the third field:
>     PWyaJz96iwdYldYoPHXWZYle/HkPus+rFpkJhLRSf8wRMWGr+/NRXA7Qf8YPiwU3
>     it is 64 chars long.
>
>     A sha1(str) is 40 bytes long.
>
>     So, how can Ruby make a 40+24 sha1() password?
>
>     I also tested using:
>
>     function test_aes_4() {
>         // let's do it with openssl
>         // like Ruby, we generate a 40 bytes key, but only 32 bytes for aes-256-CBC
>         $key = substr(sha1($this->oca_password), 0, $this->mcrypt_keysize);
>         $this->assertEquals($this->mcrypt_keysize, strlen($key));
>         // let's make data with an iv
>         $iv = mcrypt_create_iv($this->mcrypt_ivsize);
>         $data = $this->oca_username . ":" . $this->user_email . ":" . time()+3600;
>         $encrypted_data64 = openssl_encrypt($data, "aes-256-cbc", $key, false, $iv);
>         $this->assertEquals(64, strlen($encrypted_data64));
>     }
>
>     It failed with:
>
>     2) CloudTest::test_aes_4
>     Failed asserting that 24 matches expected 64.
>
>     -- sure, not hitting "reply all" was an error, sorry
>
>     Best regards,
>     Nicolas
>
>     On 25/03/2013 17:25, Carlos Martín Sánchez wrote:
>> Hi,
>>
>> On Mon, Mar 25, 2013 at 2:48 PM, Nicolas Bélan <[email protected]> wrote:
>>
>>     Hello,
>>
>>     the problem is that the password is in an LDAP tree, and I do not get
>>     the clear user password from the user (I get it in SHA1) through the
>>     web connection.
>>
>>     I only map ldap[uidnumber] to get various other information (DNS
>>     owner, SMTP accounting, support requests and so on).
>>     I would like to keep avoiding getting the clear-text password to
>>     access the OpenNebula interface.
>>     If it is not possible, I may access the SQL database directly, but
>>     this is not what I would like to do first ...
>>
>> In that case serveradmin is the right approach.
>>
>> I see in your first email that you already found login_token in
>> server_cipher_auth.rb. Maybe you were not using the same encryption
>> algorithm, aes-256-cbc?
>>
>> Regards
>>
>> PS: Please reply to the list, more people may find it useful...
>> --
>> Carlos Martín, MSc
>> Project Engineer
>> OpenNebula - The Open-source Solution for Data Center Virtualization
>> www.OpenNebula.org | [email protected] | @OpenNebula
>>
>>
>>     Regards,
>>     nicolas.
>>
>>     On 25/03/2013 11:29, Carlos Martín Sánchez wrote:
>>> Hi,
>>>
>>> The serveradmin user allows more secure communications, and advanced
>>> authentication scenarios, like browser certificates [1]. But if you are
>>> building a simple user interface, you might want to keep things simple
>>> and use the 'username:password' session token for your xmlrpc requests.
>>>
>>> Regards
>>>
>>> [1] http://opennebula.org/documentation:rel3.8:sunstone#x509_auth
>>> --
>>> Carlos Martín, MSc
>>> Project Engineer
>>> OpenNebula - The Open-source Solution for Data Center Virtualization
>>> www.OpenNebula.org | [email protected] | @OpenNebula
>>>
>>>
>>> On Fri, Mar 22, 2013 at 5:46 PM, Nicolas Bélan <[email protected]> wrote:
>>>
>>>     Hello,
>>>
>>>     well, I would like to display to users their VMs, networks, images
>>>     and so on, according to the role and access of each user.
>>>     So I am trying to use OpenNebula RBAC and RPC as much as possible to
>>>     retrieve only the right information.
>>>     The step after is to deploy VMs as the user, not as oneadmin or
>>>     serveradmin, but directly as "user".
>>>
>>>     The service I am building is a very simplified user interface. The
>>>     step after for the user is to have access to self-service, but to
>>>     begin, I would like to hide some concepts to make cloud access
>>>     easier.
>>>
>>>     best regards,
>>>     nicolas
>>>
>>>     On 22 March 2013 at 17:25, Tino Vazquez <[email protected]> wrote:
>>>
>>>     > Hi Nicolas,
>>>     >
>>>     > serveradmin is used by Sunstone and related interface services. Did
>>>     > you try it out with other users (ie, oneadmin)?
>>>     >
>>>     > Depending on what type of service you are building, you may be
>>>     > interested indeed in serveradmin. Could you elaborate a bit more on
>>>     > that?
>>>     >
>>>     > Regards
>>>     > --
>>>     > Constantino Vázquez Blanco, PhD, MSc
>>>     > Project Engineer
>>>     > OpenNebula - The Open-Source Solution for Data Center Virtualization
>>>     > www.OpenNebula.org | @tinova79 | @OpenNebula
>>>     >
>>>     >
>>>     > On Fri, Mar 22, 2013 at 4:16 PM, Nicolas Bélan <[email protected]> wrote:
>>>     >> Hello the list,
>>>     >>
>>>     >> I am trying (unsuccessfully) to call RPC methods.
>>>     >>
>>>     >> The problem is that I cannot get my user authenticated by code
>>>     >> (while it is ok with http://localhost:4567/ui).
>>>     >> I am using version 3.8.3.
>>>     >>
>>>     >> I am trying to use serveradmin:<user>:<password>, but it does not
>>>     >> work as written in the documentation.
>>>     >> Investigating deeply, I found in
>>>     >> /usr/lib/one/ruby/server_cipher_auth.rb that the third part is a
>>>     >> token, but I am not fluent in Ruby....
>>>     >> It seems, if I understand, that:
>>>     >>   a string is built with: "serveradmin:username:time()+expire"
>>>     >>   the serveradmin password is used to create a key.
>>>     >>   This key is then used to cipher (salted?) the previous string.
>>>     >>   The result is then appended like that:
>>>     >>   "serveradmin:username:cipher(key,serveradmin:username:time()+expire)"
>>>     >>   and sent as the first parameter of the RPC call.
>>>     >> Am I completely wrong?
>>>     >> For example:
>>>     >> serveradmin:user_example:PWyaJz96iwdYldYoPHXWZYkBMbuvKIEXiTVb0WuAHURYuQ2Dzmhnzjm0JDNCMchB
>>>     >>
>>>     >> Using Perl, I failed to authenticate the user ....
>>>     >> Using tcpdump, it seems that the third part is quite constant
>>>     >> during a certain lapse of time ...
>>>     >> So, I may be wrong with my time() expire part ....
>>>     >> Can you help me write this part of the code? Perl or PHP are
>>>     >> welcome ;)
>>>     >>
>>>     >> Thank you for your help
>>>     >>
>>>     >> Best regards,
>>>     >> Nicolas.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Users mailing list [email protected] http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
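The token construction the thread converges on, as a worked example in Ruby (the language of the server-side code the thread refers to). This block is added here; it is neither OpenNebula's server_cipher_auth.rb nor the pastebin code, and it encodes only what the messages above state, assuming that matches the server: the plaintext is "serveradmin:username:expire", the key is the first 32 characters of the hex SHA-1 of the serveradmin password (the 40-byte key truncated to 32 bytes, as the comment in test_aes_4 puts it), the cipher is aes-256-cbc with no IV set, which in OpenSSL amounts to an all-zero IV, and the result is Base64. The names cipher_key, login_token and check_token and the password 'secret' are our own. check_token is the receiving side, and shows why a sha1() hex string in the third field, as in test_request_1, ends in "wrong final block length": 40 Base64 characters decode to 30 bytes, which is not a whole number of 16-byte blocks.

```ruby
# Added example for this thread, not OpenNebula's own code.
# Builds and checks a serveradmin session string with the layout described
# in the thread:
#   "serveradmin:<user>:" + Base64( AES-256-CBC( "serveradmin:<user>:<expire>" ) )
# Assumptions (taken from the messages, not re-verified against
# server_cipher_auth.rb here): key = first 32 chars of hex SHA-1 of the
# serveradmin password; "no IV set" = OpenSSL's all-zero IV.
require 'openssl'
require 'digest/sha1'
require 'base64'

CIPHER  = 'aes-256-cbc'
ZERO_IV = "\0" * 16 # what an unset IV amounts to in OpenSSL

# SHA-1 hexdigest is 40 chars; AES-256 wants a 32-byte key. Old Ruby
# truncated silently, current Ruby raises, so truncate explicitly.
def cipher_key(srv_passwd)
  Digest::SHA1.hexdigest(srv_passwd)[0, 32]
end

# Client side: the string sent as the first XML-RPC parameter.
def login_token(srv_user, srv_passwd, target_user, expire)
  c = OpenSSL::Cipher.new(CIPHER)
  c.encrypt
  c.key = cipher_key(srv_passwd)
  c.iv  = ZERO_IV
  token = c.update("#{srv_user}:#{target_user}:#{expire}") + c.final
  "#{srv_user}:#{target_user}:#{Base64.strict_encode64(token)}"
end

# Server side: decrypt the third field, require that it names the same
# users as the clear fields, and that it has not expired.
# Returns false for malformed or undecryptable tokens. A third field that
# is not a whole number of 16-byte blocks after Base64 decoding (e.g. the
# 40-char sha1 hex sent in test_request_1) raises CipherError with the
# message "wrong final block length", the one in the oned log above.
def check_token(session, srv_passwd, now = Time.now.to_i)
  srv_user, target_user, token64 = session.split(':', 3)
  return false if token64.nil?
  c = OpenSSL::Cipher.new(CIPHER)
  c.decrypt
  c.key = cipher_key(srv_passwd)
  c.iv  = ZERO_IV
  plain = c.update(Base64.strict_decode64(token64)) + c.final
  p_srv, p_target, p_expire = plain.split(':', 3)
  return false unless p_srv == srv_user && p_target == target_user
  p_expire.to_i > now
rescue OpenSSL::Cipher::CipherError, ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  tok = login_token('serveradmin', 'secret', 'user_example', Time.now.to_i + 3600)
  puts tok
  puts check_token(tok, 'secret')
end
```

For "serveradmin:user_example:<10-digit expire>" the plaintext is 35 bytes, padded to 48, so the third field is 64 Base64 characters, the length captured in the thread. Because the IV is fixed and the first 16 plaintext bytes ("serveradmin:user") do not depend on the expire value, every token for the same user shares its first ciphertext block, which is why the two captured tokens above share a prefix; a fixed IV leaks equality of plaintext prefixes, so the scheme leans on TLS and on the secrecy of the serveradmin password rather than on the token being unlinkable. The PHP equivalent of the cipher step is openssl_encrypt($data, 'aes-256-cbc', $key, 0, str_repeat("\0", 16)), whose output with options 0 is already Base64; a random IV from mcrypt_create_iv(), as in test_aes_4, cannot be matched by a server that never sets one.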
