Support #41243
closed
Cannot access Sepia lab
Description
I recently changed my laptop and I am getting auth failure with previous key.
I did copy the entire sepia directory.
Do I have to generate new keys?
Username: varsha
openvpn debug
# systemctl status openvpn-client@sepia
● openvpn-client@sepia.service - OpenVPN tunnel for sepia
Loaded: loaded (/usr/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Wed 2019-08-14 15:42:58 IST; 16s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 4213 ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config sepia.conf (code=exited, status=0/SUCCESS)
Main PID: 4213 (code=exited, status=0/SUCCESS)
Status: "Pre-connection initialization successful"
Aug 14 15:42:55 localhost.localdomain openvpn[4213]: VERIFY KU OK
Aug 14 15:42:55 localhost.localdomain openvpn[4213]: Validating certificate extended key usage
Aug 14 15:42:55 localhost.localdomain openvpn[4213]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug 14 15:42:55 localhost.localdomain openvpn[4213]: VERIFY EKU OK
Aug 14 15:42:55 localhost.localdomain openvpn[4213]: VERIFY OK: depth=0, O=Redhat, CN=openvpn-sepia
Aug 14 15:42:57 localhost.localdomain openvpn[4213]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2432 bit RSA
Aug 14 15:42:57 localhost.localdomain openvpn[4213]: [openvpn-sepia] Peer Connection Initiated with [AF_INET]8.43.84.129:1194
Aug 14 15:42:58 localhost.localdomain openvpn[4213]: AUTH: Received control message: AUTH_FAILED
Aug 14 15:42:58 localhost.localdomain openvpn[4213]: SIGTERM[soft,auth-failure] received, process exiting
Aug 14 15:42:58 localhost.localdomain systemd[1]: openvpn-client@sepia.service: Succeeded.
# openvpn --config /etc/openvpn/client/sepia.conf --cd /etc/openvpn --verb 5 --auth-nocache
Wed Aug 14 15:36:06 2019 us=507862 WARNING: file '/etc/openvpn/client/sepia/tlsauth' is group or others accessible
Wed Aug 14 15:36:06 2019 us=507911 Current Parameter Settings:
Wed Aug 14 15:36:06 2019 us=507919 config = '/etc/openvpn/client/sepia.conf'
Wed Aug 14 15:36:06 2019 us=507926 mode = 0
Wed Aug 14 15:36:06 2019 us=507932 persist_config = DISABLED
Wed Aug 14 15:36:06 2019 us=507938 persist_mode = 1
Wed Aug 14 15:36:06 2019 us=507946 show_ciphers = DISABLED
Wed Aug 14 15:36:06 2019 us=507953 show_digests = DISABLED
Wed Aug 14 15:36:06 2019 us=507961 show_engines = DISABLED
Wed Aug 14 15:36:06 2019 us=507967 genkey = DISABLED
Wed Aug 14 15:36:06 2019 us=507973 key_pass_file = '[UNDEF]'
Wed Aug 14 15:36:06 2019 us=507980 NOTE: --mute triggered...
Wed Aug 14 15:36:06 2019 us=507992 273 variation(s) on previous 10 message(s) suppressed by --mute
Wed Aug 14 15:36:06 2019 us=508000 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Wed Aug 14 15:36:06 2019 us=508013 library versions: OpenSSL 1.1.1c FIPS 28 May 2019, LZO 2.08
Wed Aug 14 15:36:06 2019 us=508678 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 14 15:36:06 2019 us=508695 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 14 15:36:06 2019 us=508708 LZO compression initializing
Wed Aug 14 15:36:06 2019 us=508776 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Wed Aug 14 15:36:09 2019 us=521391 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Wed Aug 14 15:36:09 2019 us=521537 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Aug 14 15:36:09 2019 us=521573 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Aug 14 15:36:09 2019 us=523857 TCP/UDP: Preserving recently used remote address: [AF_INET]8.43.84.129:1194
Wed Aug 14 15:36:09 2019 us=524001 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Aug 14 15:36:09 2019 us=524039 UDP link local: (not bound)
Wed Aug 14 15:36:09 2019 us=524065 UDP link remote: [AF_INET]8.43.84.129:1194
Wed Aug 14 15:36:09 2019 us=524085 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
WRWed Aug 14 15:36:10 2019 us=11661 TLS: Initial packet from [AF_INET]8.43.84.129:1194, sid=58b9b2e0 ce9ba61f
WWRWed Aug 14 15:36:10 2019 us=527937 VERIFY OK: depth=1, O=Redhat, CN=openvpnca-sepia
Wed Aug 14 15:36:10 2019 us=528487 VERIFY KU OK
Wed Aug 14 15:36:10 2019 us=528537 Validating certificate extended key usage
Wed Aug 14 15:36:10 2019 us=528560 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Aug 14 15:36:10 2019 us=528578 VERIFY EKU OK
Wed Aug 14 15:36:10 2019 us=528602 VERIFY OK: depth=0, O=Redhat, CN=openvpn-sepia
WRWRWRWWed Aug 14 15:36:12 2019 us=449501 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2432 bit RSA
Wed Aug 14 15:36:12 2019 us=449624 [openvpn-sepia] Peer Connection Initiated with [AF_INET]8.43.84.129:1194
Wed Aug 14 15:36:13 2019 us=542340 SENT CONTROL [openvpn-sepia]: 'PUSH_REQUEST' (status=1)
WRRWed Aug 14 15:36:13 2019 us=971109 AUTH: Received control message: AUTH_FAILED
Wed Aug 14 15:36:13 2019 us=971484 TCP/UDP: Closing socket
Wed Aug 14 15:36:13 2019 us=971587 SIGTERM[soft,auth-failure] received, process exiting
ssh debug
[varsha@localhost ceph]$ ssh -vvv -i ~/.ssh/id_rsa varsha@teuthology.front.sepia.ceph.com
OpenSSH_8.0p1, OpenSSL 1.1.1c FIPS 28 May 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug2: checking match for 'final all' host teuthology.front.sepia.ceph.com originally teuthology.front.sepia.ceph.com
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug2: checking match for 'final all' host teuthology.front.sepia.ceph.com originally teuthology.front.sepia.ceph.com
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug2: resolving "teuthology.front.sepia.ceph.com" port 22
debug2: ssh_connect_direct
debug1: Connecting to teuthology.front.sepia.ceph.com [172.21.0.51] port 22.
debug1: connect to address 172.21.0.51 port 22: Connection timed out
ssh: connect to host teuthology.front.sepia.ceph.com port 22: Connection timed out
Updated by David Galloway over 4 years ago
- Category set to User access
- Status changed from New to 4
- Assignee set to David Galloway
I can see in our ansible inventory that your username should be 'varsha@local', but OpenVPN is attempting to connect as 'varsha@localhost'.
Can you try replacing 'localhost' with 'local' in /etc/openvpn/sepia/secret and restart the service?
If that doesn't work, you'll need to sudo rm -rf /etc/openvpn/sepia* /etc/openvpn/client/sepia* and start over with the VPN setup: https://wiki.sepia.ceph.com/doku.php?id=vpnaccess#linux
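An added example (not part of the ticket or of the Sepia tooling) that checks the two client-side problems visible in this thread before credentials are regenerated: the username stored in the secret file and the permission warning OpenVPN printed for tlsauth. It assumes the secret file carries the username on its first line, as an OpenVPN auth-user-pass file does, and that both files sit in the directory passed as the first argument; `audit_client` and `is_private` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client credential directory.
# Assumptions: <dir>/secret has the username on line 1 and <dir>/tlsauth
# is the static key named in the permission warning in the log.

# Succeeds only if group and others have no access to the file.
is_private() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_client DIR EXPECTED_USER
# Prints one finding per line; the return status is the number of findings.
audit_client() {
    dir=$1 expected=$2 findings=0
    for f in secret tlsauth; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $dir/$f"
            findings=$((findings + 1))
        elif ! is_private "$dir/$f"; then
            echo "PERMS $dir/$f is group or others accessible"
            findings=$((findings + 1))
        fi
    done
    if [ -f "$dir/secret" ]; then
        # Drop a trailing CR in case the file was edited on another OS.
        user=$(head -n 1 "$dir/secret" | tr -d '\r')
        if [ "$user" != "$expected" ]; then
            echo "USER secret has '$user', server expects '$expected'"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Constructed sample reproducing the ticket: wrong username suffix and a
# world-readable tlsauth file. File contents are placeholders.
demo=$(mktemp -d)
printf 'varsha@localhost\nconstructed-secret\n' > "$demo/secret"
echo 'constructed key' > "$demo/tlsauth"
chmod 600 "$demo/secret"
chmod 644 "$demo/tlsauth"
audit_client "$demo" 'varsha@local' || echo "findings: $?"
rm -rf "$demo"
```

A clean result does not rule out AUTH_FAILED: the server can still reject the secret itself, which is what the follow-up in this ticket resolved by registering new credentials.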
Updated by Varsha Rao over 4 years ago
Replacing localhost with local did not resolve the issue.
VPN credentials
varsha@local AGrJViO6wZF253aFeh/r5w f1248029ccdc45fd6e8fddb09ab3f8aa01123ab69cc6f3f11273528ce33e5a31
SSH key
ssh-rsa […] varsha@localhost.localdomain
Please update the ssh key too.
Updated by adam kraitman over 4 years ago
Hi Varsha,
I added your new VPN credentials and SSH key. Please try now.