Project

General

Profile

Support #41243

Cannot access Sepia lab

Added by Varsha Rao about 1 month ago. Updated 26 days ago.

Status:
Resolved
Priority:
Normal
Category:
User access
Target version:
-
Start date:
Due date:
% Done:

0%

Tags:
Reviewed:
Affected Versions:

Description

I recently changed my laptop and I am getting auth failure with previous key.
I did copy the entire sepia directory.
Do I have to generate new keys?

Username: varsha

openvpn debug

# systemctl status openvpn-client@sepia
‚óŹ openvpn-client@sepia.service - OpenVPN tunnel for sepia
   Loaded: loaded (/usr/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2019-08-14 15:42:58 IST; 16s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 4213 ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config sepia.conf (code=exited, status=0/SUCCESS)
 Main PID: 4213 (code=exited, status=0/SUCCESS)
   Status: "Pre-connection initialization successful" 

Aug 14 15:42:55 localhost.localdomain openvpn[4213]: VERIFY KU OK
Aug 14 15:42:55 localhost.localdomain openvpn[4213]: Validating certificate extended key usage
Aug 14 15:42:55 localhost.localdomain openvpn[4213]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug 14 15:42:55 localhost.localdomain openvpn[4213]: VERIFY EKU OK
Aug 14 15:42:55 localhost.localdomain openvpn[4213]: VERIFY OK: depth=0, O=Redhat, CN=openvpn-sepia
Aug 14 15:42:57 localhost.localdomain openvpn[4213]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2432 bit RSA
Aug 14 15:42:57 localhost.localdomain openvpn[4213]: [openvpn-sepia] Peer Connection Initiated with [AF_INET]8.43.84.129:1194
Aug 14 15:42:58 localhost.localdomain openvpn[4213]: AUTH: Received control message: AUTH_FAILED
Aug 14 15:42:58 localhost.localdomain openvpn[4213]: SIGTERM[soft,auth-failure] received, process exiting
Aug 14 15:42:58 localhost.localdomain systemd[1]: openvpn-client@sepia.service: Succeeded.

# openvpn --config /etc/openvpn/client/sepia.conf --cd /etc/openvpn --verb 5 --auth-nocache
Wed Aug 14 15:36:06 2019 us=507862 WARNING: file '/etc/openvpn/client/sepia/tlsauth' is group or others accessible
Wed Aug 14 15:36:06 2019 us=507911 Current Parameter Settings:
Wed Aug 14 15:36:06 2019 us=507919   config = '/etc/openvpn/client/sepia.conf'
Wed Aug 14 15:36:06 2019 us=507926   mode = 0
Wed Aug 14 15:36:06 2019 us=507932   persist_config = DISABLED
Wed Aug 14 15:36:06 2019 us=507938   persist_mode = 1
Wed Aug 14 15:36:06 2019 us=507946   show_ciphers = DISABLED
Wed Aug 14 15:36:06 2019 us=507953   show_digests = DISABLED
Wed Aug 14 15:36:06 2019 us=507961   show_engines = DISABLED
Wed Aug 14 15:36:06 2019 us=507967   genkey = DISABLED
Wed Aug 14 15:36:06 2019 us=507973   key_pass_file = '[UNDEF]'
Wed Aug 14 15:36:06 2019 us=507980 NOTE: --mute triggered...
Wed Aug 14 15:36:06 2019 us=507992 273 variation(s) on previous 10 message(s) suppressed by --mute
Wed Aug 14 15:36:06 2019 us=508000 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Wed Aug 14 15:36:06 2019 us=508013 library versions: OpenSSL 1.1.1c FIPS  28 May 2019, LZO 2.08
Wed Aug 14 15:36:06 2019 us=508678 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 14 15:36:06 2019 us=508695 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 14 15:36:06 2019 us=508708 LZO compression initializing
Wed Aug 14 15:36:06 2019 us=508776 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Wed Aug 14 15:36:09 2019 us=521391 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Wed Aug 14 15:36:09 2019 us=521537 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Aug 14 15:36:09 2019 us=521573 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Aug 14 15:36:09 2019 us=523857 TCP/UDP: Preserving recently used remote address: [AF_INET]8.43.84.129:1194
Wed Aug 14 15:36:09 2019 us=524001 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Aug 14 15:36:09 2019 us=524039 UDP link local: (not bound)
Wed Aug 14 15:36:09 2019 us=524065 UDP link remote: [AF_INET]8.43.84.129:1194
Wed Aug 14 15:36:09 2019 us=524085 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
WRWed Aug 14 15:36:10 2019 us=11661 TLS: Initial packet from [AF_INET]8.43.84.129:1194, sid=58b9b2e0 ce9ba61f
WWRWed Aug 14 15:36:10 2019 us=527937 VERIFY OK: depth=1, O=Redhat, CN=openvpnca-sepia
Wed Aug 14 15:36:10 2019 us=528487 VERIFY KU OK
Wed Aug 14 15:36:10 2019 us=528537 Validating certificate extended key usage
Wed Aug 14 15:36:10 2019 us=528560 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Aug 14 15:36:10 2019 us=528578 VERIFY EKU OK
Wed Aug 14 15:36:10 2019 us=528602 VERIFY OK: depth=0, O=Redhat, CN=openvpn-sepia
WRWRWRWWed Aug 14 15:36:12 2019 us=449501 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2432 bit RSA
Wed Aug 14 15:36:12 2019 us=449624 [openvpn-sepia] Peer Connection Initiated with [AF_INET]8.43.84.129:1194
Wed Aug 14 15:36:13 2019 us=542340 SENT CONTROL [openvpn-sepia]: 'PUSH_REQUEST' (status=1)
WRRWed Aug 14 15:36:13 2019 us=971109 AUTH: Received control message: AUTH_FAILED
Wed Aug 14 15:36:13 2019 us=971484 TCP/UDP: Closing socket
Wed Aug 14 15:36:13 2019 us=971587 SIGTERM[soft,auth-failure] received, process exiting

ssh debug
[varsha@localhost ceph]$ ssh -vvv -i ~/.ssh/id_rsa varsha@teuthology.front.sepia.ceph.com
OpenSSH_8.0p1, OpenSSL 1.1.1c FIPS  28 May 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug2: checking match for 'final all' host teuthology.front.sepia.ceph.com originally teuthology.front.sepia.ceph.com
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug2: checking match for 'final all' host teuthology.front.sepia.ceph.com originally teuthology.front.sepia.ceph.com
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug2: resolving "teuthology.front.sepia.ceph.com" port 22
debug2: ssh_connect_direct
debug1: Connecting to teuthology.front.sepia.ceph.com [172.21.0.51] port 22.
debug1: connect to address 172.21.0.51 port 22: Connection timed out
ssh: connect to host teuthology.front.sepia.ceph.com port 22: Connection timed out

History

#1 Updated by David Galloway about 1 month ago

  • Category set to User access
  • Status changed from New to Feedback
  • Assignee set to David Galloway

I can see in our ansible inventory that your username should be 'varsha@local' but OpenVPN is attempting to connect as 'varsha@localhost'

Can you try replacing 'localhost' with 'local' in /etc/openvpn/sepia/secret and restart the service?

If that doesn't work, you'll need to sudo rm -rf /etc/openvpn/sepia* /etc/openvpn/client/sepia* and start over with the VPN setup: https://wiki.sepia.ceph.com/doku.php?id=vpnaccess#linux

#2 Updated by Varsha Rao about 1 month ago

Replacing localhost with local did not resolve the issue.

VPN credentials

varsha@local AGrJViO6wZF253aFeh/r5w f1248029ccdc45fd6e8fddb09ab3f8aa01123ab69cc6f3f11273528ce33e5a31

SSH key

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcQ8xMjwVf+KiFIQARcbFT+wg4NHysBRrFxk3Bx5X2k2hGKcEYR2tY/ApHZYfJ6me3LUvJEXg2c/6xa6ibVTUp/90l4y0cF6RmF5uB45J0xuBYoFJd8xJkVrhDIlZix4aFfb7TrmJEqjleBrkTwam7Q9aE3lss16nVOxU4hiViYiCANJ45wobK6tz7y5btfzrHE/iYpwniDvzLwK7EpkEK336VVd6f9wV0vG+ErEFxnNVxheXLLm05LuvdVQvFqJcTFrc7/GZ54yKg5IgwVwXqSAyOXIhgduUqk+oN1ciA7jnSqdiOKQPS/VmYkbhw2YP85l8wGVreIYUmOG19QEyVLB82oB9KS1LezM2KCH61XW22+85dHf4PvuL9DULhGt6wBCvpO10OHxw0JvHXbEgBPhiyd9j2yJmcQozbRPth/sMUvLKNXOGabZhhkPBYL7xZICHc+UwxrXs0h/j9jOjLyHzBAWMomF2lzgbvtzjcbxJ1a5oclJ6IW8yHJllkOh0= varsha@localhost.localdomain

Please update the ssh key too.

#3 Updated by adam kraitman 28 days ago

Hi Varsha,
I added your new vpn credentials and ssh key, Please try now

#4 Updated by Varsha Rao 26 days ago

Thanks Adam and David, it works now.

#5 Updated by David Galloway 26 days ago

  • Status changed from Feedback to Resolved

Also available in: Atom PDF