Support #47867

Sepia Lab Access Request

Added by Josh Salomon over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: User access
Target version: -
% Done: 0%
Tags:
Reviewed:
Affected Versions:

Description

1) Do you just need VPN access or will you also be running teuthology jobs? ONLY VPN

2) Desired Username: jsalomon

3) Alternate e-mail address(es) we can reach you at:

4) If you don't already have an established history of code contributions to Ceph, is there an existing community or core developer you've worked with who has reviewed your work and can vouch for your access request? Orit Wasserman, Mark Kogan

If you answered "No" to # 4, please answer the following (paste directly below the question to keep indentation):

4a) Paste a link to a Blueprint or planning doc of yours that was reviewed at a Ceph Developer Monthly.

4b) Paste a link to an accepted pull request for a major patch or feature.

4c) If applicable, include a link to the current project (planning doc, dev branch, or pull request) that you are looking to test.

5) Paste your SSH public key(s) between the pre tags

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBYtdHKBXQcXQFkEW8fSwlFK/xZM16VcFY288ABI/DPfejTStHhxiRvmlsWzMy0Ar5WadZ8FU1ptjA3MKBEY1Do1r1Ul369k3zHCvxXyg9QGGMNPYfHmnNeoF4GEgoJpuounPs0mkLmrPTR+cR+/XuaZZt38nsad8M/zJetnolvqCWpcV87D7+Rt8F32J6kGDknC4ikEe8I0n7F+goOmJhlgkqegbKEeJ/EMnOItwVZHFwaC+sxOq4IlYp2f1aZMKGAtr5+ICwYH1SMCcvnp3qWL8O//t2tvguZgQxzIs6Nf5GaxwdQkh4CvjbWiCkIbGFJ57YICS6k++KMXMbEnwh jsalomon@Josh-laptop.tlv.redhat.com

6) Paste your hashed VPN credentials between the pre tags (Format: user@hostname 22CharacterSalt 65CharacterHashedPassword)

jsalomon@Josh-laptop bx1T0aYlusvDbpwouDUqrQ 63d552b49c3c3797ba4d65e87e0b7f3fa76cf8114ff61c38e7ce12ef534ed7f6

Attachments:

sepia.conf (274 Bytes) Josh Salomon, 10/25/2020 02:10 PM

open-vpn-verbose.txt - openvpn --config /etc/openvpn/client/sepia.conf --cd /etc/openvpn/client --verb 11 (37.1 KB) Josh Salomon, 10/27/2020 07:54 AM

History

#1 Updated by adam kraitman over 3 years ago

  • Category set to User access
  • Status changed from New to In Progress
  • Assignee set to adam kraitman

#2 Updated by adam kraitman over 3 years ago

Hi Josh,

You should have access to the Sepia lab now. Please verify you're able to connect to the vpn and ssh using the private key matching the pubkey you provided.

Be sure to check out the following links for final workstation setup steps:
https://wiki.sepia.ceph.com/doku.php?id=vpnaccess#vpn_client_access
https://wiki.sepia.ceph.com/doku.php?id=testnodeaccess#ssh_config

Most developers choose to schedule runs from the shared teuthology VM. For information on that, see http://docs.ceph.com/teuthology/docs/intro_testers.html

Thanks

#3 Updated by Josh Salomon over 3 years ago

Hi,
I still can't connect to the VPN; I get an AUTH_FAILED response all the time.
I attach the config file.

See the output of the command:
openvpn --config /etc/openvpn/client/sepia.conf --cd /etc/openvpn/client --verb 5

Sun Oct 25 16:02:37 2020 us=740111 WARNING: file 'sepia/tlsauth' is group or others accessible
Sun Oct 25 16:02:37 2020 us=740360 Current Parameter Settings:
Sun Oct 25 16:02:37 2020 us=740397 config = '/etc/openvpn/client/sepia.conf'
Sun Oct 25 16:02:37 2020 us=740424 mode = 0
Sun Oct 25 16:02:37 2020 us=740447 persist_config = DISABLED
Sun Oct 25 16:02:37 2020 us=740491 persist_mode = 1
Sun Oct 25 16:02:37 2020 us=740520 show_ciphers = DISABLED
Sun Oct 25 16:02:37 2020 us=740546 show_digests = DISABLED
Sun Oct 25 16:02:37 2020 us=740569 show_engines = DISABLED
Sun Oct 25 16:02:37 2020 us=740597 genkey = DISABLED
Sun Oct 25 16:02:37 2020 us=740623 key_pass_file = '[UNDEF]'
Sun Oct 25 16:02:37 2020 us=740647 NOTE: --mute triggered...
Sun Oct 25 16:02:37 2020 us=740691 273 variation(s) on previous 10 message(s) suppressed by --mute
Sun Oct 25 16:02:37 2020 us=740720 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 19 2020
Sun Oct 25 16:02:37 2020 us=740772 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.10
Sun Oct 25 16:02:37 2020 us=748014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 25 16:02:37 2020 us=748075 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Oct 25 16:02:37 2020 us=748119 LZO compression initializing
Sun Oct 25 16:02:37 2020 us=748377 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sun Oct 25 16:02:37 2020 us=773348 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sun Oct 25 16:02:37 2020 us=773490 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sun Oct 25 16:02:37 2020 us=773520 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sun Oct 25 16:02:37 2020 us=774343 TCP/UDP: Preserving recently used remote address: [AF_INET]8.43.84.129:1194
Sun Oct 25 16:02:37 2020 us=774421 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Oct 25 16:02:37 2020 us=774444 UDP link local: (not bound)
Sun Oct 25 16:02:37 2020 us=774479 UDP link remote: [AF_INET]8.43.84.129:1194
Sun Oct 25 16:02:37 2020 us=774500 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
WRSun Oct 25 16:02:37 2020 us=940822 TLS: Initial packet from [AF_INET]8.43.84.129:1194, sid=e438cf52 5be85f96
WSun Oct 25 16:02:37 2020 us=941178 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
WRSun Oct 25 16:02:39 2020 us=49958 VERIFY OK: depth=1, O=Redhat, CN=openvpnca-sepia
Sun Oct 25 16:02:39 2020 us=50634 VERIFY KU OK
Sun Oct 25 16:02:39 2020 us=50691 Validating certificate extended key usage
Sun Oct 25 16:02:39 2020 us=50721 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Oct 25 16:02:39 2020 us=50756 VERIFY EKU OK
Sun Oct 25 16:02:39 2020 us=50778 VERIFY OK: depth=0, O=Redhat, CN=openvpn-sepia
WRWRWRWSun Oct 25 16:02:40 2020 us=478373 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2432 bit RSA
Sun Oct 25 16:02:40 2020 us=478491 [openvpn-sepia] Peer Connection Initiated with [AF_INET]8.43.84.129:1194
Sun Oct 25 16:02:41 2020 us=628395 SENT CONTROL [openvpn-sepia]: 'PUSH_REQUEST' (status=1)
WRRSun Oct 25 16:02:41 2020 us=809342 AUTH: Received control message: AUTH_FAILED
Sun Oct 25 16:02:41 2020 us=809712 TCP/UDP: Closing socket
Sun Oct 25 16:02:41 2020 us=809797 SIGTERM[soft,auth-failure] received, process exiting

#4 Updated by adam kraitman over 3 years ago

Please run this -
sed -i 's/nobody/openvpn/g' /etc/openvpn/sepia/client.conf || sed -i 's/nobody/openvpn/g' /etc/openvpn/client/sepia/client.conf
sed -i 's/nogroup/openvpn/g' /etc/openvpn/sepia/client.conf || sed -i 's/nogroup/openvpn/g' /etc/openvpn/client/sepia/client.conf

And then restart the openvpn service and try to connect

Thanks

#5 Updated by Josh Salomon over 3 years ago

Already did so before I opened the ticket - look at the file I attached, it is already after these changes.

#6 Updated by David Galloway over 3 years ago

Did you re-run the new-client script? It's unfortunately not idempotent so if you re-ran it and still have the output, we'll need the new string it printed. If you don't have the output, please re-run it again and send the new string.

I see a couple of things on the server side. You did successfully authenticate at one point but your VPN client sent a private IP as your IP so the server dropped your connection.

Oct 25 13:04:43 gw openvpn: Sun Oct 25 13:04:43 2020 us=137059 185.175.35.246:42821 TLS: Username/Password authentication succeeded for username 'jsalomon@Josh-laptop' [CN SET]

...

Oct 25 13:04:44 gw openvpn: Sun Oct 25 13:04:44 2020 us=634953 jsalomon@Josh-laptop/185.175.35.246:42821 MULTI: bad source address from client [192.168.1.26], packet dropped

Then every instance of your username in the server log after that indicates either your secret file got mangled or overwritten by the new-client script being re-run.
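The server-side reading described in comment #6, as an added example that is not part of the ticket or the Sepia tooling: it groups OpenVPN server log lines by peer address and reports whether a client authenticated, had packets dropped for a bad source address, or was rejected. The sample lines are constructed, and the rejection line is OpenVPN's standard `TLS Auth Error` message, which the ticket does not quote.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the server log lines quoted above
# (documentation addresses and made-up users; not data from the ticket).
SAMPLE_LOG = """\
Oct 25 13:04:43 gw openvpn: Sun Oct 25 13:04:43 2020 us=137059 203.0.113.7:42821 TLS: Username/Password authentication succeeded for username 'alice@laptop' [CN SET]
Oct 25 13:04:44 gw openvpn: Sun Oct 25 13:04:44 2020 us=634953 alice@laptop/203.0.113.7:42821 MULTI: bad source address from client [192.168.1.26], packet dropped
Oct 25 13:09:10 gw openvpn: Sun Oct 25 13:09:10 2020 us=100200 203.0.113.7:50112 TLS Auth Error: Auth Username/Password verification failed for peer
Oct 25 13:12:02 gw openvpn: Sun Oct 25 13:12:02 2020 us=551000 198.51.100.9:40001 TLS: Username/Password authentication succeeded for username 'bob@desk' [CN SET]
"""

PEER = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+"
RULES = [
    ("auth_ok", re.compile(PEER + r" TLS: Username/Password authentication "
                           r"succeeded for username '(?P<user>[^']+)'")),
    ("bad_source", re.compile(r"(?P<user>[^\s/]+)/" + PEER + r" MULTI: bad "
                              r"source address from client \[(?P<src>[^\]]+)\]")),
    ("auth_failed", re.compile(PEER + r" TLS Auth Error: Auth Username/Password "
                               r"verification failed")),
]

def verdict(events):
    """Summarise one peer's ordered (event, detail) list."""
    names = [name for name, _ in events]
    if names and names[-1] == "auth_failed":
        return "credentials rejected (compare client secret with registered hash)"
    if "bad_source" in names:
        src = next(d for n, d in events if n == "bad_source")
        kind = "private" if ipaddress.ip_address(src).is_private else "public"
        return f"authenticated, then packets dropped: {kind} source {src}"
    return "authenticated" if "auth_ok" in names else "no auth events"

def triage(log_text):
    """Return {peer_ip: {"user", "events", "verdict"}}, events in log order."""
    peers = defaultdict(lambda: {"user": None, "events": []})
    for line in log_text.splitlines():
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                fields = m.groupdict()
                peer = peers[fields["ip"]]
                # Failure lines carry no username, so keep the last one seen.
                peer["user"] = fields.get("user") or peer["user"]
                peer["events"].append((name, fields.get("src")))
                break
    return {ip: dict(p, verdict=verdict(p["events"])) for ip, p in peers.items()}

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info["user"], "->", info["verdict"])
```

Grouping is by peer address because the rejection line does not name the user; behind shared NAT, several users can fall under one address.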

#7 Updated by Josh Salomon over 3 years ago

OK - I ran new-client again; this is the output:

jsalomon@Josh-laptop d/6EBHirWQUGFG37CkQJzw 53c3c314cb77ea724783dd44e6e2e8eb3d3dcb9cdbe76b6d2968f8fa58f8f89d

#8 Updated by adam kraitman over 3 years ago

Hey Josh, I added your new cred; you can try to ssh.

#9 Updated by Josh Salomon over 3 years ago

Still doesn't work :-(. The problem is not with the ssh, the problem is with establishing the VPN connection. I attach below the output of the openvpn command, which eventually returns AUTH_FAILED.

openvpn --config /etc/openvpn/client/sepia.conf --cd /etc/openvpn/client --verb 5
Tue Oct 27 09:47:56 2020 us=596295 WARNING: file 'sepia/tlsauth' is group or others accessible
Tue Oct 27 09:47:56 2020 us=596481 Current Parameter Settings:
Tue Oct 27 09:47:56 2020 us=596514 config = '/etc/openvpn/client/sepia.conf'
Tue Oct 27 09:47:56 2020 us=596543 mode = 0
Tue Oct 27 09:47:56 2020 us=596587 persist_config = DISABLED
Tue Oct 27 09:47:56 2020 us=596612 persist_mode = 1
Tue Oct 27 09:47:56 2020 us=596635 show_ciphers = DISABLED
Tue Oct 27 09:47:56 2020 us=596659 show_digests = DISABLED
Tue Oct 27 09:47:56 2020 us=596700 show_engines = DISABLED
Tue Oct 27 09:47:56 2020 us=596726 genkey = DISABLED
Tue Oct 27 09:47:56 2020 us=596749 key_pass_file = '[UNDEF]'
Tue Oct 27 09:47:56 2020 us=596772 NOTE: --mute triggered...
Tue Oct 27 09:47:56 2020 us=596872 273 variation(s) on previous 10 message(s) suppressed by --mute
Tue Oct 27 09:47:56 2020 us=596899 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 19 2020
Tue Oct 27 09:47:56 2020 us=596961 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.10
Tue Oct 27 09:47:56 2020 us=614134 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 27 09:47:56 2020 us=614169 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 27 09:47:56 2020 us=614193 LZO compression initializing
Tue Oct 27 09:47:56 2020 us=614323 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Tue Oct 27 09:47:57 2020 us=165168 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Oct 27 09:47:57 2020 us=165328 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Tue Oct 27 09:47:57 2020 us=165366 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Tue Oct 27 09:47:57 2020 us=166203 TCP/UDP: Preserving recently used remote address: [AF_INET]8.43.84.129:1194
Tue Oct 27 09:47:57 2020 us=166279 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Oct 27 09:47:57 2020 us=166313 UDP link local: (not bound)
Tue Oct 27 09:47:57 2020 us=166348 UDP link remote: [AF_INET]8.43.84.129:1194
Tue Oct 27 09:47:57 2020 us=166374 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
WRTue Oct 27 09:47:57 2020 us=336236 TLS: Initial packet from [AF_INET]8.43.84.129:1194, sid=ab21c798 3a571c4d
WTue Oct 27 09:47:57 2020 us=336547 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
WRTue Oct 27 09:47:57 2020 us=616128 VERIFY OK: depth=1, O=Redhat, CN=openvpnca-sepia
Tue Oct 27 09:47:57 2020 us=616530 VERIFY KU OK
Tue Oct 27 09:47:57 2020 us=616561 Validating certificate extended key usage
Tue Oct 27 09:47:57 2020 us=616574 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 27 09:47:57 2020 us=616585 VERIFY EKU OK
Tue Oct 27 09:47:57 2020 us=616595 VERIFY OK: depth=0, O=Redhat, CN=openvpn-sepia
WRWRWWRWTue Oct 27 09:47:59 2020 us=40265 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2432 bit RSA
Tue Oct 27 09:47:59 2020 us=40355 [openvpn-sepia] Peer Connection Initiated with [AF_INET]8.43.84.129:1194
RTue Oct 27 09:48:00 2020 us=506389 SENT CONTROL [openvpn-sepia]: 'PUSH_REQUEST' (status=1)
WRRTue Oct 27 09:48:00 2020 us=688189 AUTH: Received control message: AUTH_FAILED
Tue Oct 27 09:48:00 2020 us=688574 TCP/UDP: Closing socket
Tue Oct 27 09:48:00 2020 us=688666 SIGTERM[soft,auth-failure] received, process exiting

#10 Updated by Josh Salomon over 3 years ago

In the attached file is the output of openvpn with verbosity level 11

#11 Updated by adam kraitman over 3 years ago

  • Status changed from In Progress to Resolved
