Closed cromlegionar closed 4 years ago
Hi, it seems you configured everything well, because you successfully connected to the server. So, you are saying the SSH connection works fine? Then I do not know what can be wrong.
I have just tried to set up TLS from scratch and it worked fine, so my suggestion is to completely clean and reinstall sysrepo, keystored, and netopeer2-server and then try again. Also, what version of OpenSSL are you using?
Regards, Michal
Hello, thank you for your quick answer. Unfortunately, I cannot get the system running after a reinstall. I deleted all files with the install_manifest.txt files, deleted all GitHub clones, updated all my packages, cloned the repositories at the current version and cmake'd, make'd, and make installed everything. Now the server cannot set the hostkey "ssh-host_rsa_key" when a client is connecting:
[2018/12/03 18:04:22.968307, 1] ssh_pki_import_privkey_file: Error opening /usr/local/etc/keystored/keys/ssh_host_rsa_key.pem: No such file or directory
[ERR]: Failed to set hostkey "ssh_host_rsa_key" (/usr/local/etc/keystored/keys/ssh_host_rsa_key.pem).
client:
> connect
nc ERROR: Starting the SSH session failed (Socket error: Connection reset by peer).
cmd_connect: Connecting to the localhost:830 as user "root" failed.
I noticed that during the keystore installation a message like this one from "ssh-key-import.sh" popped up; sadly, I did not save the installation log:
Some ietf-keystore configuration set, skipping stock key configuration import.
Could you point out what I mixed up this time? The keystore dir /usr/local/etc/keystored/keys/ is indeed empty. Is there an easy way to repopulate it, or do I have to reinstall the whole setup? (If I left something out while de-/reinstalling everything, please tell me.)
Thank you for your help
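As an added example (not keystored or netopeer2 code), the following Python script takes server log lines of the form shown above, extracts the host key name and path from each "Failed to set hostkey" error, and checks the file on disk: present, non-empty, and not readable by group or others, which is what a server private key should look like. The log line format and the keystore path are taken from the thread; the key_dir parameter is an assumption for checking a copy of the directory.

```python
"""Check that the SSH host keys a netopeer2-server log complains about
exist in the keystored key directory and have safe permissions.
Added example, not keystored/netopeer2 code; the log line format follows
the error shown in the thread."""
import os
import re
import stat

# Server error format seen in the thread:
#   [ERR]: Failed to set hostkey "ssh_host_rsa_key" (/usr/local/etc/keystored/keys/ssh_host_rsa_key.pem).
HOSTKEY_ERR = re.compile(r'Failed to set hostkey "([^"]+)" \(([^)]+)\)')


def hostkey_paths_from_log(log_lines):
    """Return {key_name: path} for every 'Failed to set hostkey' line."""
    found = {}
    for line in log_lines:
        m = HOSTKEY_ERR.search(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def check_private_key(path):
    """Classify a private key file as 'missing', 'empty', 'world-readable',
    'group-readable' or 'ok'. A host private key should be mode 0600."""
    if not os.path.isfile(path):
        return "missing"
    st = os.stat(path)
    if st.st_size == 0:
        return "empty"
    if st.st_mode & stat.S_IROTH:
        return "world-readable"
    if st.st_mode & stat.S_IRGRP:
        return "group-readable"
    return "ok"


def check_keystore(log_lines, key_dir=None):
    """Map each host key named in the log to the state of its file.
    If key_dir is given (assumed parameter), the file name from the log is
    looked up there instead of at the absolute path from the log."""
    result = {}
    for name, path in hostkey_paths_from_log(log_lines).items():
        if key_dir is not None:
            path = os.path.join(key_dir, os.path.basename(path))
        result[name] = check_private_key(path)
    return result


if __name__ == "__main__":
    # Constructed sample: the two server log lines quoted in the thread.
    sample_log = [
        "[2018/12/03 18:04:22.968307, 1] ssh_pki_import_privkey_file: Error opening "
        "/usr/local/etc/keystored/keys/ssh_host_rsa_key.pem: No such file or directory",
        '[ERR]: Failed to set hostkey "ssh_host_rsa_key" '
        "(/usr/local/etc/keystored/keys/ssh_host_rsa_key.pem).",
    ]
    for name, state in check_keystore(sample_log).items():
        print(f"{name}: {state}")
```

Running it against the real server log on the affected host reports "missing" for ssh_host_rsa_key, matching the empty keystore directory described in the post; on a working install it should report "ok", and a "world-readable" or "group-readable" result means the key file permissions need tightening before the server is exposed.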
Hi,
I could have been more specific; probably the most important step is correctly reinstalling sysrepo, and we have recently added a make target uninstall_with_repo that should perform all that is needed. After that, install sysrepo, keystored, and netopeer2-server and pay special attention to the install output, as any problems should be displayed. If the installations finish successfully without warnings, it should all work fine.
Regards, Michal
Hello, I am sorry to bother you again (and for replying so late), but now I am running into an error I never had before. I reinstalled everything, and even installed the whole project from scratch onto a brand new Debian installation (on a PC which is physically identical to the one I am working on). I scanned through the whole installation log, but I could not find any errors. (I did not install valgrind, which is throwing a warning, but there were no serious/unexplainable messages.) Now the client disconnects from the server (because the encryption does not match?):
Client Log:
> connect
nc ERROR: Starting the SSH session failed (Public key from server (rsa-sha2-512) doesn't match user preference (ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ssh-rsa,ssh-dss)).
cmd_connect: Connecting to the localhost:830 as user "siemens" failed.
Server Log:
[INF]: Path "/ietf-netconf-server:netconf-server/listen/endpoint[name='all-interfaces']/name" created.
[INF]: Path "/ietf-netconf-server:netconf-server/listen/endpoint[name='all-interfaces']/ssh" created.
[INF]: Path "/ietf-netconf-server:netconf-server/listen/endpoint[name='all-interfaces']/ssh/address" created.
[INF]: Path "/ietf-netconf-server:netconf-server/listen/endpoint[name='all-interfaces']/ssh/port" created.
[INF]: Listening on 0.0.0.0:830 for SSH connections.
[INF]: Path "/ietf-netconf-server:netconf-server/listen/endpoint[name='all-interfaces']/ssh/host-keys" created.
[INF]: Path "/ietf-netconf-server:netconf-server/listen/endpoint[name='all-interfaces']/ssh/host-keys/host-key[name='imported SSH key']/name" created.
[INF]: Path "/ietf-netconf-server:netconf-server/listen/endpoint[name='all-interfaces']/ssh/host-keys/host-key[name='imported SSH key']/public-key" created.
[INF]: Accepted a connection on 0.0.0.0:830.
[2018/12/07 14:47:12.343262, 2] ssh_pki_import_privkey_base64: Trying to decode privkey passphrase=false
[2018/12/07 14:47:12.344929, 1] ssh_server_connection_callback: SSH client banner: SSH-2.0-libssh_0.8.90
[2018/12/07 14:47:12.344970, 1] ssh_analyze_banner: Analyzing banner: SSH-2.0-libssh_0.8.90
[2018/12/07 14:47:12.346293, 2] ssh_kex_select_methods: Negotiated curve25519-sha256,ssh-rsa,aes256-gcm@openssh.com,aes256-gcm@openssh.com,hmac-sha2-256,hmac-sha2-256,none,none,,
[2018/12/07 14:47:12.411862, 2] ssh_server_curve25519_init: SSH_MSG_KEX_ECDH_REPLY sent
[2018/12/07 14:47:12.411919, 2] ssh_server_curve25519_init: SSH_MSG_NEWKEYS sent
[2018/12/07 14:47:12.420715, 2] ssh_packet_newkeys: Received SSH_MSG_NEWKEYS
[2018/12/07 14:47:12.420873, 1] ssh_socket_exception_callback: Socket exception callback: 1 (0)
[2018/12/07 14:47:12.420881, 1] ssh_socket_exception_callback: Socket error: disconnected
[ERR]: Communication SSH socket unexpectedly closed.
I cannot recall doing anything different from when I used to get an SSH connection and only fail at the TLS connection; do you know what went wrong this time? Again, thank you very much for your help!
Regards, Kilian
Hi Kilian,
I would blame libssh for this, as you are using the latest master version, which is my guess. Try using libssh v0.8.5.
Regards, Michal
Hello Michal,
It actually was the master version of libssh which caused the problems, thank you (although it did originally work with the master version...). However, all of this did not solve the original problem. I noticed I placed the wrong log output into the server log for connect --tls (in the original post):
[INF]: Session 1: thread 0 event new RPC.
[INF]: Accepted a connection on 0.0.0.0:6513.
[INF]: Cert verify: depth 1.
[INF]: Cert verify: subject: /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.
[INF]: Cert verify: issuer: /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.
[INF]: Cert verify CTN: entry with a matching fingerprint found.
[INF]: Cert verify CTN: new client username recognized as "test".
[INF]: Cert verify: depth 0.
[INF]: Cert verify: subject: /C=CZ/ST=South Moravia/O=CESNET/OU=TMC/CN=example client/emailAddress=exampleclient@localhost.
[INF]: Cert verify: issuer: /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.
[INF]: Generated new event (netconf-session-start).
[INF]: Resolving unresolved data nodes and their constraints...
[INF]: All data nodes and constraints resolved.
[INF]: Resolving unresolved data nodes and their constraints...
[INF]: All data nodes and constraints resolved.
[INF]: Session 2: thread 1 event new RPC.
[ERR]: Session 2: reading from the TLS session failed (SSL code 1).
[INF]: Session 2: thread 3 event session terminated.
[INF]: Generated new event (netconf-session-end).
Also, I am currently using OpenSSL version 1.1.0j 20 Nov 2018. (Should I use another one?)
Hi, I do not know much about OpenSSL versions, but as long as you are using a specific release, I think it should be fine. So, what does the client print in this case? The server seems fine; the error occurs after you got authenticated.
Regards, Michal
Hi, The client in this case prints:
> connect --tls
nc ERROR: Session 2: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 2: failed to receive a reply to <get-schema>.
ly ERROR: Importing "ietf-datastores" module into "ietf-yang-library" failed.
nc ERROR: Session 2: invalid session to send RPCs.
nc ERROR: Session 2: failed to send the <get-schema> RPC.
nc ERROR: Session 2: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
>
UPDATE: It works, kind of. After a variable number of tries a connection can be established:
> connect --tls
nc ERROR: Session 2: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 2: failed to receive a reply to <get-schema>.
ly ERROR: Importing "ietf-datastores" module into "ietf-yang-library" failed.
nc ERROR: Session 2: invalid session to send RPCs.
nc ERROR: Session 2: failed to send the <get-schema> RPC.
nc ERROR: Session 2: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 3: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 3: failed to receive a reply to <get-schema>.
ly ERROR: Importing "ietf-datastores" module into "ietf-yang-library" failed.
nc ERROR: Session 3: invalid session to send RPCs.
nc ERROR: Session 3: failed to send the <get-schema> RPC.
nc ERROR: Session 3: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 4: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 4: failed to receive a reply to <get-schema>.
ly ERROR: Importing "ietf-datastores" module into "ietf-yang-library" failed.
nc ERROR: Session 4: invalid session to send RPCs.
nc ERROR: Session 4: failed to send the <get-schema> RPC.
nc ERROR: Session 4: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 5: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 5: failed to receive a reply to <get-schema>.
nc ERROR: Session 5: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 6: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 6: failed to receive a reply to <get-schema>.
nc ERROR: Session 6: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 7: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 7: failed to receive a reply to <get-schema>.
ly ERROR: Importing "id-ref-base" module into "id-ref-aug" failed.
nc ERROR: Session 7: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 8: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 8: failed to receive a reply to <get-schema>.
nc ERROR: Session 8: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 9: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 9: failed to receive a reply to <get-schema>.
nc ERROR: Session 9: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 10: communication channel unexpectedly closed.
nc ERROR: Session 10: failed to receive a reply to <get-schema>.
ly ERROR: Importing "ietf-datastores" module into "ietf-yang-library" failed.
nc ERROR: Session 10: invalid session to send RPCs.
nc ERROR: Session 10: failed to send the <get-schema> RPC.
nc ERROR: Session 10: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
>
I did not change anything since my last post.
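As an added example (not netopeer2 or libnetconf2 code), the following Python script parses netopeer2-cli output in the formats printed in this thread, both the SSH host key algorithm mismatch from the earlier post ("Public key from server (rsa-sha2-512) doesn't match user preference (...)") and the repeated TLS connect attempts above, and classifies every attempt. The mapping of rsa-sha2-256/512 to an ssh-rsa key follows RFC 8332; the line formats are those shown in the thread and the sample log is constructed from them.

```python
"""Triage netopeer2-cli output from repeated 'connect' attempts.
Added example, not netopeer2 code; line formats are the nc/ly ERROR,
cmd_connect and '>' prompt lines printed in the thread."""
import re
from collections import Counter

SESSION_ERR = re.compile(r"^nc ERROR: Session (\d+): (.*)$")
MODULE_ERR = re.compile(r'^ly ERROR: Importing "([^"]+)" module into "([^"]+)" failed\.$')
HOSTKEY_MISMATCH = re.compile(
    r"Public key from server \(([^)]+)\) doesn't match user preference \(([^)]+)\)")
CLOSED = re.compile(r"^communication (socket|channel) unexpectedly closed")
NO_REPLY = re.compile(r"^failed to receive a reply to (<[^>]+>)")


def hostkey_base_type(alg):
    """RFC 8332: rsa-sha2-256/512 are signature algorithms over an ssh-rsa key."""
    return "ssh-rsa" if alg in ("rsa-sha2-256", "rsa-sha2-512") else alg


def parse_hostkey_mismatch(line):
    """Return (server_alg, client_prefs, same_key_type) for a host key
    algorithm mismatch line, or None. same_key_type is True when the client
    would accept the key type but not the signature algorithm name."""
    m = HOSTKEY_MISMATCH.search(line)
    if not m:
        return None
    server_alg = m.group(1)
    prefs = m.group(2).split(",")
    same_type = hostkey_base_type(server_alg) in {hostkey_base_type(p) for p in prefs}
    return server_alg, prefs, same_type


def triage_client_log(lines):
    """Split the log into connect attempts (one per '> connect' prompt) and
    classify each as ok, closed, hostkey-mismatch or failed."""
    attempts = []
    cur = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("> connect"):
            cur = {"command": line[2:], "session": None, "outcome": "ok",
                   "closed_waiting_for": None, "modules_failed": []}
            attempts.append(cur)
            continue
        if cur is None:
            continue
        mm = parse_hostkey_mismatch(line)
        if mm:
            cur["outcome"] = "hostkey-mismatch"
            cur["server_alg"], cur["client_prefs"], cur["same_key_type"] = mm
            continue
        m = SESSION_ERR.match(line)
        if m:
            cur["session"] = int(m.group(1))
            msg = m.group(2)
            if CLOSED.match(msg):
                cur["outcome"] = "closed"
            nr = NO_REPLY.match(msg)
            if nr:
                # Records which RPC was outstanding when the session died.
                cur["closed_waiting_for"] = nr.group(1)
            continue
        m = MODULE_ERR.match(line)
        if m:
            cur["modules_failed"].append((m.group(1), m.group(2)))
            continue
        if line.startswith("cmd_connect:") and cur["outcome"] == "ok":
            cur["outcome"] = "failed"
    return attempts


def summarize(attempts):
    """Count attempts per outcome."""
    return Counter(a["outcome"] for a in attempts)


if __name__ == "__main__":
    # Constructed sample, assembled from lines quoted in the thread.
    sample = [
        "> connect --tls",
        "nc ERROR: Session 2: communication socket unexpectedly closed (OpenSSL).",
        "nc ERROR: Session 2: failed to receive a reply to <get-schema>.",
        'ly ERROR: Importing "ietf-datastores" module into "ietf-yang-library" failed.',
        "nc ERROR: Session 2: invalid session, discarding.",
        "cmd_connect: Connecting to the localhost:6513 failed.",
        "> connect --tls",
        ">",
    ]
    for a in triage_client_log(sample):
        print(a["command"], "->", a["outcome"], a["closed_waiting_for"], a["modules_failed"])
    print(dict(summarize(triage_client_log(sample))))
```

Run over the full client log above, every failing attempt is classified as "closed" while waiting for the reply to <get-schema>, which is after the TLS handshake and client certificate authentication have completed; that matches the server log, where certificate verification and the cert-to-name lookup succeed before the session is terminated. The "ly ERROR" module import lines are a consequence of the missing <get-schema> reply rather than a separate cause. For the SSH case, the parser also reports that rsa-sha2-512 is a signature algorithm over the same ssh-rsa key type the client lists, so the key itself is acceptable and only the algorithm name negotiated by the libssh version differs.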
Hi, that is all quite weird. I have somewhat improved error handling for TLS in libnetconf2; could you please update and try again?
Regards, Michal
Hi,
I rebuilt the project with your changes; this is the result. Server:
Accepted a connection on 0.0.0.0:6513.
[INF]: Cert verify: depth 1.
[INF]: Cert verify: subject: /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.
[INF]: Cert verify: issuer: /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.
[INF]: Cert verify CTN: entry with a matching fingerprint found.
[INF]: Cert verify CTN: new client username recognized as "test".
[INF]: Cert verify: depth 0.
[INF]: Cert verify: subject: /C=CZ/ST=South Moravia/O=CESNET/OU=TMC/CN=example client/emailAddress=exampleclient@localhost.
[INF]: Cert verify: issuer: /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.
[INF]: Generated new event (netconf-session-start).
[INF]: Resolving unresolved data nodes and their constraints...
[INF]: All data nodes and constraints resolved.
[INF]: Resolving unresolved data nodes and their constraints...
[INF]: All data nodes and constraints resolved.
[INF]: Session 2: thread 3 event new RPC.
[ERR]: Session 2: SSL error ((null)).
[INF]: Session 2: thread 0 event session terminated.
[INF]: Generated new event (netconf-session-end).
Client (connect --tls):
> connect --tls
nc ERROR: Session 2: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 2: failed to receive a reply to <get-schema>.
ly ERROR: Importing "ietf-datastores" module into "ietf-yang-library" failed.
nc ERROR: Session 2: invalid session to send RPCs.
nc ERROR: Session 2: failed to send the <get-schema> RPC.
nc ERROR: Session 2: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
Hi, this has given me more information, but we still do not know anything specific. I have made other changes hoping we could finally get an actual error, so please pull it and try again. Sorry that it was not already there but we have never really had any chance to test it until now, so thanks.
Regards, Michal
Hello Michal,
Sorry for letting you wait until now; I could not resume working on this any sooner.
Since your previous commit and my response to it, the only thing I did was pull the second commit, build and install it.
Now the client connects via connect --tls without any problems.
I only took a quick look at your changes, am I correct that you mainly added a more detailed error message output? Is this the result you expected?
Regards, Kilian
Hi Kilian, yes, I have only added code that should have generated an actual error message of what went wrong. If it is working for you now I highly doubt it is because of my changes. Anyway, if you encounter any problems in future, let us know.
Regards, Michal
Hello all,
I am just getting started with the topic of network configuration and am currently trying to set up a netopeer client<->server communication over TLS. I followed the instructions on how to configure TLS in netopeer as described here, but I cannot get the connection to survive the initial "connect --tls" communication:
Server Log:
edit-config:
connect --tls
Client Log:
As you can see, the error messages in the client are not consistent; I cannot figure out why this is. I am able to connect via SSH and perform get / get-config, edit-config (in order to change the config, as I am currently only modifying the running datastore).
At first I did not have a dummy "test" user, but adding him to my system did not change the error.
This is the complete config I am sending via the edit-config command:
I am sorry if I missed something obvious, as I said I am just getting started with this topic.