jsxc / xmpp-cloud-auth

:key: Authentication hub for Nextcloud+JSXC→Prosody, ejabberd, saslauthd, Postfix
https://www.jsxc.org
MIT License

Prosody authentication: Apache SSL Proxy problem #20

Closed MarcelWaldvogel closed 7 years ago

MarcelWaldvogel commented 7 years ago

@marxistvegan commented in #13:

Would it be possible to get access to that instance? (API secret, Nextcloud account, maybe even shell? By mail to mw@uni.kn; PGP accepted)

marxistvegan commented 7 years ago

API key and Nextcloud account certainly, shell that would be a little less likely from the security end... I can however provide what you need here. I will start with the -A and -I outputs and logs, but the logs have been short as in not really giving me anything

marxistvegan commented 7 years ago

-I output

root@hedy:/opt/xmpp-cloud-auth# ./external_cloud.py -t prosody -u https://DOMAIN/index.php/apps/ojsxc/ajax/externalApi.php -s API -l /var/log/prosody -I marxistvegan DOMAIN
2017-06-08 20:13:34,970 INFO: Start external auth script 0.2.1+ for prosody with endpoint: https://DOMAIN/index.php/apps/ojsxc/ajax/externalApi.php
2017-06-08 20:13:34,990 INFO: Starting new HTTPS connection (1): DOMAIN
2017-06-08 20:13:35,412 INFO: Cloud says user marxistvegan@DOMAIN exists
True
root@hedy:/opt/xmpp-cloud-auth#

-A output

root@hedy:/opt/xmpp-cloud-auth# ./external_cloud.py -t prosody -u https://DOMAIN/index.php/apps/ojsxc/ajax/externalApi.php -s pVmE4I7lWarSjp8evw+ZRKQ -l /var/log/prosody -A marxistvegan DOMAIN PASSWORD
2017-06-08 20:15:55,360 INFO: Start external auth script 0.2.1+ for prosody with endpoint: https://DOMIAN/index.php/apps/ojsxc/ajax/externalApi.php
2017-06-08 20:15:55,361 DEBUG: Log level: INFO
2017-06-08 20:15:55,361 DEBUG: Token is too short: 8 != 23 (maybe not a token?)
2017-06-08 20:15:55,378 INFO: Starting new HTTPS connection (1): DOMAIN
2017-06-08 20:15:55,910 DEBUG: "POST /index.php/apps/ojsxc/ajax/externalApi.php HTTP/1.1" 200 None
2017-06-08 20:15:55,917 INFO: SUCCESS: Cloud says password for marxistvegan@DOMAIN is valid
True
root@hedy:/opt/xmpp-cloud-auth# 

It is now spiting me, because now it rings true, but I am not able to log in via Nextcloud or Pidgin. In Nextcloud the 'wheels' keep turning and no result. Pidgin says Not Authorized

MarcelWaldvogel commented 7 years ago

I was assuming the "dev" in the domain name meant that it was an internal development test. Therefore, I dared to ask for the credentials.

With the result from your comment above, the cause may be the same as for #19, but let's keep the issues separate for now.

MarcelWaldvogel commented 7 years ago

Another debug aid, if the above is not conclusive:

Can you try calling the following script as the external authentication program from Prosody instead of external_cloud.py?

#!/bin/sh
# Send everything written to stderr (the date stamp below and socat's dumps) to /tmp/ec2.log
exec 2>>/tmp/ec2.log
date >&2
# Relay stdin/stdout between Prosody and external_cloud.py, logging socat's own
# messages to /tmp/ec.log and dumping the exchanged data as text (-v) and hex (-x)
socat -lf/tmp/ec.log -v -x - SYSTEM:"/opt/xmpp-cloud-auth/external_cloud.py"

(assuming the default paths, that socat is installed, and the script is executable).

It will log more to /tmp/ec*.log, including the actual data exchange (passwords, also in hex; so be careful when publishing them)
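The wrapper above records the raw exchange, passwords included. The following script is an added example (not part of xmpp-cloud-auth or of this thread) that logs the same request/response traffic with the password field masked, so the log can be shared when debugging. It assumes the standard Prosody mod_auth_external line format (`auth:user:domain:password`, `isuser:user:domain`, `setpass:user:domain:password`, answered with `0` or `1`), and the script path and log location are placeholders matching the defaults used in this thread.

```shell
#!/bin/sh
# Added example: log the Prosody <-> external_cloud.py exchange with secrets masked.
# Not project code; paths below are assumptions (override via environment).
#
# mod_auth_external sends one request per line on the script's stdin:
#   auth:<user>:<domain>:<password>      password check
#   isuser:<user>:<domain>               existence check
#   setpass:<user>:<domain>:<password>   password change
# and expects a single 0 or 1 line on stdout per request.
# Only auth: and setpass: lines carry a secret; everything else is safe to log.

# Read request lines on stdin, write them to stdout with the password
# field of auth:/setpass: lines replaced by "***".
redact_extauth() {
    sed -E 's/^((auth|setpass):[^:]*:[^:]*:).*$/\1***/'
}

# Drop-in replacement for the external auth command: forwards each request
# unchanged to the real script, appends a redacted copy of the request and
# the script's 0/1 verdict to a log file.
extauth_logged() {
    log=${EXTAUTH_LOG:-/tmp/ec-redacted.log}                        # assumption
    script=${EXTAUTH_SCRIPT:-/opt/xmpp-cloud-auth/external_cloud.py} # assumption
    while IFS= read -r req; do
        printf '%s\n' "$req" | redact_extauth >>"$log"
        printf '%s\n' "$req"
    done | "$script" "$@" | tee -a "$log"
}

# Stand-alone demo of the redaction on constructed requests:
#   sh ./extauth_logged.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf 'auth:alice:example.org:s3cret\nisuser:alice:example.org\n' | redact_extauth
fi
```

Point Prosody's `external_auth_command` at this wrapper instead of the plain socat script when the log will leave the machine; the socat version remains the better choice when the byte-level exchange itself is in question.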

marxistvegan commented 7 years ago

Thanks for being patient on this...so I will respond inline

Is apparmor active?

No it is not installed nor running via ps -eFH | grep apparmor and apt-cache policy apparmor not installed.

Is external_auth.py running on that machine?

Yep, running on the same server as the Nextcloud and Prosody

Does it create output to the extauth.{log,err} files?

To a point... extauth.log... nothing in the last two days which I find odd...

2017-06-06 19:41:59,545 INFO: Start external auth script 0.2.0+ for prosody with endpoint: https://DOMAIN/index.php/apps/ojsxc/ajax/externalApi.php
2017-06-06 19:46:46,386 INFO: Start external auth script 0.2.0+ for prosody with endpoint: https://DOMAIN/index.php/apps/ojsxc/ajax/externalApi.php
2017-06-07 18:19:24,347 INFO: Start external auth script 0.2.0+ for prosody with endpoint: https://DOMAIN/index.php/apps/ojsxc/ajax/externalApi.php
2017-06-07 19:00:53,565 INFO: Start external auth script 0.2.0+ for prosody with endpoint: https://DOMAIN/index.php/apps/ojsxc/ajax/externalApi.php
(END)

extauth.err... Also nothing new on this in the last two days

KeyboardInterrupt
Traceback (most recent call last):
File "./external_cloud.py", line 271, in <module>
for data in from_server(TYPE):
File "./external_cloud.py", line 129, in from_prosody
line = sys.stdin.readline()
KeyboardInterrupt

What does it say? (Preferably with debug enabled and the passwords redacted)

Let me see if the above is enough to determine anything otherwise I will run this.

Is there relevant output in the Prosody logs?

Not really

Jun 08 20:24:55 mod_posix       info    Prosody is about to detach from the console, disabling further console output
Jun 08 20:24:55 mod_posix       info    Successfully daemonized to PID 19516
Jun 09 13:10:58 s2sin1d40160    info    incoming s2s stream (unknown host)->. closed: This host does not serve .

marxistvegan commented 7 years ago

OK I think i found something in the apache logs...

[Sat Jun 10 00:41:30.071541 2017] [proxy:error] [pid 26000] AH00961: HTTPS: failed to enable ssl support for [::1]:5280 (localhost)
[Sat Jun 10 00:42:13.871335 2017] [ssl:error] [pid 32367] [remote ::1:5280] AH01961: SSL Proxy requested for DOMAIN:443 but not enabled [Hint: SSLProxyEngine]
[Sat Jun 10 00:42:13.871382 2017] [proxy:error] [pid 32367] AH00961: HTTPS: failed to enable ssl support for [::1]:5280 (localhost)

Not clear on the best solution

marxistvegan commented 7 years ago

Additional logs

Error while waiting for result from auth process: unknown error
Jun 10 00:59:02 c2s1d00f10  info    c2s stream for <73.123.224.216> closed: session closed
Jun 10 00:59:02 c2s1d00f10  info    Client disconnected: connection closed

MarcelWaldvogel commented 7 years ago

While trying to recreate the problems, I created installation instructions.

The Apache configuration needs an additional SSLProxyEngine On and — depending on your setup — also ProxyPreserveHost On (see here)

Can you try with this?
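The AH01961 ("SSL Proxy requested ... but not enabled [Hint: SSLProxyEngine]") and AH00961 ("failed to enable ssl support") errors quoted earlier in this thread are what Apache reports when a vhost proxies to an https:// backend without SSLProxyEngine On. The script below is an added example, not from the xmpp-cloud-auth project or its installation instructions: it holds a constructed vhost fragment that reproduces the symptom next to the corrected one, and a small check that flags the missing directive. The backend URL and ServerName are placeholders.

```shell
#!/bin/sh
# Added example (not project code): detect an Apache vhost that proxies to an
# https:// backend without "SSLProxyEngine On", the cause of AH01961/AH00961.

# Reads an Apache config fragment on stdin.
# Returns 1 if a ProxyPass/ProxyPassReverse target uses https:// but no
# "SSLProxyEngine On" is present, 0 otherwise.
check_ssl_proxy() {
    conf=$(cat)
    if printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*ProxyPass(Reverse)?[[:space:]].*https://'; then
        if printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*SSLProxyEngine[[:space:]]+On'; then
            echo "ok: https backend proxied with SSLProxyEngine On"
            return 0
        fi
        echo "misconfigured: https backend proxied without SSLProxyEngine On (expect AH01961/AH00961)"
        return 1
    fi
    echo "ok: no https backend"
    return 0
}

# Constructed fragments. DOMAIN and the backend URL are placeholders;
# use the Prosody HTTP endpoint from your own installation.
# BROKEN_CONF reproduces the thread's symptom: mod_proxy is asked to speak
# TLS to the backend but mod_ssl was never enabled for proxy connections.
BROKEN_CONF='<VirtualHost *:443>
    ServerName DOMAIN
    ProxyPass /http-bind https://localhost:PORT/http-bind
    ProxyPassReverse /http-bind https://localhost:PORT/http-bind
</VirtualHost>'

# FIXED_CONF adds SSLProxyEngine On; ProxyPreserveHost On is the optional
# setup-dependent directive mentioned above (keeps the original Host header
# so the backend sees DOMAIN instead of localhost).
FIXED_CONF='<VirtualHost *:443>
    ServerName DOMAIN
    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyPass /http-bind https://localhost:PORT/http-bind
    ProxyPassReverse /http-bind https://localhost:PORT/http-bind
</VirtualHost>'

# Stand-alone demo:  sh ./check_ssl_proxy.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$BROKEN_CONF" | check_ssl_proxy
    printf '%s\n' "$FIXED_CONF" | check_ssl_proxy
fi
```

Run the check against the live vhost file (`check_ssl_proxy < /etc/apache2/sites-enabled/DOMAIN.conf`) before reloading Apache; it only looks at the fragment it is given, so a `SSLProxyEngine On` inherited from an enclosing scope is not seen.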

MarcelWaldvogel commented 7 years ago

Assuming it works, please reopen if it does not work.