munged always denies credentials

Question

munged always denies credentials

Closed this issue 10 years ago · 6 comments

GoogleCodeExporter commented 10 years ago

Built MUNGE 0.5.10 (and .9) on a CentOS 5 system. Ran the munged. The munge -n | unmunge test results in lt-unmunge: Error: Invalid credential

Built MUNGE on an Ubuntu system, and copied it to the CentOS. Works fine. readelf shows that the same libraries are being used in both cases.

I've tried different compilers to no avail.

Original issue reported on code.google.com by arroosen on 18 Mar 2011 at 9:42

Answer 1 · 2015-05-15T22:16:31.000Z

We're currently running RHEL 5.5 in production, and a CentOS 5 system should be essentially identical. What is the output from lsb_release -a? What are the contents of config.log after having run configure? (please attach)

An invalid credential error can happen during decoding. It means the credential was successfully unpacked (i.e., the headers and whatnot were valid), but decryption failed (wrong key), the embedded MAC didn't match the computed MAC (contents altered), or decompression failed.

Your problem is rather odd. With munge -n | unmunge, both clients are presumably contacting the same munged, and thus using the same key. Passing the credential through a pipe shouldn't allow it to be altered. And compression is disabled by default.

Things you can check:

Does munged log any errors when this happens?
Are munge, unmunge, and munged linked against the same libmunge.so.2? (check with ldd)
Does /path/to/munge -n -o foo && /path/to/unmunge -i foo produce the same problem? Also, does "foo" look like a MUNGE credential (i.e., MUNGE:blahblahblah:)?
Does building & running this on a different CentOS 5 system produce the same problem?

Original comment by chris.m.dunlap on 20 Mar 2011 at 6:56

Answer 2 · 2015-05-15T22:16:31.000Z

Hi, thanks for the response. The problem seems odd to me, too :) .

I made a clean build in my home on another CentOS machine (though one managed similarly), and had it install under my home as well. Same problem. Tried munge -n -o file as suggested; produces something that looks okay but won't unmunge. I ran the munged with the -F flag, and got: munged: Info: Invalid credential. Nothing seems to be logged elsewhere.

lsb_release -a:
LSB 
Version:    :core-3.1-amd64:core-3.1-ia32:core-3.1-noarch:graphics-3.1-amd64:graphi
cs-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description:    CentOS release 5.5 (Final)
Release:    5.5
Codename:   Final

============

% ldd munge unmunge 
munge:
    libmunge.so.2 => /usa/roosen//munge/lib/libmunge.so.2 (0x00002ae9d1f13000)
    libc.so.6 => /lib64/libc.so.6 (0x00000031b5a00000)
    /lib64/ld-linux-x86-64.so.2 (0x00000031b5600000)
unmunge:
    libmunge.so.2 => /usa/roosen//munge/lib/libmunge.so.2 (0x00002afcf3e7d000)
    libc.so.6 => /lib64/libc.so.6 (0x00000031b5a00000)
    /lib64/ld-linux-x86-64.so.2 (0x00000031b5600000)

config.log.gz

Original comment by arroosen on 23 Mar 2011 at 8:03

Answer 3 · 2015-05-15T22:16:31.000Z

More things to check:

ldd munged
rpm -q openssl
munge -c0 -z0 -n | unmunge
build with ./configure --with-crypto-lib=libgcrypt, restart munged, then try munge -n | unmunge again

Original comment by chris.m.dunlap on 24 Mar 2011 at 7:24

Answer 4 · 2015-05-15T22:16:31.000Z

ldd sbin/munged

    libmunge.so.2 => /usa/roosen//munge/lib/libmunge.so.2 (0x00002afe0dd57000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00000031b6600000)
    libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x00000031ca400000)
    libz.so.1 => /usr/lib64/libz.so.1 (0x00000031b6a00000)
    libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00000031c1400000)
    libc.so.6 => /lib64/libc.so.6 (0x00000031b5a00000)
    /lib64/ld-linux-x86-64.so.2 (0x00000031b5600000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00000031b6200000)

% rpm -q openssl

openssl-0.9.8e-7.el5
openssl-0.9.8e-7.el5

Still invalid credential.
Well, how 'bout that: success! Thanks!

Original comment by arroosen on 28 Mar 2011 at 6:26

Answer 5 · 2015-05-15T22:16:31.000Z

Generating the credential with -c0 and -z0 disables encryption and compression. That leaves the only cause for an invalid credential error to be with the MAC.

Good to hear that building with libgcrypt works for you, although I'm still curious as to the problem you're having with openssl.

We're currently running with the latest openssl update (openssl-0.9.8e-12.el5_5.7). Can you try upgrading your openssl and then build with ./configure --with-crypto-lib=openssl, restart munged, and try munge -n | unmunge again?

Original comment by chris.m.dunlap on 28 Mar 2011 at 8:57

Answer 6 · 2015-05-15T22:16:31.000Z

I installed a CentOS 5.5 x86_64 system that should essentially match your setup. One difference is that the openssl rpm is at openssl-0.9.8e-12.el5_5.7. On this system, everything worked for me using both openssl and libgcrypt. I'm marking this issue as closed since everything works with openssl under CentOS 5.5 and since libgcrypt resolved your issue.

Original comment by chris.m.dunlap on 3 Jul 2011 at 9:36

Changed state: WorksForMe