Using PHPSecLib, What are some reasons that I get a null version when calling getSupportedVersions()? - centos

I am attempting to authenticate with a CentOS server using the PHPSecLib library, and now my password authentication is failing.
The platform that I am running on got a "security upgrade", but I was not involved in that process or in what they did to make changes. This has now resulted in array ( 'version' => NULL, ). The previous platform version would return array ( 'version' => 3, ).
I would guess that this is a bad server configuration, but I am not sure what setting would cause this mismatch. There is nothing in the /etc/ssh/sshd_config that is uncommented that would change the protocol.

The problem is that the password was flagged as an expired password. Even though the login was successful, PHPSecLib would fail to log in and not give a clear answer as to why.

Related

Perl Net::SFTP::Foreign password authentication. No key exchange setup can be done

I got the Net::SFTP::Foreign module installed and it is working fine for the key-exchange SFTP setup. But I need to set it up to use password-based authentication, where it should take the password that I pass to log in.
I have gone through multiple threads on this topic and found that it is somehow possible using the IO::Pty module of Perl. Below is the command that I found to use.
my $sftp = Net::SFTP::Foreign->new(
    $host,
    user     => $user,
    password => $password,
    more     => [
        -o => 'PreferredAuthentications=password,keyboard-interactive,publickey'
    ],
);
But here, in the preferred authentications, the public key is also being passed.
Can anyone please help me on this? What is the public key that is being referred here?
Also, can installing IO::Pty along with the Net::SFTP::Foreign module serve my requirement?
Please help.
Thanks and Regards,
Edu
I do not see a point of using the Net::SFTP::Foreign, use the native Net::SFTP.
Anyway, the PreferredAuthentications just lists your preference order of authentication mechanisms. The publickey does not refer to any specific key. It just says that the Net::SFTP::Foreign should try first password authentication, if that fails, try keyboard-interactive authentication, and only, if even that fails, try the public key authentication. Obviously, if you do not specify any key pair, the public key authentication won't be tried, even if listed.
See also the PreferredAuthentications entry in the ssh_config man page.
If you want to use the password authentication no matter what, there's no point listing the other methods, list just the password:
-o => 'PreferredAuthentications=password'
The IO::Pty is needed to implement the password authentication using the Net::SFTP::Foreign, but not when using the Net::SFTP (though that has other dependencies too).

Perl script using WWW::Mechanize to connect to https site just started failing

I have a Perl script that uses WWW::Mechanize to connect to a site over
https, and that script just stopped working the other day. The status
and error message I get back are 500 and "Can't connect to
jobs.illinois.edu:443". The URL I'm trying to connect to is
https://jobs.illinois.edu/. I can connect from my browser (Firefox).
My platform is Linux -- up-to-date Arch Linux. I can also connect
(using WWW::Mechanize) to other https sites.
I tried using LWP::UserAgent, and the behavior is the same.
I'm using ssl_opts => { SSL_version => 'TLSv1' }; I don't remember why
I added that -- it may have been necessary to get it working at some
point.
Any ideas on how to fix this, or how I might get more information as
to what the problem is? Are there other ssl options I can try?
I have a feeling there was some slight configuration change on the
site that led to this problem -- maybe some SSL-protocol version
change or something like that. (I don't think I updated anything
on my machine in between the times it worked and stopped working.)
Thanks.
Here's sample code that fails:
#!/usr/bin/perl
use strict;
use warnings;
use constant AJB_URL => 'https://jobs.illinois.edu/academic-job-board';
use WWW::Mechanize;
my $mech = WWW::Mechanize->new( ssl_opts => { SSL_version => 'TLSv1' } );
$mech->get( AJB_URL );
It returns:
Error GETing https://jobs.illinois.edu/academic-job-board: Can't connect to jobs.illinois.edu:443 at ./test2.pl line 12.
> ... that script just stopped working the other day.
Which in most cases is caused by server-side or client-side changes. But I assume that you did not make any changes on the client side.
Calling your code with perl -MIO::Socket::SSL=debug4... gives:
DEBUG: ...SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Looking at the SSLLabs report you see two trust paths, where one requires an extra download. The root-CA "USERTrust RSA Certification Authority" for the first trust path is not installed on my system (Ubuntu 14.04), and I guess it is not installed on yours (no information about your OS is known, so just guessing). This means the second trust chain will be used and the relevant Root-CA "AddTrust External CA Root" is also installed on my system. Unfortunately this trust chain is missing an intermediate certificate ("Extra download"), so the verification fails.
To fix the problem, find the missing root-CA which should match the fingerprint 2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e and use it:
$ENV{PERL_LWP_SSL_CA_FILE} = '2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e.pem';
Looking at the certificate you see that it was issued on 22 May 2015, i.e. three days ago. This explains why the problem happened just now.

silent failure when creating new Net::SMTP::SSL object

[Running perl 5.16.2 on OS X 10.9.5]
I have a little Secret Santa perl script I dust off once a year, and now this time it has decided to give me a hassle. (I do have a new computer as well, so there does exist a different environment from last year.) I am calling:
$smtp = Net::SMTP::SSL->new(Host => "mail.mydomain.org", Port => 465);
and when this returns, $smtp contains no value ('p $smtp' in the perl debugger just displays a blank line) and subsequent accesses like $smtp->domain (and $smtp->auth()) fail with the error
Can't call method "domain" on an undefined value at ./secretsanta.pl line 67.
What am I missing here? Thanks for any pointers.
EDIT: when I turn on SSL debugging (perl -MIO::Socket::SSL=debug4 secretsanta.pl) I get:
DEBUG: .../IO/Socket/SSL.pm:1769: Invalid default certificate authority locations
SSL error: 8606: 1 - error:2006D002:BIO routines:BIO_new_file:system lib
SSL error: 8606: 2 - error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
DEBUG: .../IO/Socket/SSL.pm:1774: Invalid default certificate authority locations error:0200100D:system library:fopen:Permission denied
DEBUG: .../IO/Socket/SSL.pm:529: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:531: socket connected
DEBUG: .../IO/Socket/SSL.pm:553: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:1769: SSL structure creation failed
DEBUG: .../IO/Socket/SSL.pm:1774: SSL structure creation failed error:140BA0C3:SSL routines:SSL_new:null ssl ctx
DEBUG: .../IO/Socket/SSL.pm:1758: IO::Socket::INET configuration failed
(I am using an SSL cert provided by my hosting company that doesn't match the DNS name of my mail server, but obviously something changed from last year to cause this not to work.)
Have you checked whether, by upgrading, you are affected by one of those bugs (first perhaps):
Cpan Bug reports
Seems to me that fits: new computer -> perhaps updated versions ->
bug with SMTP 2.35+ ( first in list ).
Perhaps you should simply use Net::SMTP itself?
I tried a few things. I installed Perl 5.18.2 (x86) for Windows and got past the empty SMTP-SSL connector, but was having problems resolving a '554 5.7.1 client host rejected' error. I ended up going back to the Mac, changing my password temporarily and using the insecure Net::SMTP to send the email, then changing password again. Obviously some bug, but I just needed this to be done with.
> IO::Socket::SSL: 2.002
Which is the newest version. If you run your script only once a year, a lot has changed in the meantime.
> DEBUG: .../IO/Socket/SSL.pm:1769: Invalid default certificate authority locations
> SSL error: 8606: 1 - error:2006D002:BIO routines:BIO_new_file:system lib
> SSL error: 8606: 2 - error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
Looks like it found a CA path, but has some problems using it. Could you please check what it found, that is
perl -MIO::Socket::SSL -MData::Dumper -e 'warn Dumper({ IO::Socket::SSL::default_ca() })'
If this returns a SSL_ca_path setting with a directory as value make sure that all files in this directory are actually readable by the program.
> (I am using an SSL cert provided by my hosting company that doesn't match the DNS name of my mail server, but obviously something changed from last year to cause this not to work.)
This will definitely give problems too, but only once the first problem got fixed. One of the changes in the last year was to enforce some kind of hostname checking by default, because modules using IO::Socket::SSL often forgot to set the proper verification schema for hostnames (Net::SMTP::SSL included).
If this hostname in the certificate differs from what you specify as the destination you need to explicitly use the SSL_verifycn_name setting to define the expected hostname.
BTW, for about a month now libnet (which provides the CORE modules Net::SMTP, Net::FTP, ...) has had support for SSL/TLS if IO::Socket::SSL is installed. This includes support for direct SSL and STARTTLS, so you don't need any special case modules like Net::SMTP::SSL (only direct SSL), Net::SMTP::TLS (only STARTTLS) or Net::SSLGlue::SMTP (monkey patches Net::SMTP to support both) any longer.

Login failed at Google Spreadsheet API with Net::Google::Spreadsheets

I'm trying to read out (later maybe even write) into a Google Spreadsheet with Net::Google::Spreadsheets.
The most boilerplate script dies with "Login failed" and no error:
use Net::Google::Spreadsheets;
my $service = Net::Google::Spreadsheets->new(
    username => 'myusername@googlemail.com',
    password => 'mypassword'
);
All I'm getting is
Net::Google::AuthSub login failed
Sadly, I don't know how one would diagnose or fix this issue. Anyone?
Thanks so much!
Maybe it is because of SSL certificate checking. You can skip the test with:
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
Though really you should set the certificate authorities correctly, as per the message returned by the Net::Google::AuthSub module:
Can't verify SSL peers without knowing which Certificate Authorities
to trust
This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE
envirionment variable or by installing the Mozilla::CA module.
To disable verification of SSL peers set the
PERL_LWP_SSL_VERIFY_HOSTNAME envirionment variable to 0. If you do
this you can't be sure that you communicate with the expected peer.

Missing URI Parameter Facebook connect

https://graph.facebook.com/oauth/access_token?client_id=[app-id]&redirect_uri=[url]&client_secret=[secret]&code=[code]
warning: peer certificate won't be verified in this SSL session
=> #<Net::HTTPBadRequest 400 Bad Request readbody=true>
irb(main):005:0> resp.body
=> "{\"error\":{\"type\":\"OAuthException\",\"message\":\"Missing redirect_uri parameter.\"}}"
Any idea what the matter is? I am including redirect_uri, after all.
Found the problem, very unusual though. Would be great if someone could expand on this.
When I made the call with Net::HTTP (ruby client), it didn't work, although when I used just "curl" things worked perfectly fine!