Zimbra

gmsmith · #1 (**permalink**) 08-13-2006, 01:01 PM

I have been working with someone who wants to demo 3.2M2 on their infrastructure. All is working except the Mail Queue monitor. It is failing at public key authentication. I re-ran the keygen and keyupdate (then restarted tomcat), no go. ssh is running on 22, RSA Authentication is specifically enabled in sshd_conf. Any thoughts?

I get the following error from the admin web console when I try to access the mail queue:

Code:

Message:  system failure: exception during auth {RemoteManager: (removed real name)->zimbra@hostname (removed real name):22}
com.zimbra.cs.service.ServiceException: system failure: exception during auth {RemoteManager: hostname (removed real name)->hostname (removed real name):22}
        at com.zimbra.cs.service.ServiceException.FAILURE(ServiceException.java:174)
        at com.zimbra.cs.rmgmt.RemoteManager.getSession(RemoteManager.java:193)
        at com.zimbra.cs.rmgmt.RemoteManager.execute(RemoteManager.java:130)
        at com.zimbra.cs.service.admin.GetMailQueueInfo.handle(GetMailQueueInfo.java:56)
        at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:261)
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:162)
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:84)
        at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:223)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
        at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:159)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:667)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)
Caused by: java.io.IOException: Publickey authentication failed.
        at ch.ethz.ssh2.auth.AuthenticationManager.authenticatePublicKey(AuthenticationManager.java:259)
        at ch.ethz.ssh2.Connection.authenticateWithPublicKey(Connection.java:371)
        at ch.ethz.ssh2.Connection.authenticateWithPublicKey(Connection.java:422)
        at com.zimbra.cs.rmgmt.RemoteManager.getSession(RemoteManager.java:185)
        ... 24 more
Caused by: java.io.IOException: The connection is closed.
        at ch.ethz.ssh2.auth.AuthenticationManager.deQueue(AuthenticationManager.java:77)
        at ch.ethz.ssh2.auth.AuthenticationManager.getNextMessage(AuthenticationManager.java:99)
        at ch.ethz.ssh2.auth.AuthenticationManager.authenticatePublicKey(AuthenticationManager.java:234)
        ... 27 more
Caused by: java.io.IOException: Cannot read full block, EOF reached.
        at ch.ethz.ssh2.crypto.cipher.CipherInputStream.getBlock(CipherInputStream.java:81)
        at ch.ethz.ssh2.crypto.cipher.CipherInputStream.read(CipherInputStream.java:108)
        at ch.ethz.ssh2.transport.TransportConnection.receiveMessage(TransportConnection.java:231)
        at ch.ethz.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:520)
        at ch.ethz.ssh2.transport.TransportManager$1.run(TransportManager.java:315)
        ... 1 more

Error code:  service.FAILURE
Method:  ZmCsfeCommand.prototype.invoke
Details:soap:Receiver

KevinH · #2 (**permalink**) 08-14-2006, 01:36 PM

Did you try to ssh manually with the generated keys?

gmsmith · #3 (**permalink**) 08-14-2006, 01:38 PM

Quote:

Originally Posted by KevinH

Did you try to ssh manually with the generated keys?

I did, it just prompts for a password, it doesn't like the keys for whatever reason. I then try to regenerate the keys as zimbra but it is viscious cycle. Have I mentioned I hate SuSE? It is different enough from RHEL to be frustrating.

marcmac · #4 (**permalink**) 08-14-2006, 04:20 PM

you might try
zmsshkeygen rsa
to force it to generate rsa keys. I know centos requires this.

Also, verify that the sshd_config allows logins with keys.

gmsmith · #5 (**permalink**) 08-14-2006, 04:31 PM

Quote:

Originally Posted by marcmac

you might try
zmsshkeygen rsa
to force it to generate rsa keys. I know centos requires this.

Also, verify that the sshd_config allows logins with keys.

No go...same error.

keys are specifically allowed in sshd_config.

gmsmith · #6 (**permalink**) 08-15-2006, 05:41 AM

Quote:

Originally Posted by gmsmith

No go...same error.

keys are specifically allowed in sshd_config.

Curious twist of fate, now a dev box we have (was running OS X PPC - 3.2m2, now running 4.0RC1) exhibits the same behavior after the 4.0RC1 upgrade. I won't have a chance to go back and play with it today maybe late tonight. I tried generating new keys, updating them, and restarting tomcat without success.

When I come back to it, I will blow away Zimbra and re-install.

bobby · #7 (**permalink**) 08-23-2006, 06:05 PM

make sure the permissions are ok on /opt/zimbra/.ssh/ and its contents: nothing group writable, and authorized_keys should only be read/write for the owner

gmsmith · #8 (**permalink**) 08-23-2006, 06:18 PM

Quote:

Originally Posted by bobby

make sure the permissions are ok on /opt/zimbra/.ssh/ and its contents: nothing group writable, and authorized_keys should only be read/write for the owner

Here is what they are:

drwx------ 2 zimbra zimbra 152 Aug 18 18:49 .ssh

drwx------ 2 zimbra zimbra 152 Aug 18 18:49 .
drwxr-xr-x 41 root root 1752 Aug 18 18:47 ..
-rw-r--r-- 1 zimbra zimbra 645 Aug 18 18:49 authorized_keys
-rw------- 1 zimbra zimbra 668 Aug 18 18:49 zimbra_identity
-rw-r--r-- 1 zimbra zimbra 608 Aug 18 18:49 zimbra_identity.pub

Should be fine, yes?

I should mention the OS X issue was probably just from a beaten up dev install, it is working fine now. But the SuSE install is not working, even with wiping and starting fresh with 4.0RC1

bobby · #9 (**permalink**) 08-27-2006, 11:51 AM

try chmod 600 authorized_keys

gmsmith · #10 (**permalink**) 08-28-2006, 04:51 AM

Quote:

Originally Posted by bobby

try chmod 600 authorized_keys

Sorry, no go.

Zimbra

Downloads

Product Information

Toolbox

Why Join?