Problem loggin in on CentOS 7

Hello everybody,

I have installed MineOS on a VPS i bought from OVH with CentOS 7.

I used the installer found at:

(wget friendly link)
https://gist.githubusercontent.com/hexparrot/8831fa43dcf12d3b0ab0/raw/cca4be3984d2e6428aadf7493ddc83caf24627bf/install_mineos-node

The problem is whenever I try to login using the webUI it doesn’t work, like i’m using the wrong password.

Steps I made:

useradd username
passwd username
(set password twice)

The logs doesnt write something useful:

mineos.log

[root@vps ~]# cat /var/log/mineos.log
{“level”:“info”,“message”:“Starting up server, using commit: 3a63e00 updated various npm module versions\n”,“timestamp”:“2017-05-23T22:35:46.655Z”}
{“level”:“info”,“message”:“Starting up server, using commit: 3a63e00 updated various npm module versions\n”,“timestamp”:“2017-05-23T22:37:35.320Z”}
{“level”:“info”,“message”:“Starting up server, using commit: 3a63e00 updated various npm module versions\n”,“timestamp”:“2017-05-23T22:41:06.819Z”}
{“level”:“info”,“message”:“Starting up server, using commit: 3a63e00 updated various npm module versions\n”,“timestamp”:“2017-05-23T22:43:34.595Z”}

Mineos.auth.log

[root@vps ~]# cat /var/log/mineos.auth.log
Wed May 24 2017 00:41:23 GMT+0200 (CEST) - failure from: myip user: custom
Wed May 24 2017 00:41:52 GMT+0200 (CEST) - failure from: myip user: minecraft
Wed May 24 2017 00:43:44 GMT+0200 (CEST) - failure from: myip user: minecraft

Obviously I can login with that user in SSH:

[minecraft@vps ~]$ whoami
minecraft
[minecraft@vps ~]$

[custom@vps ~]$ whoami
custom
[custom@vps ~]$

I tried to reset the webUI but it still doesn’t work.

The I modified the file webui.js:

.fail(function (err) {
  console.log('Unsuccessful login attempt for username:', username, password); <--HERE
  var logstring = new Date().toString() + ' - failure from: ' + req.connection.remoteAddress + ' user: ' + username + '\n';
  fs.appendFileSync('/var/log/mineos.auth.log', logstring);
  done(null);
});

to print the password, and it looks like the password i’m using is right. (run it using the ./webui.js command)

Do you have any suggestions?
Thanks a lot.

I just tried installing MineOS via the installer script and it failed spectacularly.

It turns out that the repo that was hosting these mirrored RPM files has gone defunct, and the rdiff-backup and rsync packages failed entirely to download install, causing my webui to not even startup.

In your installation with this script, did you check the output to make sure 100% of the package installation and module compiling worked out ok?

Of course, based on the mineos.auth.log, it tells me that it somehow advanced to the point where you were prompted to turn enter your creds, so I’m guessing then that you figured this out separately (and didn’t mention it here).

I’ve updated the scripts to reflect a 100% completely working install, so that should help future installs, but as for your authentication error…

I’ve seen this issue before arise with SELinux…I’ve been trying to locate the thread though, because SELinux and/or PAM authentication have both been issues that have arisen for CentOS systems only, but never with a good thread resolution to the point where I could add it to the installer script.

I can’t seem to reproduce the issue you’re having on my system:

[root@willvm2 minecraft]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

Let’s try the test suite. Change the following lines in /usr/games/minecraft/test/test-auth.js under test.authenticate_shadow (modifications only necessary at WEBUI_LOGIN_USER and PASSWORD)

  async.series([
    function(callback) {
      auth.authenticate_shadow('WEBUI_LOGIN_USER', 'PASSWORD', function(authed_user) {
        test.equal(authed_user, 'WEBUI_LOGIN_USER');
        callback(!authed_user);
      })
    },
    function(callback) {
      auth.authenticate_shadow('WEBUI_LOGIN_USER', 'notthepassword', function(authed_user) {
        test.equal(authed_user, false);
        callback(authed_user);
      })
    },

Then, run that test:

[root@willvm2 ~]# cd /usr/games/minecraft/test/
[root@willvm2 test]# npm install -g nodeunit
/usr/bin/nodeunit -> /usr/lib/node_modules/nodeunit/bin/nodeunit
nodeunit@0.11.0 /usr/lib/node_modules/nodeunit
......
[root@willvm2 test]# nodeunit -t authenticate_shadow test-auth.js

test-auth.js
✔ authenticate_shadow

OK: 6 assertions (669ms)

This might help rule out if nodejs is able to access the shadow password that Linux checks it’s username against.

Yes.
Sorry, I didn’t told you: I saw that rdiff and rsync packages were offline so I have installed them manually (searched the same version and replaced the link in the script).
That’s why I have successfully installed mineOS.

I can retry the install using the new modified script and let you know if it installs all correctly, that’s not a problem.

Now I cant do the install but I can tell you that SELinux is disabled:
(removed the #)

-bash-4.2# cat /etc/selinux/config

This file controls the state of SELinux on the system.
SELINUX= can take one of these three values:
enforcing - SELinux security policy is enforced.
permissive - SELinux prints warnings instead of enforcing.
disabled - No SELinux policy is loaded.
SELINUX=disabled
SELINUXTYPE= can take one of three two values:
targeted - Targeted processes are protected,
minimum - Modification of targeted policy. Only selected processes are protected.
mls - Multi Level Security protection.
SELINUXTYPE=targeted

I also have the same version of CentOS:

-bash-4.2# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

Maybe tonight I can try to reinstall and if it still doesn’t work try to replace the lines you told me.

I’ll update you as soon as possible.

Thanks a lot for your support.

No need; I’m glad you went through the steps to install those packages when they failed–I’m certain what you did should be sufficient, no need to reinstall on that basis.

But later if you are able to try out that test-auth.js issue, it would provide some good ideas for what to test next.

Ok, i tried.

I reinstalled everything, just in case
(Install log at: https://pastebin.com/RSKFEZ87)

I also modified the test-auth.js as you said.
(Modified test-auth.js at: test-auth.js - Pastebin.com)

When I run the command

nodeunit -t authenticate_shadow test-auth.js

The output is:

-bash-4.2# nodeunit -t authenticate_shadow test-auth.js

test-auth.js
authenticate_shadow

AssertionError: false == ‘WEBUI_LOGIN_USER’
at Object.equal (/usr/lib/node_modules/nodeunit/lib/types.js:83:39)
at /usr/games/minecraft/test/test-auth.js:11:14
at /usr/games/minecraft/auth.js:93:15
at posix (/usr/games/minecraft/auth.js:59:7)
at /usr/games/minecraft/auth.js:89:11
at /usr/games/minecraft/auth.js:27:13
at EventEmitter. (/usr/games/minecraft/node_modules/etc-passwd/index.js:72:16)
at emitNone (events.js:86:13)
at EventEmitter.emit (events.js:185:7)
at LineReadStream. (/usr/games/minecraft/node_modules/etc-passwd/index.js:47:19)
at emitNone (events.js:86:13)
at LineReadStream.emit (events.js:185:7)
at ReadStream. (/usr/games/minecraft/node_modules/lazylines/lazylines.js:41:14)
at emitNone (events.js:91:20)
at ReadStream.emit (events.js:185:7)
at endReadableNT (_stream_readable.js:974:12)

FAILURES: 1/1 assertions failed (182ms)

I’m really sorry but my knowledge of Linux/JS ends here, so I don’t know what that error means

Maybe OVH changed something on their VPS distribution of CentOS 7? Can this be possible?

Thanks a lot.

Well, there shouldn’t be an error here, ideally, because this is testing the authorization module–the module responsible for not letting you into the webui.

However, you should have replaced WEBUI_LOGIN_USER and PASSWORD with the actual webui user you’re trying to log in with, and the password for that user.

Really sorry for the long delay and for the big mistake.
I replaced “WEBUI_LOGIN_USER” and “PASSWORD” with the username and password but the problem still remains:

[root@vps test]# nodeunit -t authenticate_shadow test-auth.js

test-auth.js
authenticate_shadow

AssertionError: false == ‘minecraft’
at Object.equal (/usr/lib/node_modules/nodeunit/lib/types.js:83:39)
at /usr/games/minecraft/test/test-auth.js:11:14
at /usr/games/minecraft/auth.js:93:15
at posix (/usr/games/minecraft/auth.js:59:7)
at /usr/games/minecraft/auth.js:89:11
at /usr/games/minecraft/auth.js:25:13
at EventEmitter. (/usr/games/minecraft/node_modules/etc-passwd/index.js:60:20)
at emitOne (events.js:96:13)
at EventEmitter.emit (events.js:188:7)
at LineReadStream. (/usr/games/minecraft/node_modules/etc-passwd/index.js:42:21)
at emitOne (events.js:96:13)
at LineReadStream.emit (events.js:188:7)
at ReadStream. (/usr/games/minecraft/node_modules/lazylines/lazylines.js:29:26)
at emitOne (events.js:96:13)
at ReadStream.emit (events.js:188:7)
at readableAddChunk (_stream_readable.js:176:18)

FAILURES: 1/1 assertions failed (350ms)

Hello,

I am also using Centos 7, went through the same steps so far as nvezz and performed the above test with the same result.

Any other troubleshooting we should try here?

What steps are those, more precisely? The steps nvezz went through were unclear to me, and I just confirmed CentOS7 worked okay for my install.

If you’d prefer to send this to me in direct message, feel free to, but I’ll need to know what you tried exactly. For example, I just installed a fresh CentOS7, and then did the following commands (didn’t change any files):

# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
# adduser weak
# passwd weak   (set to 'password')
# adduser will
# groupadd sudo
# usermod will -a -G sudo
# cd /usr/games/minecraft
# nodeunit test/test-auth.js

test-auth.js
✔ authenticate_shadow
✔ test_membership
✔ verify_ids

You can try these exact steps as well, to test operation. (return the file to its original state by resetting the scripts)

Sorry for the lack of Clarity, I added the following to test-auth.js:

function(callback) {
auth.authenticate_shadow(‘WEBUI_LOGIN_USER’, ‘PASSWORD’, function(authed_user) {
test.equal(authed_user, ‘WEBUI_LOGIN_USER’);
callback(!authed_user);
})
},
function(callback) {
auth.authenticate_shadow(‘WEBUI_LOGIN_USER’, ‘notthepassword’, function(authed_user) {
test.equal(authed_user, false);
callback(authed_user);
})
},

Where the WEBUI_LOGIN_USER is a valid system user and PASSWORD is a valid password.

But I would rather perform your test for consistency. I just followed your steps in your last message with the following result:

[root@caesium minecraft]# nodeunit test/test-auth.js

test-auth.js
authenticate_shadow

AssertionError: false == ‘weak’
at Object.equal (/usr/lib/node_modules/nodeunit/lib/types.js:83:39)
at /usr/games/minecraft/test/test-auth.js:11:14
at /usr/games/minecraft/auth.js:93:15
at posix (/usr/games/minecraft/auth.js:59:7)
at /usr/games/minecraft/auth.js:89:11
at /usr/games/minecraft/auth.js:25:13
at EventEmitter. (/usr/games/minecraft/node_modules/etc-passwd/index.js:60:20)
at emitOne (events.js:77:13)
at EventEmitter.emit (events.js:169:7)
at LineReadStream. (/usr/games/minecraft/node_modules/etc-passwd/index.js:42:21)
at emitOne (events.js:77:13)
at LineReadStream.emit (events.js:169:7)
at ReadStream. (/usr/games/minecraft/node_modules/lazylines/lazylines.js:29:26)
at emitOne (events.js:77:13)
at ReadStream.emit (events.js:169:7)
at readableAddChunk (_stream_readable.js:153:18)

test_membership
verify_ids

FAILURES: 1/11 assertions failed (365ms)

I am quite a node novice so I have no clue why it would fail on this host. This was a clean installation when I installed mineos so not sure what testing I can do. Is there a way to get some more verbose logging from the webui logging? All I see is: failure from: 10.1.0.22 user: mc

Download this pastebin to your scripts directory (/usr/games/minecraft), giving it a name of whatever, like password_test.js (doesn’t really matter). We put it here so it can use the already-downloaded node.js modules.

https://pastebin.com/EaTLwkmv

Update the username and password to known-working combinations and then run it.

This is a minimal, self-contained snippet of code. It will cycle through the 3 available authentication methods MineOS uses. It doesn’t actually interact with MineOS in any way, so it should be able to tell us more swiftly what the issue is.

Keep in mind, I fully expect it to return 3 failures here–the only difference is that you won’t have to log into the webui to find it out.

Here’s an example of what it might output:

testing etc_shadow
expected value: mc
returned value: mc
testing posix
expected value: mc
returned value: true
testing pam
expected value: mc
returned value: true

The thing is: CentOS is often more locked-down than other distros, so it could be something like SELinux causing trouble, or PAM is more locked down, or …I don’t even know.

But the thing is, we have to systematically change Linux itself, then run this, until we get a working result. If, for example, PAM was not installed, disabled, or otherwise locked down, turning it on might make this program return a positive result. At that exact moment, we’d expect MineOS to work as well.

Of course, we could also expect test-auth.js to suddenly work when one of the components work, but this at least gives us individual feedback about which one (or ones) could be used based on your changes.

Ok interesting result. I set the ‘mc’ user’s password to ‘password’ like your pastebin had and I got the same result as your example:

[root@caesium minecraft]# node password_test.js
testing etc_shadow
expected value: mc
returned value: false

testing posix
expected value: mc
returned value: true

testing pam
expected value: mc
returned value: true

Still results in a failure from the webui when I test there.

Sun Mar 18 2018 19:57:54 GMT+0000 (UTC) - failure from: 10.1.0.22 user: mc

Selinux is disabled:
[root@caesium minecraft]# getenforce
Disabled

Just bizarre that it is not working on my clean install but works on yours. I have been using the docker image for the time being but I would love to figure this out.

I don’t use CentOS much, but it shouldn’t be too different from the nix-es I use regularly. That said, CentOS is the only one that reallllllly drills down on security, so it could be something other than SElinux that is stopping it. I don’t have any ideas, but the purpose of password_test.js was so that you could (on this new, mostly unused system), kinda trash it, and remove any and all possible stops regarding PAM, shadow passwords, and …whatever else is out there.

At some point, auth will go through. You take note of the last thing you tried, you nuke your install, re-install, and apply the one change necessary to let auth succeed and you’re good to go.