boinccmd RPC: "Authorization failure: -155"

Message boards : Questions and problems : boinccmd RPC: "Authorization failure: -155"
Message board moderation

To post messages, you must log in.

AuthorMessage
Dave Pickles

Send message
Joined: 7 Apr 22
Posts: 4
Canada
Message 107759 - Posted: 7 Apr 2022, 21:18:24 UTC

I am trying to set up some remote boinccmd scripts and am getting the "Authorization failure: -155" error.

This fails:
boinccmd --host TheRemoteHost --passdw 1234...cdef --client_version
however this works:
boincmgr /n TheRemoteHost /p 1234...cdef
and I can control the remote host with the resulting manager instance, which would indicate I have the RPC configuration and firewalls set up correctly.

The machine issuing the commands is Windows 10 Home.
The remote machine is Windows 7 Pro.
Both machines were upgraded to BOINC 7.16.20 today and neither is running as a service.

This also fails on Windows 8.1 and 10 Pro remote machines with older versions of BOINC.

Any thoughts? I looked through the forum, but the issues there all seem to be Linux related issues on the same host.
ID: 107759 · Report as offensive
Profile Keith Myers
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 17 Nov 16
Posts: 863
United States
Message 107761 - Posted: 7 Apr 2022, 23:14:13 UTC - in response to Message 107759.  

RPC calls have to go through boinccmd and use the rpc_auth.cfg password file. If the salted password or the custom password don't match, you get the error.
Also the file has to be able to be read with the correct permissions. Most likely the permissions don't match the user.
You can add yourself to the boinc user group.


ID: 107761 · Report as offensive
Dave Pickles

Send message
Joined: 7 Apr 22
Posts: 4
Canada
Message 107762 - Posted: 7 Apr 2022, 23:28:56 UTC - in response to Message 107761.  

Thanks Keith,

1. Are you saying the boinccmd command I issue from one machine goes to the boinccmd instance on the remote machine? If so, then I have a firewall issue.
2. Do you mean the gui_rpc_auth.cfg password file?
ID: 107762 · Report as offensive
Dave Pickles

Send message
Joined: 7 Apr 22
Posts: 4
Canada
Message 107763 - Posted: 8 Apr 2022, 0:24:11 UTC - in response to Message 107762.  

Well, I added boinccmd to the remote machine firewall, that didn't solve things. So I don't think point 1 is the issue.
ID: 107763 · Report as offensive
Richard Haselgrove
Volunteer tester
Help desk expert

Send message
Joined: 5 Oct 06
Posts: 5077
United Kingdom
Message 107765 - Posted: 8 Apr 2022, 5:56:35 UTC

I'd put it slightly differently.

The remote machine needs to have a gui_rpc_auth.cfg password set. The BOINC client (not boinccmd) will be listening for that password. If you change that password, or set one for the first time, you need to re-start the BOINC client before it starts listening for the new one.

If you want to send instructions from the local machine to the remote machine, you have to send the remote machine's password from the command line on the local machine. You can get general information from the remote machine without a password, but you must send a password to make any changes.
ID: 107765 · Report as offensive
Richard Haselgrove
Volunteer tester
Help desk expert

Send message
Joined: 5 Oct 06
Posts: 5077
United Kingdom
Message 107766 - Posted: 8 Apr 2022, 6:26:32 UTC - in response to Message 107759.  

This fails:
boinccmd --host TheRemoteHost --passdw 1234...cdef --client_version
Typo.

The boinccmd switch is
--passwd
Boinccmd tool
ID: 107766 · Report as offensive
Dave Pickles

Send message
Joined: 7 Apr 22
Posts: 4
Canada
Message 107770 - Posted: 8 Apr 2022, 12:56:28 UTC - in response to Message 107766.  

Well don't I feel stupid now. It was indeed the typo which was the problem all along.

Thanks Richard!
ID: 107770 · Report as offensive
Bryn Mawr
Help desk expert

Send message
Joined: 31 Dec 18
Posts: 284
United Kingdom
Message 107771 - Posted: 8 Apr 2022, 14:41:48 UTC

What would the command be to open the firewall to allow Boinc (and only Boinc) to communicate on port 31416?

Ubuntu 20.04 on the local client computer and Win10 on the remote manager.
ID: 107771 · Report as offensive
robsmith
Volunteer tester
Help desk expert

Send message
Joined: 25 May 09
Posts: 1283
United Kingdom
Message 107772 - Posted: 8 Apr 2022, 16:15:56 UTC - in response to Message 107771.  

To a large extent that's going to be a firewall configuration setting and is probably very dependant on the firewall(s) in question.

If it's only a standard Windows firewall then the settings are buried in the Windows Security / Firewall & Network set of screens, then find the "allow an application to..." type sub menu where you can add an application to the "white list".

Good luck.
ID: 107772 · Report as offensive
computezrmle

Send message
Joined: 2 Feb 22
Posts: 81
Germany
Message 107773 - Posted: 8 Apr 2022, 17:12:24 UTC - in response to Message 107771.  

It depends on the firewall software you use on Linux/Windows.

The generic rules would be
- on the Linux client running the BOINC cruncher

allow incoming TCP packets from any source LAN IPs/any port to dest port 31416
or (more restrictive)
allow incoming TCP packets from source [LAN IP Windows computer] any port to dest [LAN IP Linux computer] port 31416


- on the Windows computer running the remote controller (e.g. BOINC manager)

allow outgoing TCP packets from source [LAN IP Windows computer] any port to dest [LAN IP Linux computer] port 31416
ID: 107773 · Report as offensive
Bryn Mawr
Help desk expert

Send message
Joined: 31 Dec 18
Posts: 284
United Kingdom
Message 107776 - Posted: 8 Apr 2022, 23:43:28 UTC - in response to Message 107773.  

It depends on the firewall software you use on Linux/Windows.

The generic rules would be
- on the Linux client running the BOINC cruncher

allow incoming TCP packets from any source LAN IPs/any port to dest port 31416
or (more restrictive)
allow incoming TCP packets from source [LAN IP Windows computer] any port to dest [LAN IP Linux computer] port 31416


- on the Windows computer running the remote controller (e.g. BOINC manager)

allow outgoing TCP packets from source [LAN IP Windows computer] any port to dest [LAN IP Linux computer] port 31416


I’m assuming ufw on Ubuntu, what I’m not sure of is whether there is any option to restrict the traffic to Boinc or whether, once opened, the port is available to traffic from any program.
ID: 107776 · Report as offensive
computezrmle

Send message
Joined: 2 Feb 22
Posts: 81
Germany
Message 107780 - Posted: 9 Apr 2022, 6:53:14 UTC - in response to Message 107776.  

I’m assuming ufw on Ubuntu, what I’m not sure of is whether there is any option to restrict the traffic to Boinc or whether, once opened, the port is available to traffic from any program.

When BOINC client starts it's RPC listener requests a network socket (like 203.0.113.27:31416) from the Linux kernel.
If this succeeds (i.e. the socket was not already in use) BOINC exclusively binds to that socket.

A network packet arriving at any interface does not include the sender/destination process name (at that protocol level), just the port number.
The packet then goes through the kernel's network stack and ends in the input buffer of the process that is connected to the destination socket.

UFW can be seen as a frontend to control the ruleset of the kernel's network stack.


So, from the perspective of the BOINC client on the linux machine:
it keeps the socket exclusively allocated until it's own end of live.

From the perspective of the network stack:
it delivers all packets allowed by the active ruleset to the destination socket but it doesn't know if they have been sent by a valid source process.
It's the BOINC client's task to check whether the network packets contain expected/valid data.
ID: 107780 · Report as offensive
Bryn Mawr
Help desk expert

Send message
Joined: 31 Dec 18
Posts: 284
United Kingdom
Message 107781 - Posted: 9 Apr 2022, 7:12:17 UTC - in response to Message 107780.  

I’m assuming ufw on Ubuntu, what I’m not sure of is whether there is any option to restrict the traffic to Boinc or whether, once opened, the port is available to traffic from any program.

When BOINC client starts it's RPC listener requests a network socket (like 203.0.113.27:31416) from the Linux kernel.
If this succeeds (i.e. the socket was not already in use) BOINC exclusively binds to that socket.

A network packet arriving at any interface does not include the sender/destination process name (at that protocol level), just the port number.
The packet then goes through the kernel's network stack and ends in the input buffer of the process that is connected to the destination socket.

UFW can be seen as a frontend to control the ruleset of the kernel's network stack.


So, from the perspective of the BOINC client on the linux machine:
it keeps the socket exclusively allocated until it's own end of live.

From the perspective of the network stack:
it delivers all packets allowed by the active ruleset to the destination socket but it doesn't know if they have been sent by a valid source process.
It's the BOINC client's task to check whether the network packets contain expected/valid data.


Many thanks, that’s exactly what I needed.
ID: 107781 · Report as offensive
Bryn Mawr
Help desk expert

Send message
Joined: 31 Dec 18
Posts: 284
United Kingdom
Message 107804 - Posted: 11 Apr 2022, 13:44:42 UTC - in response to Message 107781.  

Sorry to be a pest here but I’m struggling.

I’ve updated ufw to allow in port 31416

I’ve then updated my router to have a firewall rule connecting port 31416 to the IP address of my Boinc machine. I also set up a port forwarding rule to do the same.

On the laptop I want to use remotely I’ve updated the firewall to allow port 31416.

However, the laptop still connects perfectly when connected to my home Wi-Fi but fails to connect when I try using my phone as a mobile hotspot.

Is there anything I’ve missed? Anything else I can try?
ID: 107804 · Report as offensive
computezrmle

Send message
Joined: 2 Feb 22
Posts: 81
Germany
Message 107806 - Posted: 11 Apr 2022, 14:00:47 UTC - in response to Message 107804.  

STOP!

When I wrote my previous post I just described the principle assuming every connection to be made inside you own LAN segment and protected by the firewall on the internet router.

What you describe looks like a connection across your internet router and you may have opened a security hole on your router's firewall.
This is a much more complex scenario and can't be discussed here, especially since so far nobody knows what routing/firewall functions your router offers and how the have to be configured.
ID: 107806 · Report as offensive
Bryn Mawr
Help desk expert

Send message
Joined: 31 Dec 18
Posts: 284
United Kingdom
Message 107811 - Posted: 11 Apr 2022, 14:53:28 UTC - in response to Message 107806.  
Last modified: 11 Apr 2022, 14:59:43 UTC

STOP!

When I wrote my previous post I just described the principle assuming every connection to be made inside you own LAN segment and protected by the firewall on the internet router.

What you describe looks like a connection across your internet router and you may have opened a security hole on your router's firewall.
This is a much more complex scenario and can't be discussed here, especially since so far nobody knows what routing/firewall functions your router offers and how the have to be configured.


OK, a more explicit statement of requirements :-)

I am happily using Boinc Manager from a windows 10 laptop and an iPad from within my own wi-if area to connect to and control my desktops in the garage.

However, I spend a few months each year overseas and cannot sort any problems that occur during this period.

Therefore, I would be interested in opening up access to the Boinc client from an instance of Boinc manager residing outside of my router.

I recognise that, if done incorrectly, this could be a security issue but it should be possible to open a route through the various firewalls specifically for Boinc that would not be usable by anything / anyone else.

My router is a Technicolor DWA0120 VBNT-2 at software version 18.3
ID: 107811 · Report as offensive
Bryn Mawr
Help desk expert

Send message
Joined: 31 Dec 18
Posts: 284
United Kingdom
Message 107910 - Posted: 21 Apr 2022, 7:01:15 UTC

Success!

I am now overseas with my laptop running TN-Grid and showing in one Boinc Manager screen whilst my desktop is showing in another Boinc Manager screen that gives me control in case of problems.

Thank you for the pointers.
ID: 107910 · Report as offensive
computezrmle

Send message
Joined: 2 Feb 22
Posts: 81
Germany
Message 107911 - Posted: 21 Apr 2022, 8:32:22 UTC - in response to Message 107910.  

Interesting that it works across the ocean.
This means the reply returns within the usual timeout.
:-)

Out of curiosity - would you mind posting the typical ping times between your laptop and the cruncher at home?
You should obfuscate the real IPs to avoid getting them swamped with unwanted packets.
ID: 107911 · Report as offensive
Bryn Mawr
Help desk expert

Send message
Joined: 31 Dec 18
Posts: 284
United Kingdom
Message 107918 - Posted: 21 Apr 2022, 18:36:04 UTC - in response to Message 107911.  

Interesting that it works across the ocean.
This means the reply returns within the usual timeout.
:-)

Out of curiosity - would you mind posting the typical ping times between your laptop and the cruncher at home?
You should obfuscate the real IPs to avoid getting them swamped with unwanted packets.


Min 87.988
Ave 98.280
Max 113.985
Mdev 7.101
ID: 107918 · Report as offensive

Message boards : Questions and problems : boinccmd RPC: "Authorization failure: -155"

Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.