Thursday, 2010-12-16

« Wednesday, 2010-12-15 Index Friday, 2010-12-17 »
*** peter___ (3a6cbcf9@gateway/web/freenode/ip.58.108.188.249) has joined #wikid04:33
peter___hi04:33
*** peter___ has quit (Client Quit)04:36
*** nowen (~nowen@adsl-176-210-205.asm.bellsouth.net) has joined #wikid13:39
*** gvidals (18f9cf04@gateway/web/freenode/ip.24.249.207.4) has joined #wikid15:28
gvidalsowen, i'm stuck on the ssh authentication using wikid.15:28
nowengvidals: which part?  pam-radius?15:29
gvidalsusing PAM-RADIUS and i'm trying to authenticate gvidals@216.240.181.2915:29
gvidalsis the user "gvidals" suppose to be the same user as what is in the users section of wikid?15:30
nowenyes15:30
nowencheck out your /var/log/secure for errors15:30
nowenon the ssh box15:30
nowenalso, WiKIDAdmin logs15:30
nowenalso, gvidals will have to be a user on the ssh box15:30
gvidalsi thought i had success here: <181> Access-Accept(2) LEN=110 216.240.181.29:28709 Access-Request by gvandroid succeeded15:33
gvidalsbut i couldn't log in. this log entry seems to indicate that the PAM-RADIUS portion is set up properly.15:33
nowenyeah.  it's probably that you're not a user on the box.  run15:33
nowen'useradd gvidalis'15:33
gvidalsa user on the Ubuntu ssh box.15:34
nowenyes15:34
gvidalsi'm looking at the /var/log/auth.log on the ubuntu ssh server and I see "pam_radius_auth: packet from RADIUS server 127.0.0.1 fails verification: the shared secret is probably incorrect".15:47
gvidalsi thought PAM would try the next server in the list which is the wikid server....15:48
nowenis there a radius listener on 127?15:48
nowenif the first server rejects, it stops15:48
nowenif the first server fails to answer, it goes to the next15:48
gvidalsi installed by using apt-get pam-radius... and it probably is listening on 127.0.0.1... checking now...15:51
nowenno, pam-radius won't listen15:51
gvidalsi see that this line is before the wikid server in /etc/pam_radius_auth.conf: 127.0.0.1       secret             115:58
gvidalsi will comment that line out and test.15:58
gvidalscommenting out that line did the trick!16:01
gvidalsyou're the man. tks.16:01
nowenhuh16:01
nowenthat's weird.  must be something on the ubuntu side, because redhat is ok with it16:02
gvidalsyou are probably right.16:03
gvidalsi changed "auth sufficient /lib/security/pam_radius_auth.so" to "required"  and I cannot log in (i left the 127.0.0.1 commented out for now).16:04
gvidalstesting again with sufficient to ensure i can get in that way.16:04
nowenit's good to test with 2 ssh tunnels - so you don't get locked out ;)16:05
gvidalsis it reasonable to request the software token from my android Wikid's client and then use that for the ubuntu ssh password?16:21
nowensure16:21
gvidalsthat's what i thought, just checking....16:21
gvidalsstill no success. i thought i was able to log in with "sufficient", but not good.16:21
gvidals<114> Access-Request(1) LEN=110 216.240.181.29:13444 Access-Request by gvidals Failed: AccessRejectException: Access Denied16:22
gvidalsand on auth.log on the ubuntu ssh machine i see "Failed password for gvidals".16:22
nowenuser enabled?16:23
gvidalspam_radius_auth: DEBUG: getservbyname(radius, udp) returned -1469523808. Dec 16 08:19:15 gw sshd[12419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wsip-24-249-207-4.sd.sd.cox.net  user=gvidals Dec 16 08:19:16 gw sshd[12419]: Failed password for gvidals from 24.249.207.4 port 58324 ssh216:23
gvidalsyes, the user exists. i can log in with that user if I change the required to "sufficient" in /etc/pam.d/sshd16:24
gvidalsi mean i can log in with gvidals using "sufficient" and typing in my regular password16:24
nowenwhat else do you have in pam.d/sshd?16:24
gvidalsif i try the token, it fails.16:24
nowendo you have a line pointing to pam-radius?16:25
gvidalsauth       required     pam_env.so # [1] # In Debian 4.0 (etch), locale-related environment variables were moved to # /etc/default/locale, so read that as well. auth       required     pam_env.so envfile=/etc/default/locale  # Standard Un*x authentication. @include common-auth  # Disallow non-root logins when /etc/nologin exists. account    required     pam_nologin.so  # Uncomment and edit /etc/security/access.conf if you need to set c16:26
gvidalsthe word "radius" does not appear anywhere in pam.d/sshd16:27
nowenthere should be a line 'auth  sufficient /lib/security/pam_radius_auth.so'16:32
gvidalsi emailed you my pam.d/sshd16:32
nowenassuming that is where you pam radius so is16:32
nowenjust add that line below the system auth line16:33
gvidalsok. got it.16:34
gvidals<92> Access-Request(1) LEN=110 216.240.181.29:13672 Access-Request by gvidals Failed: AccessRejectException: Access Denied16:46
gvidalsdoes this log entry indicate that at least i got past the radius server/client exchanging the shared secret?16:46
nowenI think so.  Set you radius logging to debug and you will see more data16:46
gvidalson the wikid server logs area you mean?16:48
nowenyes16:48
nowenhttp://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-set-radius-logging-to-debug-how-can-i-see-if-wikid-is-getting-the-radius-requests/?searchterm=radius%20debug16:48
gvidalsok i'll turn on debugging in the logs and take a look.16:52
gvidalsarghh :-/ "gvidals" was disabled17:03
gvidalsit woud be helpful to see that kind of event in the logs so the admin could re-enable.17:03
gvidalsit is working now. thanks for the help once again.17:03
nowencool17:26
*** remix_tj has quit (Quit: http://quassel-irc.org - Chat comfortably. Anywhere.)17:48
*** remix_tj (~remix_tj@ip6.server.remixtj.net) has joined #wikid17:49
*** cmatthews (d8ed3803@gateway/web/freenode/ip.216.237.56.3) has joined #wikid19:22
cmatthewsNick .. On the freenx server I changed the shared password for the raddb server.. Do I need to do anything to get that to take affect?19:23
nowenso, is it the same as on the network client on the WIKID server?19:23
nowenif you changed it on the WiKID server, you need to restart wikid19:24
nowenno restart on the freenx box19:24
cmatthewsOkay I'll give that a go ty19:24
cmatthewsbleh... eventually need to figure out why so far it's been 8 minutes since "wikidctl restart" but the radius daemon hasn't hit yet....19:33
cmatthewsjust started..19:34
gvidalsowen is there a way to change the number of failed attempts before the wikid server disables a user?19:35
nowenyes, on the domain page19:36
gvidalsok i'll look there.19:36
nowenit happens during testing, but really, not so much in production19:36
nowencmatthews: thats a but19:37
nowenbug19:37
nowenwe know about it, but we use an upstream provider for the radius interface19:37
cmatthewscool ty.. no big deal so long as it eventually does come up19:38
cmatthewsand it does19:38
nowenit's looking for an snmp listener.  since it's not there, it takes awhile to fail19:38
cmatthewshmmm... back to getting access denied resulting from wikid....19:41
cmatthewsCheck returned false.19:41
nowencmatthews: user still enabled?19:42
cmatthewsYou know it is.. but something wierd their.19:42
nowenset the com.wikidsystems.server.wAuth and com.wikidsystems loggers to debug and try again19:44
*** cmatthews has quit (Ping timeout: 265 seconds)19:47
gvidalsi must be missing something.... i'm about to send Lipso their domain code so they can test their login.20:02
gvidalshowever, the thought occured to me that any user on the internet can download the WiKID client and register a domain on a WiKID client.20:03
nowenon the phone - brb20:03
gvidalsso instead of guessting a password, they have to guess a username to gain access to a network device.20:03
gvidalsa user needs to know the following to access a server: a) wikid server (domain) code, target machine IP and username.20:05
gvidalsoh yea. I forgot that I have to authorize the new user as the WiKID admin :-)20:07
nowenthere ya go ;)20:07
nowenor they need to self-register based on some existing trusted creds20:12
*** JackH (4013e42d@gateway/web/freenode/ip.64.19.228.45) has joined #wikid20:14
JackHAnyone around?20:14
nowenyes20:14
nowenjust got your email20:15
JackHOh sweet20:15
JackHSorry for pestering so much20:15
nowennp20:15
nowengood to know20:16
JackHYea strangest thing20:16
JackHeverything works fine until I close out then bam no more domains20:17
nowenwhich os version is this?20:17
JackHFroyo 2.220:18
JackHIs there a file like there is in desktop version that holds the domain information?20:23
nowenJackH: can you try to add this domain:  88888888888?20:26
JackH3vpMGhgL20:29
nowennow, back out of the program using the return button?20:29
JackHThat worked20:31
JackHI still have that domain20:31
nowenhmm20:32
nowentry adding your corp domain20:33
JackHregistered20:34
nowenso, this might have to be the work-around until we get it reworked20:35
JackHNow my corp domain stayed20:36
nowenJackH: ok - well, we'll work on an update, it might be a bit though21:02
JackHno worries, idont work remotely that often21:02
JackHthanks for the help21:03
nowenit's all working now?21:03
JackHFor now yes21:03
JackHit saved the domain21:03
nowendon't forget to validate it soon.  the regcodes are not valid forever21:04
JackHyea i sent it to the admins21:04
*** JackH has quit (Ping timeout: 265 seconds)21:38
*** gvidals has quit (*.net *.split)21:57
*** remix_tj has quit (*.net *.split)21:57
*** remix_tj (~remix_tj@ip6.server.remixtj.net) has joined #wikid21:57
*** gvidals (18f9cf04@gateway/web/freenode/ip.24.249.207.4) has joined #wikid21:57
*** nowen has parted #wikid (None)23:16
« Wednesday, 2010-12-15 Index Friday, 2010-12-17 »

Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!