Thursday, 2011-04-28

15:47 *** nowen has quit (Quit: Leaving.)
16:25 *** nowen (~nowen@adsl-66-164-120.asm.bellsouth.net) has joined #wikid
17:03 *** myndwire|WFH (myndwire@208.40.196.99) has joined #wikid
17:20 <myndwire|WFH> ello
17:20 <myndwire|WFH> nowen: hey there... it's adam from the emails this morning. so i've got to use freeradius for this, right?
17:21 <nowen> hi myndwire|WFH
17:21 <nowen> no - you don't have to
17:21 <nowen> you can have the client talk directly to wikid, if you like
17:21 <myndwire|WFH> ahh, the nomachine client, right?
17:22 <myndwire|WFH> from what i've read it appears freenx is the piece that does that
17:22 <nowen> well, no I mean the freenx server - it would be a radius client to the WiKID server
17:22 <nowen> yes - that's right so you set freenx through pam to talk to wikid
17:23 <myndwire|WFH> ya that's what i was shooting for, so wikid's radius plugin acts as the radius server and freenx just connects as a client
17:23 <nowen> exactly
17:23 <myndwire|WFH> the only place i get stuck is adding the pam_radius_auth.so module to the sshd config for pam
17:24 <myndwire|WFH> the file doesn't exist, i figured it'd be part of freenx
17:24 <myndwire|WFH> sorry for being a pain, i'm quite close to fully understanding all of this though
17:25 <nowen> ahh - no, you have to install pam-radius separately
17:25 <myndwire|WFH> a-ha, i gotcha
17:25 <nowen> http://freeradius.org/pam_radius_auth/
17:25 <nowen> not all of freeradius, tho, just that
17:26 <myndwire|WFH> NOW i see, it's only a small portion, and isn't in the yum repository
17:26 <nowen> and this might help too http://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to/?searchterm=pam%20radius
17:27 <myndwire|WFH> oh perfect, thanks
17:28 <nowen> you will need to install pam-devel
17:28 <myndwire|WFH> just noticed that one hehe
17:28 <myndwire|WFH> had to grab gcc too
17:29 <myndwire|WFH> oo i think it built..
17:30 <myndwire|WFH> -rwxr-xr-x 1 root root 26498 Apr 28 13:28 pam_radius_auth.so
17:30 <myndwire|WFH> nice... some make errors but it still built.
17:30 <nowen> hmm, what were the errors?
17:30 <myndwire|WFH> pam_radius_auth.c: In function 'talk_radius':
17:30 <myndwire|WFH> pam_radius_auth.c:886: warning: pointer targets in passing argument 6 of 'recvfrom' differ in signedness
17:30 <myndwire|WFH> pam_radius_auth.c: In function 'pam_sm_authenticate':
17:30 <myndwire|WFH> pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
17:30 <myndwire|WFH> cc -Wall -fPIC   -c -o md5.o md5.c
17:30 <myndwire|WFH> ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
17:30 <myndwire|WFH> then it built
17:31 <nowen> ok - well, just warnings, so I guess that is ok
17:31 <myndwire|WFH> yeah that's what i'm thinking
17:33 <myndwire|WFH> the line they mention 2nd in the howtoforge doc mentions pam_stack.so... although that line isn't part of my /etc/pam.d/sshd
17:34 <myndwire|WFH> are they saying to *add* that line as well? it's tough to interpret
17:34 <myndwire|WFH> i added my line for the pam_radius_auth module
17:34 <myndwire|WFH> then it mentions /etc/raddb/server which i don't have.. isn't that part of freeradius?
17:34 <nowen> I think pam_stack is deprecated
17:34 <myndwire|WFH> ah ok, i was thinking that may just be older stuff
17:35 <nowen> for /etc/raddb/server use http://freeradius.org/pam_radius_auth/pam_radius_auth.conf
17:35 <nowen> rename to server
17:35 <myndwire|WFH> oh right, i saw that mentioned
17:36 <myndwire|WFH> i guess just toss it into /etc
17:36 <myndwire|WFH> since i don't have a /etc/raddb/
17:36 <nowen> no - make the raddb dir
17:36 <nowen> at least, that is what I have done
17:37 <myndwire|WFH> that works for me, yeah
17:37 <myndwire|WFH> 127.0.0.1       secret             1
17:37 <myndwire|WFH> 10.2.21.50      shared_secret      1
17:37 <nowen> yes, that should be it
17:38 <myndwire|WFH> i'm guessing i *literally* change 'routeableIPaddress' to the actual address
17:38 <nowen> .50 is your wikid server?
17:38 <myndwire|WFH> yessir
17:38 <myndwire|WFH> wikid and this all run on the same box
17:38 <myndwire|WFH> and all communications will be on 10.x space anyway
17:40 <nowen> myndwire|WFH: I have yet to root my android
17:41 <myndwire|WFH> oh yeah? noticed the channels i live in hehe
17:41 <myndwire|WFH> what device do you have?
17:41 <nowen> you mentioned it in the emails. moto cliq
17:41 <nowen> running 2.1 now
17:41 <nowen> do you still need the sdk to root?
17:42 <myndwire|WFH> oh that's right.. yeah, most moto devices sort of got left in the dust with their crazy bootloader locks. you don't need the sdk to actually *root* the device, but you'll need it to do anything commandline. it's just like having a local terminal / ssh session
17:42 <myndwire|WFH> mainly you grab the sdk for the platform tools... adb mainly
17:43 <myndwire|WFH> i wonder how verbose the cliq is... i'll have to look. i actually have the opportunity to pick up a verizon samsung fascinate for 70 bucks, so i think i'm going for it just to play with
17:43 <myndwire|WFH> now, i've got two evo's and the viewsonic g tablet, all running cyanogenmod 7
17:43 <nowen> wow
17:44 <myndwire|WFH> all open source android, i love it. a good friend of mine is actually the head of the project
17:44 <nowen> we need to re-write our android token
17:44 <nowen> the ui is screwy
17:44 <myndwire|WFH> and i'm also part of 'teamwin'.. basically we created hdmi mirroring, wimax (4g) for htc devices, and now a few apps, like kernel manager.
17:45 <nowen> sweet
17:45 <myndwire|WFH> yeah, i was messing with the token app for android yesterday, but mainly have been playing with the regular windows one
17:45 <myndwire|WFH> it'll be nice to have that ability, especially when this first step of the vnc stuff is working as a proof of concept.. then i can start creating all sorts of two-factor requirements for the IT staff.
17:46 <myndwire|WFH> i'd love to essentially have this in place for *everything*, or at least all PCI stuff
17:46 <nowen> yes, it's a must have for pci
17:46 <myndwire|WFH> primarily the whole vnc thing is for POS machines, forcing 2-factor for remote admin by our team.
17:46 <myndwire|WFH> definitely going to be nice
17:47 <nowen> I'm a big fan of freenx/nomachine
17:47 <myndwire|WFH> from all of this stuff i've read, it sounds absolutely perfect for getting 2-factor into just about everything
17:49 <myndwire|WFH> i was revisiting the stuff from the 'using freenx to secure terminal svcs/vnc with two-factor' doc, and i'm looking at the 'patch' mentioned, as well as the node.conf stuff... anything different with those?
17:49 <myndwire|WFH> i can see right away there's an existing node.conf already, with tons of commented content
17:50 <nowen> the patch is no longer needed, IIRC
17:51 <myndwire|WFH> oh nice, ok. i'm still adding FORCE_LOGIN_METHOD=SSH to node.conf though
17:52 <nowen> yeah
17:52 <myndwire|WFH> got it. i left the rest of the file stock, it appears 95% of it is commented out anyway.
17:54 <myndwire|WFH> grabbing nxclient for windows, although i'm sure there's more i need to do before it works ;)
17:55 <nowen> see how it breaks! I say!
17:55 <myndwire|WFH> hehe yeah exactly :)
17:55 <myndwire|WFH> i just sort of enabled the radius module in wikid, so that's 'on'.. but i forget if any config was required beyond what i did.
18:00 <myndwire|WFH> odd.. couldn't obtain config info for the domain i created..
18:00 <nowen> for the radius network clients, you need to run wikidctl restart to get it cached and the fw open
18:00 <myndwire|WFH> oh right
18:01 <nowen> typically, that is a networking issue
18:01 <myndwire|WFH> yeah, i forget, doesn't the client look at the 12-digit number first, then turn it into an ip
18:01 <myndwire|WFH> or isn't it supposed to communicate directly w/ the wikid box, and then it's supposed to understand the 12-digit number and in return communicate with the domain i created
18:02 <nowen> it turns it into an IP or into a wikidsystems.net address
18:02 <myndwire|WFH> oh right, i was going to say, maybe i shouldn't have changed my jw.properties
18:02 <myndwire|WFH> b/c my 'domain suffix' is just set to rmu.edu right now.. that won't help one bit
18:03 <nowen> if you're using an IP, you can set it to use an IP first
18:03 <myndwire|WFH> yeah, i've got useIpBeforeDns=true on
18:03 <myndwire|WFH> maybe the issue is that the 12-digit number i have for that domain is the IP address of that individual server running the vnc client
18:04 <myndwire|WFH> it should be the wikid server's ip huh
18:04 <nowen> yeah
18:04 <myndwire|WFH> that or localhost, since it's going to use that as transit to nomachine
18:04 <myndwire|WFH> cool
18:10 <myndwire|WFH> ahh ok... re-created my domain properly
18:11 <myndwire|WFH> but creating the network client is sort of confusing... i'm adding the ip of the local machine basically since nomachine runs on this box, protocol is radius, but it wants me to enter a shared secret
18:11 <nowen> yes, we assume that it is on a different box. use the actual ip.
18:11 <myndwire|WFH> i guess just pick one
18:11 <myndwire|WFH> a random shared secret
18:12 <nowen> the radius listener is on 127.0.0.1
18:12 <myndwire|WFH> ah right, i wonder if i have to make it use localhost
18:12 <myndwire|WFH> that or make it run on the actual ip
18:12 <nowen> just use the .50 address for the network client
18:12 <myndwire|WFH> k
18:12 <myndwire|WFH> and just make up a shared secret
18:13 <nowen> yes, and put the same secret in /etc/raddb/server
18:16 <myndwire|WFH> the actual secret into /etc/raddb/server ?
18:17 <nowen> yes, 10.2.21.50      shared_secret      1
18:17 <nowen> shared_secret should be the same in both place
18:17 <myndwire|WFH> oh duh, so swap out shared_secret for my actual secret
18:17 <nowen> s
18:17 <nowen> yep
18:17 <myndwire|WFH> haha, oops. i thought that was an auth type
18:18 <myndwire|WFH> should that line live before 127.0.0.1's entry?
18:18 <nowen> I don't think so.
18:18 <myndwire|WFH> didn't think so, but wasn't sure since it's on the same box
18:18 <nowen> could be.
18:18 <nowen> but I say leave it and test first
18:19 <myndwire|WFH> ya let's see how this goes. going to fire up the client and try this out
18:19 <nowen> also, you can test it via ssh
18:19 <myndwire|WFH> well, not the client, the token client
18:19 <myndwire|WFH> oh yea?
18:19 <nowen> yes, assuming you are using ssh for nx auth
18:19 <nowen> it's the same config
18:20 <nowen> one issue is that you will not be able to login remotely via ssh if the wikid server is down
18:20 <myndwire|WFH> registration successful
18:20 <myndwire|WFH> on the token client
18:20 <myndwire|WFH> i guess add a user now
18:20 <myndwire|WFH> oh right, yeah
18:20 <myndwire|WFH> that's fine, this machine lives on a vmware farm
18:21 <myndwire|WFH> sweet, i'm registered
18:22 <myndwire|WFH> now i'll setup the client
18:22 <nowen> there you go
18:22 <myndwire|WFH> even though i need my username actually added to the vnc permissions on that box before it will actually work :)
18:28 <myndwire|WFH> NX> 203 NXSSH running with pid: 5204
18:28 <myndwire|WFH> NX> 285 Enabling check on switch command
18:28 <myndwire|WFH> NX> 285 Enabling skip of SSH config files
18:28 <myndwire|WFH> NX> 285 Setting the preferred NX options
18:28 <myndwire|WFH> NX> 200 Connected to address: 10.2.21.50 on port: 22
18:28 <myndwire|WFH> NX> 202 Authenticating user: nx
18:28 <myndwire|WFH> NX> 208 Using auth method: publickey
18:28 <myndwire|WFH> NX> 204 Authentication failed.
18:28 <myndwire|WFH> hmm
18:30 <myndwire|WFH> i'm an idiot, i didn't restart stuff
18:31 <myndwire|WFH> let me do that before i make myself look dumber :)
18:31 <nowen> hmm - i think you need to update the key in the client with the one on the server
18:32 <nowen> but I can't remember how to do it
18:32 <myndwire|WFH> doesn't it pull it automatically when you add the domain?
18:32 <myndwire|WFH> er you mean the nxclient
18:32 <myndwire|WFH> oops
18:32 <myndwire|WFH> too many clients/certs/etc hehe
18:32 <nowen> yeah - nxclient
18:32 <nowen> haha - yes, a lot of moving parts ;)
18:33 <myndwire|WFH> absolutely, but when it works and is done we're good :)
18:33 <myndwire|WFH> good luck to the next guy without having my giant notepad doc full of this stuff though hehe
18:34 <myndwire|WFH> yeah, same thing. i'll see if i can figure that part out with the client
18:35 <myndwire|WFH> there's a 'key' button. i hit it, it shows me a dsa key
18:35 <myndwire|WFH> i can replace it, but the question is which cert haha
18:35 <myndwire|WFH> or i could be completely wrong
18:39 <nowen> that's the one, I think
18:40 <myndwire|WFH> ah ok
18:40 <myndwire|WFH> it's the only place i can find any certs, but apparently that's just a key
18:41 <myndwire|WFH> yea that's got to be it.. it's the only place anything can go
18:42 <nowen> no, where to get the right one..
18:42 <nowen> is it in /etc/nx?
18:42 <myndwire|WFH> lemme see
18:42 <myndwire|WFH> a-ha
18:42 <myndwire|WFH> /etc/nxserver contains:
18:42 <myndwire|WFH> -rw-------  1 nx   root   672 Apr 27 15:48 client.id_dsa.key
18:42 <myndwire|WFH> -rw-------  1 nx   root   604 Apr 27 15:48 server.id_dsa.pub.key
18:42 <myndwire|WFH> bet that 2nd one is it
18:43 <myndwire|WFH> there's a users.id_dsa and "".pub
18:43 <nowen> hmm
18:44 <nowen> any docs in /share?
18:45 <myndwire|WFH> doesn't look like there are any docs at all, no
18:46 <myndwire|WFH> hmm
18:46 <myndwire|WFH> http://www.nomachine.com/ar/view.php?ar_id=AR01C00126
18:47 <myndwire|WFH> we want the nomachine key as part of the client right
18:47 <myndwire|WFH> but i'm guessing the one in there by default was picked up on first connection, like any ssh connection
18:48 <nowen> yeah, I feel like it used to "just work", I guess no one changed the keys
18:54 <myndwire|WFH> weird.. isn't the nxserver process supposed to run?
18:55 <nowen> hmn. yeah, i think it's more like a shared library - called and does its thing
18:55 <nowen> but i really can't remember
18:55 <myndwire|WFH> ah ok.. so it may be normal that it's just not running as a server process
18:56 <nowen> yes, I think i remember being spooked by that ;)
18:57 <myndwire|WFH> hehe
18:57 <myndwire|WFH> i wonder if my radius crap isn't set right in wikid
18:57 <nowen> if not, then you will get an error in the WiKIDAdmin logs
18:58 <nowen> if the last thing in the logs is the OTP request, then it is elsewhere
18:58 <myndwire|WFH> what's the main logfile again?
18:59 <nowen> for WiKID, it is in the webui
18:59 <myndwire|WFH> opt/WiKID/log/
18:59 <myndwire|WFH> oh ok duh
18:59 <myndwire|WFH> just an exception from a while ago
18:59 <myndwire|WFH> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/WiKIDAdmin].[jsp]
18:59 <myndwire|WFH> 2 of those
19:00 <myndwire|WFH> servlet exception
19:00 <myndwire|WFH> changed to debug
19:01 <myndwire|WFH> only thing that happened during my auth attempt was:
19:01 <myndwire|WFH> com.wikidsystems.server.DeviceTransactionExec
19:01 <myndwire|WFH> Issued passcode to device 1597322458765493271
19:02 <myndwire|WFH> oh wow, yeah, nothing related to the pass-off to nx
19:03 <myndwire|WFH> i had multihomed enabled.. turned that off. otherwise the rest is all defaults i think
19:05 <myndwire|WFH> yeah, it's definitely failing the publickey auth. i'm gonna try subbing out the key, hopefully it's different?
19:06 <nowen> A part of the key that must be distributed to clients is placed in: /usr/NX/share/keys. Distribute the private key from the newly generated couple of keys located in the file: /usr/NX/share/keys/default.id_dsa.key
19:07 <myndwire|WFH> neither exact path exists, but i've got:
19:08 <myndwire|WFH> well... the only keys i have with freenx live in /etc/freenx
19:08 <myndwire|WFH> -rw-------  1 nx   root   672 Apr 27 15:48 client.id_dsa.key
19:08 <myndwire|WFH> -rw-r--r--  1 nx   root 22594 Apr 28 13:52 node.conf
19:08 <myndwire|WFH> -rw-r--r--  1 nx   root 22553 Oct  3  2010 node.conf.sample
19:08 <myndwire|WFH> -rw-------  1 nx   root     0 Apr 27 15:48 passwords
19:08 <myndwire|WFH> -rw-------  1 nx   root     0 Apr 27 15:48 passwords.orig
19:08 <myndwire|WFH> -rw-------  1 nx   root   604 Apr 27 15:48 server.id_dsa.pub.key
19:08 <myndwire|WFH> -rw-------  1 nx   root   668 Apr 27 15:48 users.id_dsa
19:08 <myndwire|WFH> -rw-r--r--  1 nx   root   604 Apr 27 15:48 users.id_dsa.pub
19:08 <nowen> I'm thinking you need to put client.id_dsa.key in the client
19:08 <myndwire|WFH> that's what i'm thinking too
19:08 <myndwire|WFH> i'm going to backup the old one and try it out
19:12 <myndwire|WFH> it's workin it seems
19:12 <myndwire|WFH> 'waiting authentication'
19:12 <nowen> all the way?
19:12 <myndwire|WFH> oh hell yeah
19:12 <myndwire|WFH> auth failed for user obringer, but that's fine -- i don't have a login
19:12 <myndwire|WFH> i can only test as far as that i think
19:12 <nowen> awesome
19:13 <myndwire|WFH> oh yeah, the logs look verbose now
19:13 <myndwire|WFH> radius receiver started: listening on port 1812
19:13 <myndwire|WFH> accounting logs set up
19:14 <myndwire|WFH> nice, i think it's actually working
19:14 <myndwire|WFH> i'll know tomorrow for sure when we setup another box on the LAN before putting it in place and i setup credentials to test with
19:14 <nowen> cool
19:15 <myndwire|WFH> heck yeah, hey i truly appreciate your help man, this is going to be awesome when it's all set up :)
19:15 <nowen> np
19:30 <myndwire|WFH> i'll ttyl, i have to run
19:30 *** myndwire|WFH has parted #wikid (None)
22:21 *** nowen has parted #wikid (None)

Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!