Wednesday, 2011-05-04

*** alamarca has quit (Ping timeout: 240 seconds)		05:32
*** alamarca (~alamarca@201.246.122.210) has joined #wikid		05:46
*** perestrelka (~vlad@194.242.5.47) has joined #wikid		06:30
*** alamarca has quit (Ping timeout: 252 seconds)		07:12
*** alamarca (~alamarca@201.246.122.210) has joined #wikid		07:24
*** alamarca has quit (Ping timeout: 240 seconds)		07:40
*** alamarca (~alamarca@201.246.122.210) has joined #wikid		07:53
*** alamarca has quit (Ping timeout: 240 seconds)		11:01
*** alamarca (~alamarca@201.246.122.210) has joined #wikid		11:13
*** sakhi (~sakhi@uwcfw.uwc.ac.za) has joined #wikid		11:19
*** myndwire (myndwire@208.40.196.99) has joined #wikid		12:39
*** myndwire has parted #wikid (None)		12:39
*** myndwire (myndwire@208.40.196.99) has joined #wikid		12:51
myndwire	anyone around? :)	12:52
*** alamarca has quit (Ping timeout: 240 seconds)		15:13
*** alamarca (~alamarca@201.246.122.210) has joined #wikid		15:26
*** nowen (~nowen@adsl-98-66-164-120.asm.bellsouth.net) has joined #wikid		16:08
myndwire	hola	16:09
nowen	hi	16:10
nowen	make any progress?	16:10
myndwire	i actually went ahead and built the 2nd box, configured wikid's network client to be the ip of the new box, and set the server file / pam.d/sshd files on the new one.	16:10
myndwire	the new box that's solely freenx now.. it's essentially going to try to connect to wikid's radius	16:11
myndwire	right?	16:11
nowen	correct	16:11
myndwire	i'm just a bit confused if that's the case, because it's only running on localhost on the old box	16:11
myndwire	so there's no network-possible-path for the new box to touch radius on the wikid box	16:11
myndwire	unless it works via ssh, then calls localhost for radius	16:12
nowen	the new box needs to be able to talk to the WIKID server over 1812 udp	16:12
myndwire	yeah, it should be able to, but radius on the wikid box is only running on 127.0.0.1, so how can i touch it via 10.2.21.51?	16:12
myndwire	i'm nmap'ing from the nx box to the wikid box, but seeing the udp port closed, which makes sens since it runs on localhost	16:13
nowen	did you add the new box as a network client on the WiKID box?	16:14
myndwire	yessir	16:14
myndwire	the new box is the sole network client on the wikid box	16:14
nowen	and does iptables show the port open?	16:14
myndwire	yes	16:15
nowen	what command did you use for nmap?	16:15
myndwire	[root@rmuauth02 ~]# nmap -sU -p1812 10.2.21.50	16:15
myndwire	1812/udp closed radius	16:15
nowen	and if you run that on the wikid server?	16:16
myndwire	wtf..	16:16
myndwire	[root@rmuauth01 ~]# nmap -sU -p1812 10.2.21.50	16:16
myndwire	Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-05-04 12:16 EDT	16:16
myndwire	Interesting ports on rmuauth01 (10.2.21.50):	16:16
myndwire	PORT STATE SERVICE	16:16
myndwire	1812/udp closed radius	16:16
myndwire	yeah	16:16
myndwire	exactly as i'd expect	16:16
myndwire	since:	16:16
myndwire	[root@rmuauth01 ~]# nmap -sU -p1812 10.2.21.50	16:16
myndwire	Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-05-04 12:16 EDT	16:16
myndwire	Interesting ports on rmuauth01 (10.2.21.50):	16:16
myndwire	PORT STATE SERVICE	16:16
myndwire	1812/udp closed radius	16:16
myndwire	oops	16:16
myndwire	sorry	16:16
nowen	and 'netstat -anp \| grep 1812'?	16:16
myndwire	[root@rmuauth01 ~]# netstat -an \|grep 1812	16:16
myndwire	udp 0 0 ::ffff:127.0.0.1:1812 :::*	16:16
myndwire	udp 0 0 ::ffff:127.0.0.1:1812 :::* 15035/java	16:17
myndwire	man, if i could only bind that to an interface ip... the world would rejoice	16:17
nowen	did you setup the networking using WiKID's setup command?	16:18
nowen	b/c this is what I get	16:23
nowen	nmap -v -sU localhost	16:23
nowen	[root@localhost ~]# netstat -anp \| grep 1812	16:23
nowen	udp 0 0 :::1812 :::* 15813/ja	16:23
nowen	I mena	16:23
nowen	mean	16:23
nowen	wow typing is extra hard today :)	16:23
*** alamarca has quit (Ping timeout: 240 seconds)		16:28
myndwire	a-ha	16:31
myndwire	you've got the checkbox checked.	16:32
myndwire	multihomed = binds to all interfaces	16:32
myndwire	this will fix it, as long as it starts	16:32
*** alamarca (~alamarca@201.246.122.210) has joined #wikid		16:40
myndwire	udp 0 0 :::1812 :::*	16:49
myndwire	there we go	16:49
myndwire	1812/udp open\|filtered radius	16:50
nowen	there we go!	16:50
nowen	so, we need to disable the ability to disable multi-home	16:50
myndwire	woah	16:54
myndwire	Access granted for obringer, domain code: 010002021050 client: /10.2.21.51	16:54
myndwire	<184> Access-Accept(2) LEN=89 10.2.21.51:8176 Access-Request by obringer succeeded	16:55
myndwire	yet the client fails	16:55
myndwire	hrm	16:55
nowen	check the logs on the freenx box	16:55
nowen	you may need to add the user to that box	16:55
myndwire	May 4 12:54:31 rmuauth02 nxserver[7158]: (nx) Failed login for user=obringer from IP=10.15.18.174	16:55
myndwire	they're identical os-wise	16:55
myndwire	hmm	16:55
myndwire	ohh	16:55
myndwire	so the user needs to have an actual shell login/pw that matches	16:56
myndwire	in addition to the vnc session	16:56
myndwire	it must...	16:57
nowen	the user needs to be able to meet the freenx login requirements, which are determined by ssh on the freenx box, typically	16:57
myndwire	ahh... so if i can login to this box via ssh (which i am now), and the nx desktop client is configured with that user/pass, it should work	16:58
nowen	yes	16:58
myndwire	gahhhh	17:00
myndwire	May 4 13:00:39 rmuauth02 nxserver[7427]: (nx) Failed login for user=obringer from IP=10.15.18.174	17:01
myndwire	i wonder if nx has some sort of anything anywhere	17:01
myndwire	doesnt appear so... as far as changeable stuff	17:02
nowen	can you login via ssh?	17:02
myndwire	yep	17:02
myndwire	er...	17:02
myndwire	i'm logged in..wtf i cant now though	17:02
myndwire	i must've changed pam	17:02
myndwire	hah	17:02
myndwire	holdon	17:02
myndwire	oh yea i can, nm	17:03
myndwire	client's configured for the .51 ip, port 22, vnc, and the password i set on the vnc host (port 5900, etc).	17:04
myndwire	man, nx hates me	17:37
nowen	still no love?	17:37
myndwire	-- NX SERVER START: -c /usr/bin/nxserver - ORIG_COMMAND=	17:37
myndwire	-- NX SERVER START: - ORIG_COMMAND=	17:37
myndwire	Info: Using fds #4 and #3 for communication with nxnode.	17:37
myndwire	HELLO NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: not detected)	17:37
myndwire	NX> 105 hello NXCLIENT - Version 3.2.0	17:37
myndwire	NX> 134 Accepted protocol: 3.2.0	17:37
nowen	did you try creating a user acct for yourself on the nx machine?	17:37
myndwire	NX> 105 SET SHELL_MODE SHELL	17:37
myndwire	NX> 105 SET AUTH_MODE PASSWORD	17:37
myndwire	NX> 105 login	17:37
myndwire	NX> 101 User: obringer	17:37
myndwire	NX> 102 Password:	17:37
myndwire	Info: Closing connection to slave with pid 8499.	17:37
myndwire	NX> 404 ERROR: wrong password or login	17:37
myndwire	NX> 999 Bye	17:37
myndwire	i dont quite get where my unix credentials within the windows client come into play	17:37
myndwire	so far i'm entering my username (which would work at the unix layer), the pin from my token, and within the vnc config, the vnc password	17:38
nowen	that should be it	17:38
myndwire	i even tried swapping over to a test RDP host, same	17:38
nowen	it's not the VNC part, it's the unix login. it could be the nx key	17:39
nowen	did you update the key?	17:39
myndwire	we did that a few days ago, yeah	17:39
nowen	I thought so	17:39
myndwire	we had gotten pretty stuck without it	17:39
nowen	that's right, I remember now	17:39
myndwire	although	17:39
nowen	was freenx working without wikid?	17:39
myndwire	consider this -- the key (if its on auth02)	17:40
myndwire	doesnt match the hostnme of the box anymore	17:40
myndwire	not sure if that mattered or not	17:40
nowen	could be	17:40
myndwire	since all nx / ssh stuff is now on this new one	17:40
myndwire	in that case, what would i have to regenerate?	17:40
myndwire	nothing within wikid i dont think	17:40
nowen	I'm guessing the nx keys.	17:42
nowen	I think there's a command for it	17:42
myndwire	hrm... the key came from the keystore on the wikid box	17:56
myndwire	at least the one we had put there originally	17:56
myndwire	without it, my pins don't generate	17:57
myndwire	er.. no, they do, i just cant even try to login w/ nx	17:57
nowen	no - there is an NX command to create key s for the nx server and clients, is what I mean	17:57
myndwire	ohh ok i gotcha	17:57
nowen	right -the client key we used has the wrong host.. now	17:58
myndwire	http://www.nomachine.com/ar/view.php?ar_id=AR01C00126	17:58
myndwire	aha	17:58
myndwire	[root@rmuauth02 ~]# /usr/bin/nxserver --keygen	17:59
myndwire	NX> 100 NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: not detected)	17:59
myndwire	NX> 500 Error: Function --keygen not implemented yet.	17:59
myndwire	NX> 999 Bye	17:59
myndwire	doh'	17:59
myndwire	oh i see ...	17:59
myndwire	/etc/nxserver contains client.id_dsa.key	18:00
myndwire	have to regen those	18:00
nowen	yeah, that's what I was thinking	18:00
myndwire	they look like standard openssl keys	18:01
myndwire	like for keyless auth..hmm	18:01
myndwire	i THINK this was installed with yum	18:02
myndwire	bet i could just reinstall it	18:02
myndwire	Package freenx-0.7.3-6.el5.centos.i386 already installed and latest version	18:02
myndwire	yeah	18:02
nowen	try just typing nx and then tab and see what comes up	18:02
myndwire	i think i found it	18:03
myndwire	[root@rmuauth02 ~]# /usr/bin/nxsetup --install --setup-nomachine-key	18:04
myndwire	Setting up /etc/nxserver ...done	18:04
myndwire	Setting up /var/lib/nxserver/db ...done	18:04
myndwire	Setting up /var/log/nx/nxserver.log ...done	18:04
myndwire	Adding user "nx" to group "utmp" ...done	18:04
myndwire	Setting up known_hosts and authorized_keys2 ...done	18:04
myndwire	Setting up permissions ...done	18:04
myndwire	Setting up cups nxipp backend ...cp: cannot stat `/usr/lib/cups/backend/ipp': No such file or directory	18:04
myndwire	crap, it didnt regen	18:05
myndwire	i wonder if theres an equivilent of dpkg-reconfigure for yum hah	18:05
nowen	http://www.nomachine.com/ar/view.php?ar_id=AR01C00126	18:06
myndwire	yeah thats 2.0.0+ of the non-free	18:06
myndwire	that command doesnt work	18:06
nowen	hmm	18:06
myndwire	i just neeed cups	18:08
myndwire	/var/lib/nxserver/home/.ssh/client.id_dsa.key	18:11
myndwire	got it	18:11
myndwire	i just hope it didnt do a bunch of shit to freenx	18:11
myndwire	shit	18:11
myndwire	'the nx service is not available or the nx access was disabled on host 10.2.21.51'	18:12
myndwire	lame	18:12
myndwire	simple pubkey fail	18:12
myndwire	the key that goes into the client is supposed to be from nx?	18:15
myndwire	i swear we got that from wikid	18:15
nowen	no, it's an nx key	18:32
myndwire	http://wiki.centos.org/HowTos/FreeNX	18:44
myndwire	closest thing to reality i can find	18:44
myndwire	but the key is the big issue	18:44
myndwire	amazing...still works with the key we pulled originally, just password bad.	18:46
nowen	it's possible that the key doesn't check the hostname	18:46
myndwire	probably not	18:46
myndwire	b/c the stock keys that all of the howtos insist on using don't work	18:46
myndwire	the one we've been using works perfect	18:46
myndwire	just cant auth	18:46
myndwire	i wonder if its specific to my own set of keys in my /home/.ssh/	18:47
nowen	I don't think so	18:47
myndwire	every step of this has been insane :(	18:47
myndwire	yeah, i didn't really think so either	18:47
nowen	but are you able to log in without your ssh keys?	18:47
myndwire	login to the box via ssh?	18:48
myndwire	er..	18:48
myndwire	node.conf... tons of stuff that can be ocnfigured in nx	18:50
myndwire	i wonder why they had me install both nx and freenx..	18:50
myndwire	didnt think i required both	18:50
nowen	nx is definitely showing its age. I think the commercial version is a lot easier	18:50
myndwire	yeah seriously	18:51
myndwire	this should be pretty drop-in..	18:51
*** alamarca has quit (Read error: Connection reset by peer)		19:18
myndwire	how ridiculous	19:25
myndwire	if i put my actual server-side username where the PIN goes within the nxclient, it ALMOST displays a vnc window...	19:25
myndwire	heh	19:25
myndwire	it should be enforcing two-factor..	19:26
myndwire	god i'm so lost... i was so close... and i really need to get this going :-\	19:27
nowen	maybe you should first get nx working and then add WiKID	19:27
*** alamarca (~alamarca@201.246.76.78) has joined #wikid		19:34
nowen	anything more in the logs? in /var/log/secure? about the nx failure?	19:34
myndwire	i think there's some sort of disconnect with nx authing with my pins	19:38
myndwire	-- NX SERVER START: - ORIG_COMMAND=	19:38
myndwire	Info: Using fds #4 and #3 for communication with nxnode.	19:38
myndwire	HELLO NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: not detected)	19:38
myndwire	NX> 105 hello NXCLIENT - Version 3.2.0	19:38
myndwire	NX> 134 Accepted protocol: 3.2.0	19:38
myndwire	NX> 105 SET SHELL_MODE SHELL	19:38
myndwire	NX> 105 SET AUTH_MODE PASSWORD	19:38
myndwire	NX> 105 login	19:38
myndwire	NX> 101 User: obringer	19:38
myndwire	NX> 102 Password:	19:38
myndwire	NX> 103 Welcome to: rmuauth02 user: obringer	19:38
myndwire	this is me logging in with box credentials in the password field	19:38
myndwire	yeah, i mean, i'd shoot for nx to work at all as a goal a this point	19:40
nowen	and then it dies? what's in your /etc/pam.d/sshd file? feel free to use http://pastebin.org if you prefer	19:41
myndwire	#%PAM-1.0	19:41
myndwire	auth include system-auth	19:41
myndwire	auth required /lib/security/pam_radius_auth.so	19:41
myndwire	yeah true, pastebin would be useful with these	19:41
nowen	is that is? what do you have for session?	19:41
myndwire	thats not it	19:42
myndwire	its just the 2 top lines	19:42
myndwire	the file's stock, same as it was on the other	19:42
myndwire	sec	19:42
nowen	and is obringer an account on the server?	19:42
myndwire	yeah	19:42
myndwire	http://pastebin.com/uL0NdsMi	19:42
nowen	huh. looks like things have changed since i last looked at pam	19:44
myndwire	when i attempt login with my pin	19:44
myndwire	http://pastebin.com/xRcCBSP5	19:44
myndwire	when i nix the pin from the pw field and just put in my unix-layer password for auth2:	19:45
myndwire	http://pastebin.com/gLRwkFw7	19:45
myndwire	(seems it shouldn't get this far done this way, but who knows)	19:45
nowen	i think that if you comment out the first line, only wikid will work	19:46
myndwire	ALMOST pushes a vnc window. who knows, may be designed to not, but it seems it shouldn't get that far.	19:46
myndwire	oh yeah	19:46
myndwire	but local ssh will never work	19:46
nowen	why not?	19:46
myndwire	i was under the impression from my testing and docs i've read off the website that with this:	19:47
myndwire	auth include system-auth	19:47
myndwire	you cant login via normal ssh login	19:47
nowen	not to my knowledge	19:47
myndwire	ah...gotcha	19:52
myndwire	i'll give it a try at some point i guess	19:52
nowen	I'm thinking it is one of the session lines. I assume you can get to the virtual console, so playing with these won't lock you out.	19:53
myndwire	oh yeah, i'd be fine with that	19:53
myndwire	auth include system-auth	19:55
myndwire	you def need this first to be able to login with l/p creds	19:56
nowen	if you have an account on the box, then that should be fine. I think I remember something about needing that line.	19:56
nowen	hmm - I might know how to get a copy of a working file	19:56
myndwire	yeah, it was part of the instructions n whatnot	19:56
myndwire	which file?	19:57
nowen	/etc/pam.d/ssh	19:57
myndwire	ah, so that appears to be the actual problem?	19:57
myndwire	i sort of want to eliminate the top line and try authing again	19:57
myndwire	lemme try that	19:57
myndwire	same crap	19:58
nowen	yes, it is not auth, it is session, IMO	19:59
myndwire	yeah thats what i think	19:59
myndwire	i wish there was a more recent tutorial for the iso	20:00
myndwire	:-\	20:00
nowen	the WiKID iso?	20:01
myndwire	yeah	20:03
myndwire	i guess i mean updated situational tutorials	20:03
myndwire	that's probably more realistics	20:04
myndwire	-s	20:04
nowen	it's very difficult for us to document all the things you can add two-factor auth to	20:04
myndwire	oh absolutely, completely understandable. it just seems that nomachine integration is the most common thing... you'd think someone out there would have a more recent tutorial.. haven't found much yet though	20:05
myndwire	a few specific to centos that don't work	20:05
nowen	no, it's funny. I think it is awesome, but I don't think anyone else cares	20:06
myndwire	a bunch that have you changing nx stuff out the wazoo, limiting ssh to users/group, utilizing the nx user every time, etc	20:06
myndwire	it's a shame, it's an awesome concept, and i see SO many people have it in place..	20:06
myndwire	we could do this environment wide and i'd gratefully buy a ton of site licenses	20:06
myndwire	seat*	20:06
myndwire	maybe once i have it figured out i'll just write the thing	20:07
myndwire	i've seen where some folks have built their nx's on ubuntu/debian and are fine	20:07
myndwire	perhaps thats an idea... not like it has to be the wikid iso	20:07
nowen	you're welcome to do that.	20:07
nowen	exactly, we just want the radius packets	20:08
myndwire	ya exactly	20:08
nowen	my last test box on this is a fedora 10 box	20:23
nowen	it does have: account sufficient /lib/security/pam_radius_auth.so	20:23
myndwire	ah yeah	20:25
myndwire	seems that mechanism works	20:25
nowen	also, I have commented out: #session required pam_loginuid.so	20:26
myndwire	oh nice...yea, that works for me, still can login anyway. i disabled that line too.	20:34
nowen	so nx is working?	20:34
myndwire	oh i just meant i disabled that extra line	20:35
myndwire	nah, saw deal	20:36
myndwire	i've got to head out, i'll talk to ya later. thanks again for your help nick	20:36
myndwire	we'll get this thing working	20:36
nowen	ok.	20:37
*** myndwire has parted #wikid (None)		20:37
*** alamarca has quit (Ping timeout: 240 seconds)		22:16
*** alamarca (~alamarca@201.246.76.78) has joined #wikid		22:27
*** nowen has parted #wikid (None)		22:41
*** alamarca has quit (Ping timeout: 246 seconds)		22:50
*** alamarca (~alamarca@201.246.76.78) has joined #wikid		23:03

Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!