Monday, 2011-07-18

« Saturday, 2011-07-16 Index Tuesday, 2011-07-19 »
*** Lake_Lurker (~Just@h159.79.91.75.dynamic.ip.windstream.net) has joined #wikid11:21
*** Lake_Lurker has parted #wikid (None)11:21
*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid12:48
*** Wallyk (4004456e@gateway/web/freenode/ip.64.4.69.110) has joined #wikid13:59
WallykHello13:59
nowenhi13:59
WallykI am trying to setup an apache reverse proxy to go in a dmz and I am wondering what url's I need to forward through the proxy14:00
nowenthe token requests will all go to the /wikid/ directory on your wikid server14:00
Wallykok that is what I wanted to know.  Thanks.14:01
nowennp14:01
WallykI am trying to get "wikidctl start" to run at bootup is this possible?14:57
nowenyes,14:58
WallykI added it to rc.local is that right?14:58
nowencreate a file called /etc/WiKID/security14:58
nowenand put one line it it:  'WAUTH_PASSPHRASE=yourpassphrase'14:58
nowenwithout the quotes, of course14:58
nowenand then, yes, rc.local should do it14:59
Wallykhmm I will keep looking14:59
nowenis it not working?14:59
Wallykno I rebooted the server and it is not working14:59
Wallykwhen I run the command manualy it will start working15:00
nowenI can send you an /etc/init.d script15:00
Wallykok15:00
nowenwhat is your email?15:01
Wallykwallyk@caamanitoba.com15:02
Wallykis the time to renew a hint? : )15:05
nowenhehe - not sure, I just forwarded an email to someone else.  guess I forgot to change the subject :)15:05
WallykWe did buy it last year I really don't kno were we stand15:06
Wallykshould rc.local work have other people done that?15:06
nowenI thought it would, but this guy had troubles.  I thought it would be good to have a full script anyway and this was the start15:07
nowenyou'll purchased in January, plenty of time left :)15:09
Wallykwill you guys send us a reminder?15:12
nowenoh yes :)15:12
Wallykrc.local is working I just needed the full path15:13
nowenyou mean /opt/WiKID/bin?15:13
Wallykyep15:13
nowengood to know15:13
Wallykis there a reason ldap protocol daemon takes such a long time?15:14
WallykWe are not using ldap so I guess I could turn it off15:15
nowenbecause ldap is such a piece of crap?15:15
Wallyk: )15:15
nowenoh yes, do turn it off.15:15
Wallykcan I trun it off from the admin page15:15
nowenyes, under Configuration/Enable Protocols15:15
Wallykhmm it says not initialized15:16
Wallyknot a big deal we should not have to reboot that often15:19
nowenthe WiKIDAdmin says that it isn't enabled?15:20
Wallykright15:20
nowenhmm15:20
Wallykbut when I run wikidctl start it hangs on starting ldap protocol for a long time15:21
Wallykit is also showing me all the protocols 4 times15:24
WallykI recently did an update I don't know if that could have caused the problem15:24
nowenhmm15:25
nowenok15:25
nowenwe can fix this, lemme see if I can find my notes15:25
nowenso, what version are you on now?15:25
Wallykwikid-server-enterprise-3.4.87-b83915:26
nowenok - ready to some psql?15:29
nowen#  su - postgres15:30
nowen$ psql -d wikid15:30
nowenwikid=#  select * from host_type;15:30
nowenlet me know the output.  it should have doubles15:30
Wallykwikid=# select * from host_type;  id_hosttype | type |                        name                        |           creation -------------+------+----------------------------------------------------+-------------------------------            1 |    0 | WAUTH                                              | 2010-09-30 14:37:12.023515-05            2 |    1 | Radius                                             | 2010-09-30 14:37:12.033849-015:32
Wallykyep doubles that was messy15:32
nowenhuh. that looks ok15:32
nowenoh, is that not all of it?15:32
nowen I guess irc limited it15:32
Wallykno it does not want to past in properly I could email you back hang on15:33
nowendon't worry15:33
nowenI'm guessing that 1-5 are legit, correct?15:33
WallykYep15:33
nowenso15:33
nowenwikid=# delete from host_type where id_hosttype > 6;15:33
nowenshould delete any that are higher15:33
Wallykyep that worked15:34
Wallykthough ldap still says not initialized15:35
nowenit should clear up with a restart15:35
Wallykhow do I get out of psql?15:37
nowenctrl-d15:37
nowena couple of times15:37
Wallykrebooting now15:37
nowenoh, you don't have to reboot - sorry - I just meant to restart wikid15:38
Wallykyeah I should have thought of that15:38
Wallykoh well15:38
nowennp15:39
WallykThat is good.  It restarts quick now.  Now I can get on to what I was really wanting to do.  Create an apache reverse proxy to live in a dmz15:42
nowencool.  I need to write that up.15:43
nowenthe only part I don't have is the proxypass rules, though I have re-write rules15:43
WallykWe have been a blackberry shop untill recently and the bes let let our moble clients connect without wikid being internet facing15:44
nowenahh yes15:44
Wallyknow we have ipads and I have an android and I need to get it to work15:44
nowenbut now the xEO has an iphone?15:44
Wallyk: )15:45
Wallykhow did you konw.  he started the whole thing15:45
nowenhehe15:45
nowenlunchtime.  bbl15:59
*** nowen has quit (Quit: Leaving.)15:59
*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid17:06
*** Wallyk has quit (Ping timeout: 252 seconds)17:35
asofrankNick17:50
asofrankdo you have a list of return codes from the API17:50
nowenhmm.  let me dig17:51
asofrankim getting a "4" code when trying to add additional registration codes for a user17:51
asofrankbtw, you should update the website to include the updated PHP API that greg has :)17:52
nowenI have it up there for download17:52
asofranksays 3.0-517:53
asofrankthe one I have is 3.1-017:53
nowenoops.17:53
nowenit's on sourceforge but not the homepage17:53
nowenwhich Add additional function are you using?17:56
asofrankadd-no-check17:56
asofrankADDREGUSER17:56
asofrankactually17:56
asofrankI think I see the problem in the code17:57
asofrankits just an annoying way of doing it. let me recode and see if I'm still getting an error17:57
nowenyou see a problem in your code?17:58
asofranka bit of mine and the way the PHP class works17:58
nowenShould be a log message in the server log.17:59
nowenusername exists perhaps?18:00
nowen "Registration of " + uname + " failed.  Username exists in " + domainCode + " domain."18:00
nowenor18:00
nowen"Registration of " + uname + " failed in " + domainCode + " domain.  Passcode failed validation."18:00
nowenare the two 4s18:01
asofrankyeah, i see what it is18:02
asofrankthat particular function just didn't work as I expected it18:02
asofrankbut now that I have findUser() to work with, it makes it easier18:02
asofrankcool. that seemed to work18:04
asofrankbtw, there doesn't seem to be a way to add multiple token clients per user from the web admin18:04
asofrankif you enter the same username it just comes back with duplicate user18:05
nowenno, there isn't.  we added it later and thought it more secure to keep it at the network client layer, specifically for a banking app of a customer18:05
asofrankah18:06
asofrankno matter for me, as all the user stuff is being done over the API anyway18:06
asofranks18:06
asofrankwhile testing it though, I noticed it wasnt possible :)18:07
asofrankI ended up creating username1 username2 username3 for some people while testing18:07
asofrankNick: I got it working18:35
nowenexcellent18:36
asofrankany word on the issues I brought up about the mac client?18:36
asofrankspecifically, the latest version doesn't work if you're a non-admin18:36
nowenhmm. my mind is slipping18:37
noweninstaller jar? or just the jar?18:37
asofrankthe installer jar18:38
asofrankwell, I think it installed fine18:38
asofrankbut you couldnt add a domain18:38
asofranklet me test it again18:39
nowenhmm.  what domain?18:39
asofrankit was an issue with writing to the location where the files were stored18:39
nowenhmm18:39
nowenthere should be an option to install it in a different location during the install process18:39
asofrankok. when you enter the passphrase, it just kicks back to it again18:55
asofrankit doesnt accept it18:55
nowensounds like perms on the directory. can't write the file18:55
nowenwhere is it installed?19:00
asofrankit installs by default into /Applications/wikidtoken19:07
asofrankI can't reproduce the issue19:07
asofrankI'm having our CEO try again19:07
nowenhmm, /Applications is user-owned, right?19:08
asofranki know it asks for privilege escalation when the installer starts19:08
asofrank /Applications is root owned if im not mistaken19:08
asofrankI tried putting it in /User/USERNAME/Applications but it said it couldnt write there19:08
asofrankwhich was weird19:08
asofrankCEO just tried locked version and had the same issue19:09
asofrankhes trying unlocked now19:10
nowenI think it's an issue on our end.19:10
nowenthe token asks for root to install, but the user is the one writing the file19:10
asofrankyeah, thats what I figured when I checked the debugging output with greg19:11
asofrankhm, another user on a mac cant even run the client for some reason19:11
asofrankis 10.5.x not supported?19:11
asofrankok. CEO tried unlocked version19:12
asofrankit worked fine19:12
asofrankso its just the locked version that is having the issue19:12
nowendoes he have java on 10.5?19:14
asofrankthe installer ran19:14
asofranki dont understand why it would be any different19:14
nowenwhat  version of java?19:14
nowenwe require 1.619:14
asofranklet me check19:21
asofrankwhats the option to get the java version19:21
nowenjava -version19:21
*** joshua___ (6264145c@gateway/web/freenode/ip.98.100.20.92) has joined #wikid19:22
joshua___Greetings.19:22
*** joshua___ is now known as hublar19:22
nowenhowdy!19:22
hublarI could use some help -- security and networking are not my forte -- but, I need to put together a solution.19:22
asofrankbah, she signed up19:23
asofrankoff*19:23
asofrankI'll get back with her later and see what it is19:23
nowenok19:23
asofrankand tell her to get off 10.5 cause its old19:23
nowenhehe19:23
hublarI need to setup two-factor authentication with VNC.19:23
asofrankLion should be out any time now I think19:23
hublarI have a bunch of clients who take card holder data -- I'd like to keep them PCI compliant.19:23
hublarI'm not sure where to begin, except for that -- my resources are tight.19:24
nowenhublar: ok, well, VNC typically doesn't have a lot of auth options.  do you run it through something else?19:24
hublarThat's what I thought I would do -- run it over SSH, and -- maybe set something up with tokens.19:24
nowenI'm a big fan of freenx and it's commercial version from Nomachine19:25
hublarAnytime I google two-factor authentication and VNC, wikid server comes up19:25
asofrankheh19:25
hublarCould you tell me more about freenx?19:25
nowenbut if you are looking for hardware tokens, you're in the wrong place :)19:25
asofrankgoogle loves to cache the wikid site, so I've found19:25
hublarI don't need hardware tokens.19:25
hublarI just need to make something PCI compliant.19:25
hublarEssentially -- I want to be able to slid into and service a machine that handles card holder data.19:26
hublar*slide19:26
hublarWe're scaling our operations -- so, the importance of me being able to do this is critical to our growth.19:26
hublarAs it is, I use showmypc and it requires a bunch of yucky user intervention.19:27
nowenfreenx encrypts traffic with ssh and uses the NX protocol to speed VNC19:27
hublarI see.19:27
hublarSo, it is one component of the problem at hand.19:27
nowenit uses pam for authentication19:27
nowenso you can configure pam_radius to talk to the WiKID server19:28
hublarWhat /is/ WiKID, exactly?19:28
nowenit is a two-factor authentication solution19:28
hublarWell, there you go.19:28
hublarhttp://www.wikidsystems.com/support/wikid-support-center/how-to/using-freenx-to-secure-terminal-services-and-vnc-with-two-factor-authentication19:28
nowenso, freenx and wikd gets you what you need19:29
nowenthat is a bit dated.19:29
nowenyou don't have to change the freenx code any more19:29
hublarYes, it does.19:29
hublarOkay -- so, what is the pricepoint of a setup like this?19:29
nowenhere is the pam-radius info for redhat/centos: http://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to/?searchterm=pam%20radius19:29
asofranknearly half the price of standard hardware tokens :)19:30
hublarSo, I need to put a box on the next to do PAM.19:30
hublarthat communicates with WiKID.19:30
nowenyes, set up freenx and pam-radius on a box.  it would radius to wikid19:30
nowenyou could do it all in one box, but we recommend that wikid run on it's own server/virtual image19:31
hublarWiKID does whatever it does, authenticates the connection, and establishes the session.19:31
hublarokay, I see.19:31
asofrankit just sends a "login good" or "login bad" back to whatever is communicating with it.19:31
nowenWiKID authenticates the user.  the sessions is all ssh or freenx19:31
hublarSo - does WiKID systems do hosting?19:31
nowenexactly19:31
hublarOr is it simply the technology behind the solution?19:32
nowenwe do not, but you can run it anywhere.  The key question is encrypting the radius traffic19:32
hublarhrm19:32
nowenis most of your infrastructure hosted?19:32
hublarWell, we're a very tight group at the moment.  I have a shared host for web, and the rest is a hodge-podge collection of devices a la battlestar.  Working on it.19:33
hublarSo, yes.19:33
hublarshared hosting for infrastructure.19:33
hublarSounds like I need a VPS.19:33
nowenis the host PCI compliant?19:34
asofrankthats what I was thinking19:34
hublarHostgator.19:34
asofrankshared hosting generally is not.19:34
hublarno, I should think I would have to do a VPS.19:34
hublarGod forbid a colo.19:34
nowenyeah, I think amazon has a pci compliant offering19:34
hublardecent pricepoint?19:34
hublarSounds like i wouldn't need a whole lotta cycles.19:34
nowenno idea19:34
asofrankthe system itself doesn't use much juice19:35
nowenthe WiKID iso is based on centos519:35
asofrankit sits idle 99% of the time19:35
hublarSounds like I could go barebones VPS.19:35
hublarright.19:35
nowenyeah, and it doesn't use much memory.  1 gig should do it19:35
hublarSo, I need 1) VPS.  2) Radius mojo 3)Freenix19:35
nowenand very little traffic19:35
hublarFreenx19:36
hublarWhat is FreeNX, exactly?19:36
nowenfreenx might not be in the centos repos.19:36
hublara PAM authenticator.19:36
nowenno, an open source version of this http://www.nomachine.com/19:37
nowenhaha, I'm looking for a copy of an article I wrote on freenx.19:38
nowencan't find it19:38
nowenbecause it was in print!19:38
nowen:)19:38
nowenI'll have to update the webiste19:39
nowensite19:39
nowenhublar: asofrank can help you out with a VPS19:40
nowenhey , asofrank what gives? http://www.asmallorange.com/hosting/business/  PCI compliance for $25 more?19:41
nowen Y U NO TELL US?19:41
asofrankits scheduled security checks and scans19:41
asofrankit really depends on what level of PCI you need19:41
nowenit is popular?19:41
asofranknot extremely, most people ignore PCI19:42
nowenhaha LOL19:42
nowentrue19:42
hublarThe reddit is strong with you.19:42
hublarI cannot ignore PCI.19:42
hublarI am a Merchant Service Provider.19:42
hublar;_;19:42
nowenno audit, no compliance19:42
asofrankindeed.19:42
nowenfor the record, I spend very little time on reddit19:42
asofrankme either.19:43
hublarNow that google+ is out, amirite?19:43
hublar:E19:43
asofrankhah. yeah, im on google+19:43
nowenhaha19:43
nowenI am too, but I have like two posts.  and it's all twitter people in my circle19:43
hublarI have to bail -- I need to image up a new machine and get it ready for a rapid deployment.19:43
asofrankgood luck.19:44
hublarI'd love to continue this conversation, though.19:44
nowenk - come back19:44
hublarI know my solution is here.19:44
hublarI want, so much, to grok fully.19:44
nowenand if you like IRC, you're our kind of user19:44
hublar<419:44
hublar(<3++)19:44
hublar;)19:44
hublarpeace, fellas.19:44
nowenhaha19:44
nowenlater19:45
asofrankquestion for you. If we change server codes, will we have to reset all the client tokens?20:09
nowenyes20:09
asofrankok20:09
nowenwe can set you up an entry in our dns if you like.  a la our 88888888888 demo domain20:10
asofrankwell, we're downsizing our servers at GNAX, and the IP of that server may be changing20:10
*** hublar has quit (Ping timeout: 252 seconds)20:11
asofrankim not 100% sure it will be changing, but its possible20:11
asofrankwe have several /24's that wont be used anymore20:11
nowenif you use our dns, we can point it to a domain in your dsn20:12
nowenthe downside is that you are relying on our dns20:12
nowenthe next edition will not have this issue20:12
asofrankyeah, we only have ~ 40 employees so it might be a non-issue to reset everyone20:12
asofrankso the server code itself is not used on the client to directly connect to our wikid server, or is it?20:13
nowenthe token client will check the default dns. if that fails, then the ipaddress20:13
nowenthis can be reversed on the java token with a custom jw.properties file and the dns can be changed20:14
asofrankah20:14
asofrankgotcha20:14
nowenby the smartphone tokens do not do that yet20:14
asofrankthe smartphone tokens need some work :)20:16
nowenhehe. yes.  it isn't easy to keep up.20:16
asofranki dont even pretend to know how to code mobile apps, so I'll leave that to you all.20:16
asofrankim sure.20:16
nowentoo many platform20:16
nowens20:16
asofrankyou either need a couple rockstar developers who know everything, or a bunch of developers with various levels of expertise20:17
*** nowen has parted #wikid (None)22:31
« Saturday, 2011-07-16 Index Tuesday, 2011-07-19 »

Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!