*** CoolAcid (~Jason@2001:470:c025:f00d:8e89:a5ff:fe30:c728) has joined #wikid | 01:14 | |
*** prowlah has quit (Remote host closed the connection) | 05:15 | |
*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid | 13:18 | |
*** prowlah (~prowlah@unaffiliated/prowlah) has joined #wikid | 16:12 | |
*** donnoman_ (404715e2@gateway/web/freenode/ip.64.71.21.226) has joined #wikid | 17:15 | |
donnoman_ | trying to quickly understand what the pricing model for wikid is | 17:16 |
donnoman_ | it appears you buy by seat | 17:16 |
nowen | correct | 17:16 |
donnoman_ | and a seat is an annual user | 17:16 |
donnoman_ | does the number of servers that the user can connect to matter? | 17:16 |
nowen | you mean the number of WiKID servers? | 17:17 |
donnoman_ | we have about 50 servers we ssh to, and about 20 some odd users that need to connect to them | 17:17 |
donnoman_ | I'm assuming there is at least one central wikid server that processes the authentications | 17:18 |
nowen | the number of Network clients, ie, the ssh servers do not matter | 17:18 |
donnoman_ | and the rest of the servers would be using pam? | 17:18 |
donnoman_ | ok, and can we run dual wikid servers in case one fails? | 17:19 |
nowen | yes, it might be worthwhile putting a real radius server in the middle | 17:19 |
donnoman_ | auth servers that is | 17:19 |
donnoman_ | yes, we're considering freeradius anyway | 17:19 |
donnoman_ | and comparing wikid vs tectia ssh server | 17:19 |
nowen | is tectia auth a service? | 17:21 |
donnoman_ | its an ssh server that supports RequiredAuthentications so that we could require key and password auth | 17:21 |
nowen | I see | 17:21 |
donnoman_ | openssh doesn't support it | 17:21 |
donnoman_ | but it's really expensive from what I've seen, and wikid gives us a real two-factor auth, so that's the way I'm leaning | 17:22 |
donnoman_ | is the communication between the server being logged into via ssh to the wikid server over an encrypted channel? | 17:24 |
nowen | radius is not encrypted, only encoded | 17:24 |
donnoman_ | ok my concern is this; we are trying to do multi factor to machines in ec2 | 17:26 |
donnoman_ | and between regions we can only communicate via public IP. | 17:26 |
donnoman_ | if we use radsecproxy on the servers we can encrypt radius traffic | 17:27 |
donnoman_ | that gives us common passwords | 17:27 |
donnoman_ | we already distribute public keys and disable password auth. | 17:27 |
donnoman_ | so how would we incorporate wikid. | 17:28 |
nowen | I've never heard of radsecproxy | 17:31 |
nowen | what does it do? | 17:31 |
donnoman_ | tunnels radius over tls | 17:31 |
donnoman_ | on the radius server you tell it to listen only on localhost | 17:32 |
nowen | hmm. that's handy | 17:32 |
donnoman_ | then startup radsecproxy it listens on the public address on both the unencrypted port, and listens on an encrypted port | 17:32 |
donnoman_ | on the client you run radsecproxy and listen on localhost | 17:32 |
donnoman_ | configure pam to use radius via localhost | 17:33 |
nowen | so, could you run on the WiKID server and have all the traffic go to WiKID? | 17:33 |
donnoman_ | then radsecproxy tunnels all the traffic over tls to the real radius server | 17:33 |
nowen | and decrypts it at the real radius server? | 17:34 |
donnoman_ | yeap | 17:35 |
donnoman_ | just read: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-secure-ssh-with-two-factor-authentication-from-wikid | 17:36 |
nowen | so, you could run it on the WiKID server | 17:36 |
donnoman_ | looks like I'm still left with the same problem of not supporting RequiredAuthentications | 17:36 |
donnoman_ | because I don't want pw auth being open. | 17:36 |
donnoman_ | I want it to be key first, then pw | 17:37 |
donnoman_ | does WikID act as radius? | 17:39 |
donnoman_ | at the protocol level? | 17:39 |
nowen | we talk radius, but it is not meant to replace a radius server, really | 17:39 |
donnoman_ | so when an ssh auth happens, as described in the document, I attempt to log in to ssh, ssh hits pam, pam hits the wikid server, wikid server generates an OTP, SMSes me the OTP, and sends an auth key back to pam, I use the OTP on the login, if it matches the pam auth succeeds. | 17:41 |
donnoman_ | is that correct? | 17:41 |
nowen | no, the token hits the WiKID server and gets the OTP, the user logs in via ssh and provides the username and otp | 17:42 |
nowen | pam sends the creds to WiKID to verify | 17:42 |
donnoman_ | who sent the token to wikid? | 17:43 |
nowen | the tokens are set up prior to logging in. remember token != otp | 17:44 |
donnoman_ | sorry I don't understand the tokens; who created them when? | 17:44 |
nowen | they are downloaded from our site and configured | 17:45 |
nowen | the tokens generate key pairs which are exchanged with the server | 17:46 |
nowen | http://www.wikidsystems.com/downloads/token-clients | 17:46 |
donnoman_ | so token is like a private key for each host, the wikid server will create OTPs that the server can authenticate. | 17:47 |
nowen | yes, the two factors are knowledge of the PIN and possession of the private key embedded in the token | 17:48 |
nowen | the token can be run in command line mode, too btw | 17:48 |
donnoman_ | ok, so as a client that wants to ssh, I would hit the wikid server to generate the OTP, for a server that already has established token | 17:49 |
jY | I pre-registered a user.. but when I try to use the javaclient I get the following | 17:49 |
jY | http://pastebin.com/L2K5y9dg | 17:49 |
donnoman_ | and to hit the wikid for the OTP is when I supply the PIN. | 17:49 |
nowen | donnoman_: yes | 17:49 |
donnoman_ | gotcha, I get it now. | 17:49 |
donnoman_ | thanks so much. | 17:49 |
jY | http://snapplr.com/yz2j | 17:49 |
jY | there is my pre-reg list | 17:50 |
nowen | jY: that looks like it is trying to authenticate rather than reg | 17:50 |
nowen | what do the WiKIDAdmin logs say? | 17:50 |
jY | ohh, thought that was registering | 17:51 |
jY | what should I use to register them then? | 17:51 |
nowen | have you seen the example.jsp? | 17:51 |
jY | nope | 17:51 |
nowen | look in /opt/WiKID/tomcat/webapps/WiKIDAdmin | 17:52 |
nowen | have you manually validated a user already? | 17:52 |
jY | I just added them to a list I uploaded | 17:52 |
jY | they are listed in pre-register | 17:52 |
jY | I'm stuck on that | 17:52 |
nowen | http://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-configure-pre-registration-of-users | 17:53 |
nowen | jY: do you use ldap or AD? | 17:53 |
jY | nope | 17:53 |
jY | I'm just trying to get 2 factor auth up and running for PCI | 17:54 |
*** donnoman_ has quit (Ping timeout: 258 seconds) | 17:54 | |
jY | that's all i need it for | 17:54 |
nowen | try using the custom jw.properties file and then run the token normally. you will get a prompt for the pre-reg code and double PIN entry | 17:55 |
nowen | how many users will you have? | 17:55 |
jY | under 10 | 17:55 |
nowen | I would just manually validate them then | 17:55 |
jY | ya | 17:55 |
jY | that's what I want.. but I know 0 java | 17:56 |
jY | so figuring out jsp won't help me | 17:56 |
nowen | you don't need to know java | 17:56 |
nowen | just have them add the domain to the token client and give you the registration code | 17:56 |
nowen | then you manually add them as admin | 17:56 |
jY | which client do you recommend? | 17:57 |
nowen | I may have to check out for a minute, pidgin is locking up on me | 17:57 |
nowen | what OS? | 17:57 |
jY | osx | 17:57 |
nowen | http://www.wikidsystems.com/webdemo/tokens/j2se/3.1.17/wikidtoken-3.1.17.jar | 17:58 |
nowen | should work fine | 17:58 |
jY | ok thanks | 17:58 |
*** nowen has quit (Quit: Leaving.) | 17:59 | |
*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid | 17:59 | |
nowen | I'm back :) | 18:00 |
jY | nowen: thanks.. worked | 18:00 |
nowen | cool | 18:00 |
nowen | what version of osx? | 18:00 |
jY | lion | 18:01 |
nowen | good to know. | 18:01 |
jY | was shocked too | 18:01 |
nowen | can you also try the locked token for me? | 18:01 |
nowen | http://www.wikidsystems.com/webdemo/tokens/j2se/3.1.17-locked/wikidtoken-3.1.17.jar | 18:01 |
jY | 'cause it allowed me to just double click the jar file too | 18:01 |
jY | that one just keeps popping up a new enter passphrase dialog | 18:02 |
nowen | hmm | 18:03 |
jY | nowen: one last question.. when I set up the domain.. for that token client to work.. what port(s) need to be forwarded to the wikid server? | 18:42 |
nowen | port 80 | 18:42 |
nowen | all token requests will go to /wikid too | 18:42 |
jY | ok thanks | 18:43 |
nowen | the tokens use asymmetric encryption, so no need for 443 | 18:44 |
*** nowen has quit (Quit: Leaving.) | 21:11 | |
*** nowen (~nowen@adsl-74-176-212-133.asm.bellsouth.net) has joined #wikid | 21:30 | |
*** nowen has quit (Quit: Leaving.) | 23:03 |