*** Mark___ has quit (Quit: Page closed) | 08:36 | |
*** Marky_ (50a99e82@gateway/web/freenode/ip.80.169.158.130) has joined #wikid | 09:57 | |
Marky_ | Hello? | 09:58 |
joevano | hi | 13:44 |
*** nowen (~nowen@adsl-98-66-183-205.asm.bellsouth.net) has joined #wikid | 14:03 | |
*** Jim_ (d578dc04@gateway/web/freenode/ip.213.120.220.4) has joined #wikid | 15:04 | |
Jim_ | Hey Nick | 15:04 |
nowen | HI | 15:07 |
Jim_ | hey dude | 15:08 |
Jim_ | I got a demo together for my boss, worked out well, thanks for the help yesterday | 15:08 |
nowen | great news! | 15:08 |
Jim_ | was wondering about licensing costs for initially around 200 seats | 15:09 |
nowen | $24/per seat per year | 15:10 |
nowen | http://www.wikidsystems.com/learn-more/financial | 15:10 |
Jim_ | can't argue with that | 15:11 |
nowen | no, it's too low. buy now before we raise it ;) | 15:11 |
Jim_ | haha | 15:15 |
Jim_ | totally | 15:15 |
*** Jim_ has quit (Quit: Page closed) | 15:42 | |
*** nowen has quit (Quit: Leaving.) | 17:37 | |
*** nowen (~nowen@adsl-98-66-183-205.asm.bellsouth.net) has joined #wikid | 19:47 | |
*** dystonic (~dystonic@199.255.83.50) has joined #wikid | 20:51 | |
dystonic | Ello | 20:51 |
nowen | howdy | 20:51 |
dystonic | How goes Nick? | 20:51 |
nowen | good! | 20:51 |
dystonic | awesome. :) I had a question around using wikid with capistrano | 20:52 |
dystonic | (or knife, if you speak chef.) | 20:52 |
nowen | I don't speak either :( | 20:52 |
dystonic | it's a dual authentication issue. | 20:52 |
dystonic | wikid = one time passcode. | 20:52 |
dystonic | chef/cap are datacenter automation/deployment tools that can run as SUDO, with the same credential twice = but that doesn't work with wikid, obviously. | 20:53 |
nowen | ahh | 20:53 |
dystonic | (so you enter your cred, but it then goes to use the cred to priv esc and no go.) | 20:53 |
dystonic | Do you know of any way around it? I don't want to give my admins local accounts if it's possibly avoidable, and what they've been doing is using a shared account to deploy, which my QSA would not love. | 20:53 |
dystonic | centos boxes. | 20:54 |
nowen | can you create a 'jump' box that has 2fa on it from which you can run capistrano commands using keys? | 20:54 |
dystonic | kinda the same shared account issue there. | 20:55 |
nowen | hmm, i guess not if you have to run sudo on each box | 20:55 |
dystonic | yeah. they have to enter a credential to use cap, they could use a keyed account, but it'd have to be a local account either way | 20:55 |
dystonic | pci says no shared, so that leaves me with individual accounts or a shared credential which is nogo | 20:55 |
nowen | we have a ruby package for the api, so you could require 2fa to run capistrano | 20:56 |
dystonic | nod. or do a (ugh) sudoers all all nopass. | 20:58 |
nowen | it's a question I bet we see a lot more | 20:58 |
dystonic | yeah. I love me some twofactor, I just have to keep my users happy. | 20:58 |
dystonic | i don't want my admins to not have to think before they sudo, so it's a catch 22. | 20:58 |
nowen | yeah | 20:59 |
dystonic | re: ruby 2factor, in terms of using it to access the application? | 20:59 |
nowen | not thinking while running commands can be bad | 20:59 |
dystonic | so no win here -- either sudoers all:all nopass (hey! maybe a SA_username (security admin) account for remote administration only. | 21:00 |
dystonic | which is a secondary account with that elevated credential, but takes away my local accounts and allows me to segregate out normal admin tasks versus the remote administration. | 21:01 |
nowen | yeah | 21:01 |
dystonic | i could probably lock down where that account can log in from. | 21:01 |
nowen | right, only from the cap box | 21:01 |
dystonic | so no individual accounts or local accounts, remote authentication works for datacenter automation, but they don't go running around as that. | 21:01 |
dystonic | I'll pitch it. | 21:01 |
dystonic | :) | 21:01 |
nowen | let me know! | 21:02 |
dystonic | lol. Thank you! | 21:02 |
dystonic | talking stuff through = goodtimes. | 21:02 |
nowen | indeed! | 21:02 |
dystonic | oh. is there doc on assigning multiple tokens to the same userid? | 21:05 |
dystonic | i know you mentioned there was an api. | 21:05 |
nowen | not really, you just need to set up the example.jsp page: http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-test-if-the-server-is-working-correctly | 21:06 |
nowen | then look for "Add additional device to existing userid WITHOUT passcode" | 21:07 |
dystonic | k, I'll play with it. | 21:07 |
dystonic | i need to deploy it at home so I've got something to muck about with. | 21:07 |
nowen | the ADRegister.jsp can do it too | 21:08 |
nowen | yes, I encourage much mucking | 21:08 |
dystonic | cool. I'll play. I'll circle back. :) | 21:09 |
dystonic | Thanks Nick. Till next time - gotta go harass folks. | 21:09 |
dystonic | ttys. :) | 21:09 |
nowen | np | 21:09 |
*** dystonic has parted #wikid (None) | 21:09 | |
*** vladdy_ (~vladdy@194.242.5.47) has joined #wikid | 22:16 | |
*** vladdy has quit (Read error: Connection reset by peer) | 22:18 | |
*** nowen has quit (Quit: Leaving.) | 22:28 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!