application integration requests

Nick Owen
2005-09-29
2012-09-24
1 2 > >> (Page 1 of 2)
  • Nick Owen
    2005-09-29

    Greetings. I just wanted to throw open the forum. We're very interested in what specific applications people would like to see WiKID-enabled. openvpn? egroupware? post-nuke?

    Please let us know.

    nick

     
    • chetanjain
      2007-05-17

      It's still WiKID 2.0

       
    • chetanjain
      2007-05-17

      openssl-0.9.8a-5.4....

       
      • Nick Owen
        2007-05-17

        And is the file libcrypto.so.4 on the box? I have one in /lib/

         
    • chetanjain
      2007-05-18

      Nice to hear that... Let me get an FC4 machine for my testing too... I will wait for a 3.x version... You will have to sign another cert from me :)...

      Chetan

       
      • Nick Owen
        2007-05-19

        Not a problem!

         
    • chetanjain
      2007-05-03

      Hi... I want to use WiKID for authenticating to my internal servers from the outside world using SSH...

            From the Internet I will try to log in to my server; before that I auth with WiKID
                                            |
                                        WiKID System
                                           |  |
                                           |  |
               After authenticating to WiKID, it should allow access to my servers.
      
       
    • chetanjain
      2007-05-16

      Hi Nick,

      Can you explain how this will work on the client end...

      1. I have enabled TACACS+ on WiKID.
      2. Installed the TACACS+ client on a Linux-based machine. (Do I need any user/pass on this?)
      3. Created a domain and validated a user. For example, the username validated on the WiKID system is test. I can log in from a Windows-based WiKID client and get my passcode.

      Can you explain how the authentication will work? What user/pass should I put in to log in, and where should I use the passcode from the server, which expires in 1 minute?

      I know these are basic questions... but it will help in understanding how it works...

      Chetan.

       
    • Nick Owen
      2007-05-16

      I suggest you configure SSH to use TACACS+, then try to remotely log in to your Linux box using the username of the validated user and a WiKID one-time passcode. If it doesn't work, check the logs on the WiKIDAdmin and in /var/log/secure.

      hth,

      nick

       
    • chetanjain
      2007-05-16

      Please check the output of the network client's /var/log/secure:


      May 16 16:51:38 cjain-test sshd[9636]: Deprecated pam_stack module called from service "sshd"
      May 16 16:51:38 cjain-test sshd[9636]: pam_sm_setcred: called (pam_tacplus v1.2.9)
      May 16 16:51:38 cjain-test sshd[9636]: Deprecated pam_stack module called from service "sshd"
      May 16 16:51:59 cjain-test sshd[9704]: Deprecated pam_stack module called from service "sshd"
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: user [chittu] obtained
      May 16 16:51:59 cjain-test sshd[9704]: tacacs_get_password: called
      May 16 16:51:59 cjain-test sshd[9704]: tacacs_get_password: obtained password [697992]
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: pass [697992] obtained
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: tty [ssh] obtained
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: trying srv 0
      May 16 16:52:00 cjain-test sshd[9704]: tac_authen_pap_read: authentication failed, server reply was 2 (Login incorrect)
      May 16 16:52:00 cjain-test sshd[9704]: Deprecated pam_stack module called from service "sshd"
      May 16 16:52:00 cjain-test sshd[9704]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.115.100.100 user=chittu


      I am typing the user/OTP correctly... I am not sure why it's not authenticating... Can you tell me which file on the WiKIDAdmin side I should check...

       
      • Nick Owen
        2007-05-16

        Look in the upper right hand corner of the WiKIDAdmin and you will see three links. The middle one says logs.

        Post your pam.d/sshd file too.

        nick

         
    • chetanjain
      2007-05-16

      Also, do I need to add the validated user on WiKID to the network client system's PAM database (I mean, create the same user on the network client)?

      Chetan

       
    • chetanjain
      2007-05-16

      cat sshd

      #%PAM-1.0

      auth sufficient pam_stack.so service=tacacs
      auth required pam_stack.so service=system-auth
      auth required pam_nologin.so
      account sufficient pam_stack.so service=tacacs
      account required pam_stack.so service=system-auth
      password required pam_stack.so service=system-auth
      session sufficient pam_stack.so service=tacacs
      session required pam_stack.so service=system-auth
      session required pam_limits.so
      session optional pam_console.so

      cat tacacs

      #%PAM-1.0

      auth sufficient /lib/security/pam_tacplus.so debug server=netmgr.monitor.com \ secret=test encrypt
      account sufficient /lib/security/pam_tacplus.so debug server=netmgr.monitor.com \ secret=test encrypt service=shell protocol=ssh
      session sufficient /lib/security/pam_tacplus.so debug server=netmgr.monitor.com \ secret=test encrypt service=shell protocol=ssh


      What should I actually look for in the WiKIDAdmin logs...

       
      • Nick Owen
        2007-05-16

        Does the user have an account on both the linux box and the WiKID Server?

        When a user requests a passcode, the log will say: "Passcode Request Successful (128)". Anything after that should be from your linux box, trying to validate the passcode. If there is nothing after that, then the problem is on the linux box - either it can't reach the WiKID server or the user is being rejected before the passcode is sent.

        nick

         
    • chetanjain
      2007-05-16

      The user doesn't have an account on the Linux system... Do I need the user account on the system...

      I have this in my logs...

      2007-05-16 09:07:35.553503-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 09:00:57.898244-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 08:59:23.584516-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 08:52:40.145518-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A

       
      • Nick Owen
        2007-05-16

        Either that or comment out this line:
        auth required pam_stack.so service=system-auth

        which requires a user to have an account on the server.

        nick
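
The pam.d/sshd file posted earlier in this thread and Nick's remark about the `auth required pam_stack.so service=system-auth` line both come down to how Linux-PAM combines `sufficient` and `required` lines. The following is an added example, not code from the thread or from WiKID: a toy evaluator for the documented Linux-PAM control-flag semantics, run over the auth lines of the posted file. The module outcomes are stubs chosen per scenario (an assumption standing in for pam_tacplus, pam_unix and pam_nologin); the stack order and control flags are the ones chetanjain posted.

```python
# Added example (not from the thread or from WiKID): a toy evaluator for the
# Linux-PAM auth-stack control flags, run over the auth lines of the pam.d/sshd
# file posted in this thread. Module results are stubs chosen per scenario,
# not real PAM modules; the stack order and flags are the ones in the posted file.

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"


def run_auth_stack(stack, modules):
    """Evaluate an auth stack.

    stack   : list of (control, module_name) in file order
    modules : {module_name: zero-arg callable returning SUCCESS, FAIL or IGNORE}

    Follows the documented Linux-PAM meaning of the four simple control flags:
      requisite  - failure ends the stack immediately with failure
      required   - failure is remembered, later lines still run
      sufficient - success ends the stack now (with success unless a required
                   line already failed); failure is ignored
      optional   - result ignored here (it only counts when it is the sole module)
    """
    impression = None  # None until some line has recorded a definite result
    for control, name in stack:
        outcome = modules[name]()
        if outcome == IGNORE:
            continue  # e.g. pam_nologin when /etc/nologin does not exist
        if control == "requisite":
            if outcome == FAIL:
                return FAIL
            impression = impression or SUCCESS
        elif control == "required":
            if outcome == FAIL:
                impression = FAIL
            elif impression is None:
                impression = SUCCESS
        elif control == "sufficient":
            if outcome == SUCCESS:
                return FAIL if impression == FAIL else SUCCESS
            # a failing sufficient line is simply ignored
        elif control == "optional":
            pass
        else:
            raise ValueError(f"unknown control flag: {control}")
    # Nothing definite recorded (only ignored or failed-sufficient lines): denied.
    return impression if impression is not None else FAIL


# Auth lines of the posted pam.d/sshd, with pam_stack resolved to the module
# that decides: service=tacacs -> pam_tacplus, service=system-auth -> pam_unix.
SSHD_AUTH_STACK = [
    ("sufficient", "pam_tacplus"),
    ("required", "pam_unix"),
    ("required", "pam_nologin"),
]


def simulate(tacacs_accepts, has_local_account, keep_system_auth_line=True):
    """Run the posted stack for one login attempt.

    tacacs_accepts        - would the TACACS+/WiKID server accept the one-time passcode?
    has_local_account     - does pam_unix (system-auth) know this user and password?
    keep_system_auth_line - False models commenting out 'auth required ... service=system-auth'
    """
    stack = [line for line in SSHD_AUTH_STACK
             if keep_system_auth_line or line[1] != "pam_unix"]
    modules = {
        "pam_tacplus": lambda: SUCCESS if tacacs_accepts else FAIL,
        "pam_unix": lambda: SUCCESS if has_local_account else FAIL,
        # pam_nologin returns PAM_IGNORE when /etc/nologin does not exist
        "pam_nologin": lambda: IGNORE,
    }
    return run_auth_stack(stack, modules)


if __name__ == "__main__":
    for args in [(True, False), (False, True), (False, False),
                 (False, False, False), (True, False, False)]:
        print(args, "->", simulate(*args))
```

Two things the runs make visible. First, because the TACACS+ line is `sufficient` and comes first, a passcode the WiKID server accepts passes `auth` before system-auth is ever consulted, so the `required system-auth` line only matters when TACACS+ rejects; in that case it lets a plain local password through, which means this stack does not actually enforce the one-time passcode. Removing that line, as suggested above, closes the fallback: a TACACS+ rejection then denies, whether or not a local account exists. Second, PAM is not the only gate: OpenSSH looks the login name up in the local account database (NSS) before authentication and refuses an unknown user whatever PAM returns, so the user still needs a local account, even one without a usable password, or an NSS source that knows the name. The account and session stanzas in the posted file use the same sufficient/required pattern and deserve the same reading.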

         
    • chetanjain
      2007-05-16

      Actually, it was a copy mistake... the 2nd line in pam.d/sshd

      auth required pam_stack.so service=system-auth

      It is already commented out... and I don't have the user on the system...

      What could be the issue...

      Chetan

       
    • Nick Owen
      2007-05-16

      The passcode authentication request is not getting to the WiKID Server. Here are some thoughts:

      Run iptables -L on the WiKID server and make sure there is a port open for TACACS+ to your Linux box. If not, run stop/start to open the port. Try testing with iptables off to see if that is the problem.

      Check that the WiKID domain is configured for TACACS+.

      Check that you can access the WiKID server from the Linux box at all using ssh.

      Try adding a user on the box anyway...

      Just some thoughts.

       
    • chetanjain
      2007-05-16

      iptables is accepting port 49 traffic:


      ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:tacacs


      I have enabled TACACS+ on the domain and I can access the WiKID server from the Linux box. Also, I have seen the logs on WiKID and they show

      2007-05-16 09:07:35.553503-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 09:00:57.898244-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 08:59:23.584516-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 08:52:40.145518-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A

      That means that the network client is checking for the passcode request...

      Chetan

       
      • Nick Owen
        2007-05-16

        No, that means that the server responded to a passcode request successfully. If the user is authorized, you will see "Successful Online Passcode Validation (138)". If the user is rejected, you will see something like "Bad Passcode (137)".
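
Nick's two notes on reading the WiKIDAdmin log (a 128 only shows that a passcode was issued; a 138 or 137 shows that the Linux box actually submitted it for validation) together with the pam_tacplus lines quoted from /var/log/secure amount to a decision procedure. The following is an added example, not from the thread or from WiKID: a small triage script that parses both log formats as quoted above and reports where the login stalled. The sample lines are constructed to match the formats in the thread; the status labels are mine, and the "check next" hints are the checks Nick lists in his posts.

```python
# Added example (not from the thread or from WiKID): correlate WiKIDAdmin log
# events with pam_tacplus debug lines from the SSH host to locate the failure.
# Event codes 128, 137 and 138 and both line formats are as quoted in the thread;
# the sample lines below are constructed.
import re
from collections import defaultdict

# Constructed sample of the WiKIDAdmin log lines quoted in this thread.
WIKID_LOG = """\
2007-05-16 09:07:35.553503-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
2007-05-16 09:00:57.898244-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
"""

# Constructed sample of the pam_tacplus debug lines quoted from /var/log/secure.
SECURE_LOG = """\
May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: user [chittu] obtained
May 16 16:51:59 cjain-test sshd[9704]: tacacs_get_password: obtained password [697992]
May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: trying srv 0
May 16 16:52:00 cjain-test sshd[9704]: tac_authen_pap_read: authentication failed, server reply was 2 (Login incorrect)
"""

WIKID_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \S+)\s+(?P<msg>.+?)\s+\((?P<code>\d+)\)\s+"
    r"(?P<domain>\S+)\s+(?P<serial>\S+)\s+(?P<user>\S+)"
)
TAC_USER = re.compile(r"pam_sm_authenticate: user \[(?P<user>[^\]]+)\] obtained")
TAC_REPLY = re.compile(r"tac_authen_pap_read: authentication failed, server reply was (?P<reply>\d+)")
TAC_PASSCODE = re.compile(r"tacacs_get_password: obtained password \[(?P<pw>[^\]]+)\]")


def parse_wikid(text):
    """{user: [event codes in file order]} from WiKIDAdmin log lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = WIKID_LINE.match(line)
        if m:
            events[m["user"]].append(int(m["code"]))
    return dict(events)


def parse_secure(text):
    """Summarise pam_tacplus debug output: users tried, TACACS+ failure replies,
    and one-time passcodes that the 'debug' option copied into the log."""
    summary = {"users": set(), "replies": [], "passcodes_in_log": []}
    for line in text.splitlines():
        if m := TAC_USER.search(line):
            summary["users"].add(m["user"])
        if m := TAC_REPLY.search(line):
            summary["replies"].append(int(m["reply"]))
        if m := TAC_PASSCODE.search(line):
            summary["passcodes_in_log"].append(m["pw"])
    return summary


def triage(user, wikid_events, secure):
    """Return (status, what to check next) for one user, following the thread's logic."""
    codes = wikid_events.get(user, [])
    if 138 in codes:
        return ("validated",
                "WiKID accepted a passcode; if SSH still failed, look at the account/session lines in pam.d.")
    if 137 in codes:
        return ("bad-passcode",
                "WiKID received the validation but rejected it: wrong, reused or expired passcode.")
    if 128 not in codes:
        return ("no-wikid-activity",
                "No events for this user: check the domain name and that the token is registered.")
    if user in secure["users"] and secure["replies"]:
        return ("validation-never-reached-wikid",
                "tac_plus answered the PAM client but WiKID logged no validation: "
                "check the tac_plus configuration and the domain's TACACS+ setting.")
    return ("no-tacacs-reply",
            "Passcode issued but pam_tacplus got no answer: check iptables on port 49 "
            "and that tac_plus is listening.")


if __name__ == "__main__":
    wikid = parse_wikid(WIKID_LOG)
    secure = parse_secure(SECURE_LOG)
    for user in wikid:
        status, hint = triage(user, wikid, secure)
        print(f"{user}: {status}\n  -> {hint}")
    if secure["passcodes_in_log"]:
        print("note: pam_tacplus 'debug' wrote these passcodes to /var/log/secure:",
              secure["passcodes_in_log"])
```

Run against the constructed sample, the script lands on "validation-never-reached-wikid" for chittu, which is the situation described in this thread: the PAM client got a TACACS+ reply, yet the WiKID log holds only 128 events. The `passcodes_in_log` list is worth keeping in a triage script: the `debug` option on the pam_tacplus lines posted above writes the one-time passcode into /var/log/secure, so that option should be dropped once the integration works and the log treated as sensitive until then.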

         
    • chetanjain
      2007-05-16

      I have allowed all connections to both machines (WiKID and network client)... Is there any configuration on the TACACS+? I have enabled it using ./tac_plus -C /opt/WiKID/private/tacacs.conf...

      On the WiKID server:
      netstat -anp |grep tac
      tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN 31211/tac_plus

      I can see the network client sending traffic to the WiKID server on destination TCP port 49...

      Is there any other way I could test all this...

       
      • Nick Owen
        2007-05-16

        Very strange. I'm sorry for the problems you're having.

        Which version of the server are you using? 2.x or 3.x?

        You can test to see if wAuth is able to validate the user. On the WiKID server, edit /opt/tomcat/webapps/WiKIDAdmin/example.jsp or /opt/WiKID/tomcat/webapps/WiKIDAdmin/example.jsp on 3.0. Go to line 41 and change the default domain and passphrase for the local host cert. Then browse to WiKIDAdmin/example.jsp and test a username/password combo in the second section of that page.

        Are there any errors in the Application Server Error Log? The link is at the top middle of the logs page.

         
    • chetanjain
      2007-05-16

      wikid-oss-server-1.0_HEAD-36
      wikid-oss-config-1.0_HEAD-20
      wikid-pwreset-1.0_HEAD-6
      wikid-tac_plus-2.0_HEAD-3
      wikid-oss-webapps-1.0_HEAD-37
      wikid-scripts-1.0_HEAD-77

      The Application Server Error Log is full of errors... some Java exceptions and everything... Let me try out the new version 3.0-beta.

      Chetan Jain

       
      • Nick Owen
        2007-05-16

        So, I'm guessing that you could not get the example.jsp page working? How did you generate your certificates? Did you do it yourself or did you get one from us?

         