
application integration requests

Nick Owen
2005-09-29
2012-09-24
1 2 > >> (Page 1 of 2)
  • Nick Owen

    Nick Owen - 2005-09-29

    Greetings. I just wanted to throw open the forum. We're very interested in what specific applications people would like to see WiKID-enabled. openvpn? egroupware? post-nuke?

    Please let us know.

    nick

     
    • chetanjain

      chetanjain - 2007-05-17

      It's still WiKID 2.0

       
    • chetanjain

      chetanjain - 2007-05-17

      openssl-0.9.8a-5.4....

       
      • Nick Owen

        Nick Owen - 2007-05-17

        And is the file libcrypto.so.4 on the box? I have one in /lib/

         
    • chetanjain

      chetanjain - 2007-05-18

      Nice to hear that... Let me get an FC4 machine for my testing too... will wait for a 3.x version... You will have to sign another cert from me :)...

      Chetan

       
      • Nick Owen

        Nick Owen - 2007-05-19

        Not a problem!

         
    • chetanjain

      chetanjain - 2007-05-03

      Hi... I want to use WiKID for authenticating my internal servers from the outside world using SSH...

            From Internet I will try to Login to my server, before that i auth with WiKID
                                            |
                                        WiKID System
                                           |  |
                                           |  |
               After authenticating to WiKID,it should allow to access my servers.
      
       
      • Nick Owen

        Nick Owen - 2007-05-03

        For the open source version, I recommend using tacacs or ldap. Here is a document on how to for tacacs + PAM + two-factor authentication: http://www.wikidsystems.com/documentation/howtos/tacacs_twofactorauthentication/

        hth,

        nick

         
    • chetanjain

      chetanjain - 2007-05-16

      Hi Nick,

      Can you explain how this will work on the client end...

      1. I have enabled Tacacs+ on Wikid
      2. Installed a Tacacs+ client on a Linux-based machine. (Do I need any user/pass on this?)
      3. Created a domain and validated a user. For example, the username validated on the WiKID system is test. I can log in from a Windows-based WiKID client and get my passcode.

      Can you explain how the authentication will work. What user/pass should I put in to log in, and where should I use the passcode from the server, which expires in 1 minute?

      I know these are basic questions... but it will help in understanding how it works...

      Chetan.

       
    • Nick Owen

      Nick Owen - 2007-05-16

      I suggest you configure SSH to use TACACS+, then try to remotely log in to your Linux box using the username of the validated user and a WiKID one-time passcode. If it doesn't work, check the logs on the WiKIDAdmin and in /var/log/secure.

      hth,

      nick

       
    • chetanjain

      chetanjain - 2007-05-16

      Please check the output of the Network Client /var/log/secure


      May 16 16:51:38 cjain-test sshd[9636]: Deprecated pam_stack module called from service "sshd"
      May 16 16:51:38 cjain-test sshd[9636]: pam_sm_setcred: called (pam_tacplus v1.2.9)
      May 16 16:51:38 cjain-test sshd[9636]: Deprecated pam_stack module called from service "sshd"
      May 16 16:51:59 cjain-test sshd[9704]: Deprecated pam_stack module called from service "sshd"
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: user [chittu] obtained
      May 16 16:51:59 cjain-test sshd[9704]: tacacs_get_password: called
      May 16 16:51:59 cjain-test sshd[9704]: tacacs_get_password: obtained password [697992]
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: pass [697992] obtained
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: tty [ssh] obtained
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: trying srv 0
      May 16 16:52:00 cjain-test sshd[9704]: tac_authen_pap_read: authentication failed, server reply was 2 (Login incorrect)
      May 16 16:52:00 cjain-test sshd[9704]: Deprecated pam_stack module called from service "sshd"
      May 16 16:52:00 cjain-test sshd[9704]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.115.100.100 user=chittu


      I am typing the user/OTP correctly.... I am not sure why it's not authenticating... Can you tell me which file on the WiKIDAdmin side I should check...

       
      • Nick Owen

        Nick Owen - 2007-05-16

        Look in the upper right hand corner of the WiKIDAdmin and you will see three links. The middle one says logs.

        Post your pam.d/sshd file too.

        nick

         
    • chetanjain

      chetanjain - 2007-05-16

      Also, do I need to add the validated user on WiKID to the network client system's PAM database (I mean, create the same user on the network client)?

      Chetan

       
    • chetanjain

      chetanjain - 2007-05-16

      cat sshd

      %PAM-1.0

      auth sufficient pam_stack.so service=tacacs
      auth required pam_stack.so service=system-auth
      auth required pam_nologin.so
      account sufficient pam_stack.so service=tacacs
      account required pam_stack.so service=system-auth
      password required pam_stack.so service=system-auth
      session sufficient pam_stack.so service=tacacs
      session required pam_stack.so service=system-auth
      session required pam_limits.so
      session optional pam_console.so

      cat tacacs

      %PAM-1.0

      auth sufficient /lib/security/pam_tacplus.so debug server=netmgr.monitor.com secret=test encrypt
      account sufficient /lib/security/pam_tacplus.so debug server=netmgr.monitor.com secret=test encrypt service=shell protocol=ssh
      session sufficient /lib/security/pam_tacplus.so debug server=netmgr.monitor.com secret=test encrypt service=shell protocol=ssh


      What should I actually look for in the WiKIDAdmin logs...

       
      • Nick Owen

        Nick Owen - 2007-05-16

        Does the user have an account on both the linux box and the WiKID Server?

        When a user requests a passcode, the log will say: "Passcode Request Successful (128)". Anything after that should be from your linux box, trying to validate the passcode. If there is nothing after that, then the problem is on the linux box - either it can't reach the WiKID server or the user is being rejected before the passcode is sent.

        nick

         
    • chetanjain

      chetanjain - 2007-05-16

      The user doesn't have an account on the Linux system... do I need the user account on the system...

      I have this in my logs....

      2007-05-16 09:07:35.553503-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 09:00:57.898244-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 08:59:23.584516-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 08:52:40.145518-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A

       
      • Nick Owen

        Nick Owen - 2007-05-16

        Either that or comment out this line:
        auth required pam_stack.so service=system-auth

        which requires a user to have an account on the server.

        nick

         
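To make the control-flag behaviour behind this advice concrete, here is a small simulator of how Linux-PAM evaluates the auth section of the posted pam.d/sshd. It is an added example, not WiKID or Linux-PAM code; the per-module results it is fed (what pam_tacplus, the system-auth substack and pam_nologin return) are constructed inputs, since on a real box they depend on the installed module versions and options.

```python
# Simulates Linux-PAM evaluation of the auth section of the posted pam.d/sshd.
# Added example, not WiKID or Linux-PAM code; the per-module outcomes are
# constructed inputs (real ones depend on installed module versions/options).

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# The auth lines from the thread, each pam_stack substack named by its service=.
SSHD_AUTH = [
    ("sufficient", "tacacs"),      # pam_stack.so service=tacacs -> pam_tacplus
    ("required", "system-auth"),   # pam_stack.so service=system-auth (local account)
    ("required", "pam_nologin"),
]

def run_auth_stack(stack, results):
    """Verdict for a list of (control, module) given module -> outcome.
    required: failure remembered, stack keeps running; requisite: failure ends
    the stack; sufficient: success ends the stack with SUCCESS unless a required
    module already failed, failure is skipped; IGNORE: module abstains.
    Nothing vouching for the user means FAIL. ('optional' is not modelled.)"""
    required_failed, verdict = False, None
    for control, module in stack:
        outcome = results.get(module, FAIL)     # unknown module: treat as failing
        if outcome == IGNORE:
            continue
        if control in ("required", "requisite"):
            if outcome == FAIL:
                if control == "requisite":
                    return FAIL
                required_failed = True
            elif verdict is None:
                verdict = SUCCESS
        elif control == "sufficient" and outcome == SUCCESS and not required_failed:
            return SUCCESS
    return FAIL if required_failed or verdict is None else verdict

def without(stack, module):
    """The same stack with one line commented out."""
    return [(c, m) for c, m in stack if m != module]

if __name__ == "__main__":
    no_local_user = {"system-auth": FAIL, "pam_nologin": SUCCESS}
    # A good OTP satisfies the sufficient line first: no local account needed.
    print(run_auth_stack(SSHD_AUTH, {"tacacs": SUCCESS, **no_local_user}))  # success
    # A failed TACACS+ check falls through to system-auth, which rejects a
    # user with no local account.
    print(run_auth_stack(SSHD_AUTH, {"tacacs": FAIL, **no_local_user}))     # fail
    # With system-auth commented out the last required module decides, so end
    # the stack with 'auth required pam_deny.so' to keep a failed OTP out.
    safe = without(SSHD_AUTH, "system-auth") + [("required", "pam_deny")]
    print(run_auth_stack(safe, {"tacacs": FAIL, "pam_nologin": SUCCESS, "pam_deny": FAIL}))  # fail
```

The third case is why commenting a line out of a stack deserves a second look: once system-auth is gone, a sufficient line that fails is simply skipped and whatever the remaining required module returns becomes the verdict.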
    • chetanjain

      chetanjain - 2007-05-16

      Actually it was a copy mistake... the 2nd line in pam.d/sshd

      auth required pam_stack.so service=system-auth

      It is already commented... and i don't have the user on the system...

      what could be the issue...

      Chetan

       
    • Nick Owen

      Nick Owen - 2007-05-16

      The passcode authentication request is not getting to the WiKID Server. Here are some thoughts:

      Run iptables -L on the WiKID server and make sure there is a port open for TACACS to your Linux box. If not, run stop/start to open the port. Try testing with iptables off to see if that is the problem.

      Check that the WiKID domain is configured for tacacs+.

      Check that you can access the WiKID server from the linux box at all using ssh.

      Try adding a user on the box anyway...

      just some thoughts.

       
    • chetanjain

      chetanjain - 2007-05-16

      Iptables accepting port 49 traffic


      ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:tacacs


      I have enabled TACACS+ on the domain and I can access WiKID server from the linux box. Also i have seen the logs on WiKID and it shows

      2007-05-16 09:07:35.553503-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 09:00:57.898244-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 08:59:23.584516-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 08:52:40.145518-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A

      That means that the network client is checking for the passcode request...

      Chetan

       
      • Nick Owen

        Nick Owen - 2007-05-16

        No, that means that the server responded to a passcode request successfully. If the user is authorized, you will see "Successful Online Passcode Validation (138)". If the user is rejected, you will see something like "Bad Passcode (137)".

         
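Nick's rule above (a 128 with nothing from the Linux box after it means the validation never reached the server) can be turned into a quick check over the WiKID log. This is an added example, not WiKID's own code; the log lines are constructed in the layout the thread shows for code 128, and the 137/138 lines are assumed to use the same layout.

```python
import re
from collections import defaultdict

# Event codes named in the thread.
REQUEST, VALID, BAD = 128, 138, 137

# Constructed WiKID log lines in the layout the thread shows for code 128.
# The 137/138 lines assume the same layout (an assumption, not from the page).
SAMPLE_LOG = """\
2007-05-16 08:52:40.145518-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
2007-05-16 08:59:23.584516-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
2007-05-16 09:00:57.898244-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
2007-05-16 09:01:10.000000-04 Bad Passcode (137) monitor.com 8383280560822443201 chittu internal N/A
2007-05-16 09:07:35.553503-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
2007-05-16 09:07:50.000000-04 Successful Online Passcode Validation (138) monitor.com 8383280560822443201 chittu internal N/A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<msg>.+?) \((?P<code>\d+)\) (?P<domain>\S+) (?P<device>\S+) (?P<user>\S+)")

def parse(text):
    """Return (timestamp, code, user) for each line that matches the layout."""
    return [(m["ts"], int(m["code"]), m["user"])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def correlate(events):
    """Pair each passcode request with the next validation event for that user;
    returns user -> one of 'validated' / 'bad passcode' / 'no validation seen' per request."""
    results, pending = defaultdict(list), {}     # pending: user -> open request index
    for ts, code, user in sorted(events):
        if code == REQUEST:
            if user in pending:                   # earlier request never answered
                results[user][pending[user]] = "no validation seen"
            results[user].append("pending")
            pending[user] = len(results[user]) - 1
        elif code in (VALID, BAD) and user in pending:
            results[user][pending.pop(user)] = "validated" if code == VALID else "bad passcode"
    for user, idx in pending.items():
        results[user][idx] = "no validation seen"
    return dict(results)

def diagnose(text):
    """Nick's rule: a request with nothing after it means the validation never
    reached the WiKID server, so look at the client/network, not the server."""
    return {user: {"unanswered": r.count("no validation seen"),
                   "bad": r.count("bad passcode"), "validated": r.count("validated")}
            for user, r in correlate(parse(text)).items()}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))   # {'chittu': {'unanswered': 2, 'bad': 1, 'validated': 1}}
```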
    • chetanjain

      chetanjain - 2007-05-16

      I have allowed all connections to both machines (WiKID and Network Client)... Is there any configuration on the TACACS+? I have enabled it using ./tac_plus -C /opt/WiKID/private/tacacs.conf...

      On WiKID Server :
      netstat -anp |grep tac
      tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN 31211/tac_plus

      I can see Network Client sending traffic to the WiKID Server to Destination TCP Port 49...

      Is there any other way I could test all this...

       
      • Nick Owen

        Nick Owen - 2007-05-16

        Very strange. I'm sorry for the problems you're having.

        Which version of the server are you using? 2.x or 3.x?

        You can test to see if wAuth is able to validate the user. On the WiKID server, edit /opt/tomcat/webapps/WiKIDAdmin/example.jsp or /opt/WiKID/tomcat/webapps/WiKIDAdmin/example.jsp on 3.0. Go to line 41 and change the default domain and passphrase for the local host cert. Then browse to WiKIDAdmin/example.jsp and test a username/password combo - in the second section of that page.

        Are there any errors in the Application Server Error Log? The link is at the top middle of the logs page.

         
    • chetanjain

      chetanjain - 2007-05-16

      wikid-oss-server-1.0_HEAD-36
      wikid-oss-config-1.0_HEAD-20
      wikid-pwreset-1.0_HEAD-6
      wikid-tac_plus-2.0_HEAD-3
      wikid-oss-webapps-1.0_HEAD-37
      wikid-scripts-1.0_HEAD-77

      The Application Server Error Log is full of errors.... Some Java exceptions and everything... Let me try out the new version 3.0-beta.

      Chetan Jain

       
      • Nick Owen

        Nick Owen - 2007-05-16

        So, I'm guessing that you could not get the example.jsp page working? How did you generate your certificates? Did you do it yourself or did you get one from us?

         