application integration requests

Nick Owen
2005-09-29
2012-09-24
1 2 > >> (Page 1 of 2)
  • Nick Owen

    Nick Owen - 2005-09-29

    Greetings. I just wanted to throw open the forum. We're very interested in what specific applications people would like to see WiKID-enabled. openvpn? egroupware? post-nuke?

    Please let us know.

    nick

     
    • chetanjain

      chetanjain - 2007-05-17

      its still WiKID 2.0

       
    • chetanjain

      chetanjain - 2007-05-17

      openssl-0.9.8a-5.4....

       
      • Nick Owen

        Nick Owen - 2007-05-17

        and is the file libcrypto.so.4 on the box? I have on in /lib/

         
    • chetanjain

      chetanjain - 2007-05-18

      Nice to hear that... Let me get a FC4 Machine for my testing too... will wait for a 3.x version... U will have to sign another cert from me :)...

      Chetan

       
      • Nick Owen

        Nick Owen - 2007-05-19

        Not a problem!

         
    • chetanjain

      chetanjain - 2007-05-03

      Hi... I want to use WiKID for Authenticating my internal servers from Outside world using SSH...

            From Internet I will try to Login to my server, before that i auth with WiKID
                                            |
                                        WiKID System
                                           |  |
                                           |  |
               After authenticating to WiKID,it should allow to access my servers.
      
       
    • chetanjain

      chetanjain - 2007-05-16

      Hi Nick,

      Can you explain how will this work on the client end...

      1. I have enabled Tacacs+ on Wikid
      2. Installed Tacacs+ client on a linux based machine. ( Do i need any user/pass on this )
      3. Created a Domain and Validated a User. For Example the username validated on Wikid system is test. I can login from a windows based wikid client, get my passcode.

      Can you explain how will the authentication work. What user/pass should i put in to login and where should i use the passcode from the server which expires in 1minute.

      I know these are basic questions... but it will help in understanding how it works...

      Chetan.

       
    • Nick Owen

      Nick Owen - 2007-05-16

      I suggest you confure SSH to use TACACS+ , then try to remotely log in to your linux box using the username of the validated user and a WiKID one-time passcode. If it doesn't work, check the logs on the WiKIDAdmin and in /var/log/secure.

      hth,

      nick

       
    • chetanjain

      chetanjain - 2007-05-16

      Please check the output of the Network Client /var/log/secure


      May 16 16:51:38 cjain-test sshd[9636]: Deprecated pam_stack module called from service "sshd"
      May 16 16:51:38 cjain-test sshd[9636]: pam_sm_setcred: called (pam_tacplus v1.2.9)
      May 16 16:51:38 cjain-test sshd[9636]: Deprecated pam_stack module called from service "sshd"
      May 16 16:51:59 cjain-test sshd[9704]: Deprecated pam_stack module called from service "sshd"
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: called (pam_tacplus v1.2.9)
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: user [chittu] obtained
      May 16 16:51:59 cjain-test sshd[9704]: tacacs_get_password: called
      May 16 16:51:59 cjain-test sshd[9704]: tacacs_get_password: obtained password [697992]
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: pass [697992] obtained
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: tty [ssh] obtained
      May 16 16:51:59 cjain-test sshd[9704]: pam_sm_authenticate: trying srv 0
      May 16 16:52:00 cjain-test sshd[9704]: tac_authen_pap_read: authentication failed, server reply was 2 (Login incorrect)
      May 16 16:52:00 cjain-test sshd[9704]: Deprecated pam_stack module called from service "sshd"
      May 16 16:52:00 cjain-test sshd[9704]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.11
      5.100.100 user=chittu


      I am typing the user/OTP correctly.... I am not sure why its not authentication... Can you tell me which file on WikidAdmin side should i check...

       
      • Nick Owen

        Nick Owen - 2007-05-16

        Look in the upper right hand corner of the WiKIDAdmin and you will see three links. The middle one says logs.

        Post your pam.d/sshd file too.

        nick

         
    • chetanjain

      chetanjain - 2007-05-16

      Also, do i need to add the Validated user on Wikid to the network client system's pam database ( i mean create a same user on the network client ).

      Chetan

       
    • chetanjain

      chetanjain - 2007-05-16

      cat sshd

      %PAM-1.0

      auth sufficient pam_stack.so service=tacacs
      auth required pam_stack.so service=system-auth
      auth required pam_nologin.so
      account sufficient pam_stack.so service=tacacs
      account required pam_stack.so service=system-auth
      password required pam_stack.so service=system-auth
      session sufficient pam_stack.so service=tacacs
      session required pam_stack.so service=system-auth
      session required pam_limits.so
      session optional pam_console.so

      cat tacacs

      %PAM-1.0

      auth sufficient /lib/security/pam_tacplus.so debug server=netmgr.monitor.com \ secret=test encrypt
      account sufficient /lib/security/pam_tacplus.so debug server=netmgr.monitor.com \ secret=test encrypt service=shell protocol=ssh
      session sufficient /lib/security/pam_tacplus.so debug server=netmgr.monitor.com \ secret=test encrypt service=shell protocol=ssh


      what should i actually look into the WikidAdmin Logs...

       
      • Nick Owen

        Nick Owen - 2007-05-16

        Does the user have an account on both the linux box and the WiKID Server?

        When a user requests a passcode, the log will say: "Passcode Request Successful (128)". Anything after that should be from your linux box, trying to validate the passcode. If there is nothing after that, then the problem is on the linux box - either it can't reach the WiKID server or the user is being rejected before the passcode is sent.

        nick

         
    • chetanjain

      chetanjain - 2007-05-16

      the user doesn't have a account on the Linux system... do i need the user account on the system...

      I have this in my logs....

      2007-05-16 09:07:35.553503-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 09:00:57.898244-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 08:59:23.584516-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 08:52:40.145518-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A

       
      • Nick Owen

        Nick Owen - 2007-05-16

        Either that or comment out this line:
        auth required pam_stack.so service=system-auth

        which requires a user to have an account on the server.

        nick

         
    • chetanjain

      chetanjain - 2007-05-16

      Actually it was a copy mistake... the 2nd line in pam.d/sshd

      auth required pam_stack.so service=system-auth

      It is already commented... and i don't have the user on the system...

      what could be the issue...

      Chetan

       
    • Nick Owen

      Nick Owen - 2007-05-16

      The passcode authentication request is not getting to the WiKID Server. Here are some thoughts:

      run iptables -L on the WiKID server and make sure there is a port open for tacacs to your linux box. If not, run stop/start to open the port. try testing with iptables off to see if that is the problem

      Check that the WiKID domain is configured for tacacs+.

      Check that you can access the WiKID server from the linux box at all using ssh.

      Try adding a user on the box anyway...

      just some thoughts.

       
    • chetanjain

      chetanjain - 2007-05-16

      Iptables accepting port 49 traffic


      ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:tacacs


      I have enabled TACACS+ on the domain and I can access WiKID server from the linux box. Also i have seen the logs on WiKID and it shows

      2007-05-16 09:07:35.553503-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 09:00:57.898244-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 08:59:23.584516-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A
      2007-05-16 08:52:40.145518-04 Passcode Request Successful (128) monitor.com 8383280560822443201 chittu internal N/A

      That means that the network client is checking for the passcode request...

      Chetan

       
      • Nick Owen

        Nick Owen - 2007-05-16

        No, that means that the server responded to a passcode request successfully. If the user is authorized, you will see "Successful Online Passcode Validation (138)". If the user is rejected, you will see something like "Bad Passcode (137)".

         
    • chetanjain

      chetanjain - 2007-05-16

      I have allowed all connections to both the machines ( WiKID and Network Client )... Is there any configuration on the TACACS+, I have enabled it using ./tac_plus -C /opt/WiKID/private/tacacs.conf...

      On WiKID Server :
      netstat -anp |grep tac
      tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN 31211/tac_plus

      I can see Network Client sending traffic to the WiKID Server to Destination TCP Port 49...

      Is there any other way i could test all this...

       
      • Nick Owen

        Nick Owen - 2007-05-16

        Very strange. I'm sorry for the problems you're having.

        Which version of the server are you using? 2.x or 3.x?

        You can test to see if wAuth is able to validate the user. On the wikid server, edit /opt/tomcat/webapps/WiKIDAdmin/example.jsp or /opt/WiKID/tomcat/webapps/WiKIDAdmin/example.jsp on 3.0. Go to line 41 and change the default domain and passphrase for the local host cert. then browse to WiKIDAdmin/example.jsp and test a username/password combo - in the second section of that page.

        Are there any errors in the Application Server Error Log? The link is at the top middle of the logs page.

         
    • chetanjain

      chetanjain - 2007-05-16

      wikid-oss-server-1.0_HEAD-36
      wikid-oss-config-1.0_HEAD-20
      wikid-pwreset-1.0_HEAD-6
      wikid-tac_plus-2.0_HEAD-3
      wikid-oss-webapps-1.0_HEAD-37
      wikid-scripts-1.0_HEAD-77

      Application Server Error Log is full of Some Errors.... Some Java exceptions and everything... Let me try out the new version 3.0-beta.

      Chetan Jain

       
      • Nick Owen

        Nick Owen - 2007-05-16

        So, I'm guessing that you could not get the example.jsp page working? How did you generate your certificates? Did you do it yourself or did you get one from us?

         
1 2 > >> (Page 1 of 2)

Log in to post a comment.