Search Results

Search found 3544 results on 142 pages for 'auth token'.

  • What to do with twitter oauth token once retrieved?

    - by mcintyre321
    I'm writing a web app that will use twitter as its primary log on method. I've written code which gets the oauth token back from Twitter. My plan is now to

      * Find the entry in my Users table for the twitter username retrieved using the token, or create the entry if necessary
      * Update the Users.TwitterOAuthToken column with the new OAuth token
      * Create a permanent cookie with a random guid on the site and insert a record into my UserCookies table matching Cookie to User
      * when a request comes in I will look for the browser cookie id in the UserCookies table, then use that to figure out the user, and make twitter requests on their behalf
      * Write the oauth token into some pages as a js variable so that javascript can make requests on behalf of the user
      * If the user clears his/her cookies the user will have to log in again to twitter

    Is this the correct process? Have I created any massive security holes? thanks!

  • For securing forms, when do I issue the token?

    - by AQuestionADayKeepsTheDrAway
    So, I have a form, to make it a little more secure and potentially help prevent CSRF attacks I want to add a random token value in a hidden field that value is also stored server side in my session data. When should I issue a new token? Per form? Per page load where there is any form? Per session? I can render it invalid as soon as a form is successfully submitted but I'm wondering when to generate one. I ask as if I issue it per form or per page do I not risk the chance of a duplicate token value overwriting the existing (valid) token if a user opens a separate window but submitting the first form (with the now overwritten value)?

  • Solution - Login failed for user x. Reason Token based server access validation failed and error - 18456

    - by simonsabin
    Had a very bizarre situation yesterday where a local machine account couldn’t access SQL Server and was getting Login failed for user <user>. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: <client ip>] along with Error: 18456, Severity: 14, State: 11. The user was in the logins even after a refresh, it was in the users for the database. I decided to delete and remove the login and hey presto it worked. I thought you...(read more)

  • WIF, ADFS 2 and WCF – Part 5: Service Client (more Flexibility with WSTrustChannelFactory)

    - by Your DisplayName here!
    See the previous posts first. WIF includes an API to manually request tokens from a token service. This gives you more control over the request and more flexibility since you can use your own token caching scheme instead of being bound to the channel object lifetime. The API is straightforward. You first request a token from the STS and then use that token to create a channel to the relying party service. I’d recommend using the WS-Trust bindings that ship with WIF to talk to ADFS 2 – they are pre-configured to match the binding configuration of the ADFS 2 endpoints. The following code requests a token for a WCF service from ADFS 2:

        private static SecurityToken GetToken()
        {
            // Windows authentication over transport security
            var factory = new WSTrustChannelFactory(
                new WindowsWSTrustBinding(SecurityMode.Transport),
                stsEndpoint);
            factory.TrustVersion = TrustVersion.WSTrust13;

            var rst = new RequestSecurityToken
            {
                RequestType = RequestTypes.Issue,
                AppliesTo = new EndpointAddress(svcEndpoint),
                KeyType = KeyTypes.Symmetric
            };

            var channel = factory.CreateChannel();
            return channel.Issue(rst);
        }

    Afterwards, the returned token can be used to create a channel to the service. Again WIF has some helper methods here that make this very easy:

        private static void CallService(SecurityToken token)
        {
            // create binding and turn off sessions
            var binding = new WS2007FederationHttpBinding(
                WSFederationHttpSecurityMode.TransportWithMessageCredential);
            binding.Security.Message.EstablishSecurityContext = false;

            // create factory and enable WIF plumbing
            var factory = new ChannelFactory<IService>(binding, new EndpointAddress(svcEndpoint));
            factory.ConfigureChannelFactory<IService>();

            // turn off CardSpace - we already have the token
            factory.Credentials.SupportInteractive = false;

            var channel = factory.CreateChannelWithIssuedToken<IService>(token);

            channel.GetClaims().ForEach(c =>
                Console.WriteLine("{0}\n {1}\n  {2} ({3})\n",
                    c.ClaimType,
                    c.Value,
                    c.Issuer,
                    c.OriginalIssuer));
        }

    Why is this approach more flexible? Well – some don’t like the configuration voodoo. That’s a valid reason for using the manual approach. You also get more control over the token request itself since you have full control over the RST message that gets sent to the STS. One common parameter that you may want to set yourself is the appliesTo value. When you use the automatic token support in the WCF federation binding, the appliesTo is always the physical service address. This means in turn that this address will be used as the audience URI value in the SAML token. Well – this in turn means that when you have an application that consists of multiple services, you always have to configure all physical endpoint URLs in ADFS 2 and in the WIF configuration of the service(s). Having control over the appliesTo allows you to use more symbolic realm names, e.g. the base address or a completely logical name. Since the URL is never de-referenced you have some degree of freedom here.

    In the next post we will look at the necessary code to request multiple tokens in a call chain. This is a common scenario when you first have to acquire a token from an identity provider and have to send that on to a federation gateway or Resource STS. Stay tuned.

  • Which token from a long User-Agent should I use in robots.txt?

    - by Gaia
    The definition of User-Agent states that several tokens can be included, as deemed necessary by the client. I want to block certain bots via robots.txt and I am confused as to which part of the User-Agent string to use, especially for more obscure bots. For example:

        Mozilla/5.0 (compatible; uMBot-LN/1.0; mailto: [email protected])"
        JS-Kit URL Resolver, http://js-kit.com/
        Mozilla/5.0 (compatible; SEOkicks-Robot +http://www.seokicks.de/robot.html

    Do I use the second token? Can tokens contain spaces, or did the SEOkicks folks forget a semicolon after SEOkicks-Robot? I don't actually intend on making my question specific to a couple bots - I want to know the guideline: which part of UA do I place in robots.txt for these exotic bots with UA as long as a haiku?

        User-agent: uMBot-LN/1.0
        Disallow: /

    PS: Thank you but I do not need to hear that undesirable bots are better blocked with mod_security. I already have commercial mod_sec rules in place.

  • WIF-less claim extraction from ACS: SWT

    - by Elton Stoneman
    WIF with SAML is solid and flexible, but unless you need the power, it can be overkill for simple claim assertion, and in the REST world WIF doesn’t have support for the latest token formats. Simple Web Token (SWT) may not be around forever, but while it's here it's a nice easy format which you can manipulate in .NET without having to go down the WIF route.

    Assuming you have set up a Relying Party in ACS, specifying SWT as the token format: When ACS redirects to your login page, it will POST the SWT in the first form variable. It comes through in the BinarySecurityToken element of a RequestSecurityTokenResponse XML payload, the SWT type is specified with a TokenType of http://schemas.xmlsoap.org/ws/2009/11/swt-token-profile-1.0 :

        <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
          <t:Lifetime>
            <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-08-31T07:31:18.655Z</wsu:Created>
            <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-08-31T09:11:18.655Z</wsu:Expires>
          </t:Lifetime>
          <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
              <Address>http://localhost/x.y.z</Address>
            </EndpointReference>
          </wsp:AppliesTo>
          <t:RequestedSecurityToken>
            <wsse:BinarySecurityToken wsu:Id="uuid:fc8d3332-d501-4bb0-84ba-d31aa95a1a6c" ValueType="http://schemas.xmlsoap.org/ws/2009/11/swt-token-profile-1.0" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
              [ base64string ]
            </wsse:BinarySecurityToken>
          </t:RequestedSecurityToken>
          <t:TokenType>http://schemas.xmlsoap.org/ws/2009/11/swt-token-profile-1.0</t:TokenType>
          <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
          <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
        </t:RequestSecurityTokenResponse>

    Reading the SWT is as simple as base-64 decoding, then URL-decoding the element value:

        var wrappedToken = XDocument.Parse(HttpContext.Current.Request.Form[1]);
        var binaryToken = wrappedToken.Root.Descendants("{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken").First();
        var tokenBytes = Convert.FromBase64String(binaryToken.Value);
        var token = Encoding.UTF8.GetString(tokenBytes);
        var tokenType = wrappedToken.Root.Descendants("{http://schemas.xmlsoap.org/ws/2005/02/trust}TokenType").First().Value;

    The decoded token contains the claims as key/value pairs, along with the issuer, audience (ACS realm), expiry date and an HMAC hash, which are in query string format. Separate them on the ampersand, and you can write out the claim values in your logged-in page:

        var decoded = HttpUtility.UrlDecode(token);
        foreach (var part in decoded.Split('&'))
        {
            // HTML-encode each part: the token has not been validated at this point
            Response.Write("<pre>" + HttpUtility.HtmlEncode(part) + "</pre><br/>");
        }

    - which will produce something like this:

        http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant=2012-08-31T06:57:01.855Z
        http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod=http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
        http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname=XYZ
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/[email protected]
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/[email protected]
        http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider=http://fs.svc.xyz.com/adfs/services/trust
        Audience=http://localhost/x.y.z
        ExpiresOn=1346402225
        Issuer=https://x-y-z.accesscontrol.windows.net/
        HMACSHA256=oDCeEDDAWEC8x+yBnTaCLnzp4L6jI0Z/xNK95PdZTts=

    The HMAC hash lets you validate the token to ensure it hasn’t been tampered with. You'll need the token signing key from ACS, then you can re-sign the token and compare hashes. There's a full implementation of an SWT parser and validator here: How To Request SWT Token From ACS And How To Validate It At The REST WCF Service Hosted In Windows Azure, and a cut-down claim inspector on my github code gallery: ACS Claim Inspector.

    Interestingly, ACS lets you have a value for your logged-in page which has no relation to the realm for authentication, so you can put this code into a generic claim inspector page, and set that to be your logged-in page for any relying party where you want to check what's being sent through. Particularly handy with ADFS, when you're modifying the claims provided, and want to quickly see the results.

  • EPM 11.1.2 - Receive Anonymous Level Security token message in IE8 when trying to access Shared Services or Workspace URL

    - by Ahmed A
    If you get the "Receive Anonymous Level Security token" message in IE8 when trying to access the Shared Services or Workspace URL, apply the following workaround.

    Workaround:
    a. Go to Start > Run and enter dcomcnfg
    b. Expand Component Services, expand Computers, right-click on My Computer and select Properties
    c. Click on the Default Properties tab. Change the Default Authentication Level to Connect. Click Apply and then OK.
    d. Launch the IE browser again and you will be able to access the URL.

  • Mpd as pppoe server with authorisation by freeradius2

    - by Korjavin Ivan
    I install freeradius2, add to raddb/users:

        test Cleartext-Password := "test1"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 10.36.0.2,
            Framed-IP-Netmask = 255.255.255.0,

    start radiusd, and check auth:

        radtest test test1 127.0.0.1 1002 testing123
        Sending Access-Request of id 199 to 127.0.0.1 port 1812
            User-Name = "test"
            User-Password = "test1"
            NAS-IP-Address = 127.0.0.1
            NAS-Port = 1002
            Message-Authenticator = 0x00000000000000000000000000000000
        rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=199, length=44
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Framed-IP-Address = 10.36.0.2
            Framed-IP-Netmask = 255.255.255.0

    Works fine. Next step. Add to mpd.conf:

        radius:
        set auth disable internal
        set auth max-logins 1 CI
        set auth enable radius-auth
        set radius timeout 90
        set radius retries 2
        set radius server 127.0.0.1 testing123 1812 1813
        set radius me 127.0.0.1
        create link template L pppoe
        set link action bundle B
        set link max-children 1000
        set link no multilink
        set link no shortseq
        set link no pap chap-md5 chap-msv1 chap-msv2
        set link enable chap
        set pppoe acname Internet
        load radius
        create link template em1 L
        set pppoe iface em1
        set link enable incoming

    And trying to connect, auth failed, here is mpd log:

        mpd: [em1-2] LCP: auth: peer wants nothing, I want CHAP
        mpd: [em1-2] CHAP: sending CHALLENGE #1 len: 21
        mpd: [em1-2] LCP: LayerUp
        mpd: [em1-2] CHAP: rec'd RESPONSE #1 len: 58
        mpd: [em1-2] Name: "test"
        mpd: [em1-2] AUTH: Trying RADIUS
        mpd: [em1-2] RADIUS: Authenticating user 'test'
        mpd: [em1-2] RADIUS: Rec'd RAD_ACCESS_REJECT for user 'test'
        mpd: [em1-2] AUTH: RADIUS returned: failed
        mpd: [em1-2] AUTH: ran out of backends
        mpd: [em1-2] CHAP: Auth return status: failed
        mpd: [em1-2] CHAP: Reply message: ^AE=691 R=1
        mpd: [em1-2] CHAP: sending FAILURE #1 len: 14
        mpd: [em1-2] LCP: authorization failed

    Then I start freeradius as radiusd -fX, and get this log:

        rad_recv: Access-Request packet from host 127.0.0.1 port 46400, id=223, length=282
            NAS-Identifier = "rubin.svyaz-nt.ru"
            NAS-IP-Address = 127.0.0.1
            Message-Authenticator = 0x14d36639bed8074ec2988118125367ea
            Acct-Session-Id = "815965-em1-2"
            NAS-Port = 2
            NAS-Port-Type = Ethernet
            Service-Type = Framed-User
            Framed-Protocol = PPP
            Calling-Station-Id = "00e05290b3e3 / 00:e0:52:90:b3:e3 / em1"
            NAS-Port-Id = "em1"
            Vendor-12341-Attr-12 = 0x656d312d32
            Tunnel-Medium-Type:0 = IEEE-802
            Tunnel-Client-Endpoint:0 = "00:e0:52:90:b3:e3"
            User-Name = "test"
            MS-CHAP-Challenge = 0xbb1e68d5bbc30f228725a133877de83e
            MS-CHAP2-Response = 0x010088746ae65b68e435e9d045ad6f9569b60000000000000000b56991b4f20704cb6c68e5982eec5e98a7f4b470c109c1b9
        # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
        +- entering group authorize {...}
        ++[preprocess] returns ok
        ++[chap] returns noop
        [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
        ++[mschap] returns ok
        [eap] No EAP-Message, not doing EAP
        ++[eap] returns noop
        [files] users: Matched entry DEFAULT at line 172
        ++[files] returns ok
        Found Auth-Type = MSCHAP
        # Executing group from file /usr/local/etc/raddb/sites-enabled/default
        +- entering group MS-CHAP {...}
        [mschap] No Cleartext-Password configured. Cannot create LM-Password.
        [mschap] No Cleartext-Password configured. Cannot create NT-Password.
        [mschap] Creating challenge hash with username: test
        [mschap] Client is using MS-CHAPv2 for test, we need NT-Password
        [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
        [mschap] FAILED: MS-CHAP2-Response is incorrect
        ++[mschap] returns reject
        Failed to authenticate the user.
        Login incorrect: [test] (from client localhost port 2 cli 00e05290b3e3 / 00:e0:52:90:b3:e3 / em1)
        Using Post-Auth-Type REJECT
        # Executing group from file /usr/local/etc/raddb/sites-enabled/default
        +- entering group REJECT {...}
        [attr_filter.access_reject] expand: %{User-Name} -> test
        attr_filter: Matched entry DEFAULT at line 11
        ++[attr_filter.access_reject] returns updated
        Delaying reject of request 2 for 1 seconds
        Going to the next request
        Waking up in 0.9 seconds.
        Sending delayed reject for request 2
        Sending Access-Reject of id 223 to 127.0.0.1 port 46400
            MS-CHAP-Error = "\001E=691 R=1"

    Why do I have the error "[mschap] No Cleartext-Password configured. Cannot create LM-Password."? I define cleartext-password in users. I check raddb/sites-enabled/default:

        authorize {
            chap
            mschap
            eap {
                ok = return
            }
            files
        }

    It looks ok to me. What's wrong with mpd/chap/radius?

  • How to troubleshoot problem with OpenVPN Appliance Server not able to connect

    - by Peter
    1) I have a Windows Server 2008 Standard SP2
    2) I am running Hyper-V and have the OpenVPN Appliance Server virtual running
    3) I have configured it as it said, only issue was that the legacy network adapter does not have a setting the instructions mention "Enable spoofing of MAC Addresses". My understanding is that before R2, this was on by default.
    4) Server is running, web interfaces look good
    5) I am trying to connect from a Vista 64 box and cannot
    5a) If I set to UDP I am stuck at Authorizing and client log looks like:

        10/11/09 15:00:42: INFO: OvpnConfig: connect...
        10/11/09 15:00:42: INFO: Gui listen socket at 34567
        10/11/09 15:00:42: INFO: sending start command to instantiator...
        10/11/09 15:00:42: INFO: start 34567 ?C:\Users\Peter\AppData\Roaming\OpenVPNTech\config?02369512D0C82A04B88093022DA0226202218022A902264022AE022B?
        10/11/09 15:00:42: INFO: Got line from MI->>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
        10/11/09 15:00:42: INFO: Got line from MI->>HOLD:Waiting for hold release
        10/11/09 15:00:43: INFO: Got line from MI->SUCCESS: real-time state notification set to ON
        10/11/09 15:00:43: INFO: Got line from MI->SUCCESS: bytecount interval changed
        10/11/09 15:00:43: INFO: Got line from MI->SUCCESS: hold flag set to OFF
        10/11/09 15:00:43: INFO: Got line from MI->SUCCESS: hold release succeeded
        10/11/09 15:00:43: INFO: Got line from MI->>PASSWORD:Need 'Auth' username/password
        10/11/09 15:00:43: INFO: Processing PASSWORD.
        10/11/09 15:00:43: INFO: OvpnClient: setting need auth to true.
        10/11/09 15:00:43: INFO: OvpnConfig: Setting need auth to true.
        10/11/09 15:00:43: INFO: Got auth request from active_config from 0
        10/11/09 15:00:47: INFO: Sending Credentials....
        10/11/09 15:00:47: INFO: Sending 25 bytes for username.
        10/11/09 15:00:47: INFO: Sent 25 bytes for username.
        10/11/09 15:00:47: INFO: Sending 30 bytes for password.
        10/11/09 15:00:47: INFO: Sent 30 bytes for password.
        10/11/09 15:00:48: INFO: Got line from MI->SUCCESS: 'Auth' username entered, but not yet verified
        10/11/09 15:00:48: INFO: Got line from MI->SUCCESS: 'Auth' password entered, but not yet verified
        10/11/09 15:00:48: INFO: Got line from MI->>STATE:1255287647,WAIT,,,
        10/11/09 15:00:48: INFO: Got line from MI->>BYTECOUNT:0,42
        10/11/09 15:00:48: INFO: Got line from MI->>BYTECOUNT:54,42
        10/11/09 15:00:48: INFO: Got line from MI->>STATE:1255287648,AUTH,,,
        10/11/09 15:00:50: INFO: Got line from MI->>BYTECOUNT:2560,2868
        10/11/09 15:00:52: INFO: Got line from MI->>BYTECOUNT:2560,3378

    5b) I setup server for tcp and try to connect, I get a loop of authorizing and reconnecting. Log looks like:

        10/11/09 15:00:42: INFO: Got line from MI->>HOLD:Waiting for hold release
        10/11/09 15:00:43: INFO: Got line from MI->SUCCESS: real-time state notification set to ON
        10/11/09 15:00:43: INFO: Got line from MI->SUCCESS: bytecount interval changed
        10/11/09 15:00:43: INFO: Got line from MI->SUCCESS: hold flag set to OFF
        10/11/09 15:00:43: INFO: Got line from MI->SUCCESS: hold release succeeded
        10/11/09 15:00:43: INFO: Got line from MI->>PASSWORD:Need 'Auth' username/password
        10/11/09 15:00:43: INFO: Processing PASSWORD.
        10/11/09 15:00:43: INFO: OvpnClient: setting need auth to true.
        10/11/09 15:00:43: INFO: OvpnConfig: Setting need auth to true.
        10/11/09 15:00:43: INFO: Got auth request from active_config from 0
        10/11/09 15:00:47: INFO: Sending Credentials....
        10/11/09 15:00:47: INFO: Sending 25 bytes for username.
        10/11/09 15:00:47: INFO: Sent 25 bytes for username.
        10/11/09 15:00:47: INFO: Sending 30 bytes for password.
        10/11/09 15:00:47: INFO: Sent 30 bytes for password.
        10/11/09 15:00:48: INFO: Got line from MI->SUCCESS: 'Auth' username entered, but not yet verified
        10/11/09 15:00:48: INFO: Got line from MI->SUCCESS: 'Auth' password entered, but not yet verified
        10/11/09 15:00:48: INFO: Got line from MI->>STATE:1255287647,WAIT,,,
        10/11/09 15:00:48: INFO: Got line from MI->>BYTECOUNT:0,42
        10/11/09 15:00:48: INFO: Got line from MI->>BYTECOUNT:54,42
        10/11/09 15:00:48: INFO: Got line from MI->>STATE:1255287648,AUTH,,,
        10/11/09 15:00:50: INFO: Got line from MI->>BYTECOUNT:2560,2868
        10/11/09 15:00:52: INFO: Got line from MI->>BYTECOUNT:2560,3378
        10/11/09 15:00:54: INFO: Got line from MI->>BYTECOUNT:2560,3888
        ...

    Is there any way to turn on robust logging on the server to understand what is happening? Any ideas on how to hunt this down?

  • Make user home directory at gdm login

    - by Lorenzo
    I'm trying to make home directory at (RADIUS) user gdm login. The auth is working right, but when I try gdm says that the user hasn't a home directory. I tried to do that with pam_mkhomedir.so but is not working. My /etc/pam.d/gdm file:

        PAM-1.0
        auth sufficient pam_radius_auth.so
        auth sufficient pam_nologin.so
        auth sufficient pam_env.so readenv=1
        auth sufficient pam_env.so readenv=1 envfile=/etc/default/locale
        auth sufficient pam_succeed_if.so
        @include common-auth
        auth optional pam_gnome_keyring.so
        account sufficient pam_radius_auth.so
        @include common-account
        session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
        session optional pam_limits.so
        @include common-session
        session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
        session optional pam_gnome_keyring.so auto_start
        session required pam_mkhomedir.so skel=/etc/skel umask=0022
        @include common-password

    Thanks

  • PostgreSQL user authentication against PAM

    - by elmuerte
    I am trying to set up authentication via PAM for PostgreSQL 9.3. I already managed to get this working on an Ubuntu 12.04 server, but I am unable to get this working on a Centos-6 install. The relevant pg_hba.conf line:

        host all all 0.0.0.0/0 pam pamservice=postgresql93

    The pam.d/postgresql93 is the default config shipped with the official postgresql 9.3 package:

        #%PAM-1.0
        auth include password-auth
        account include password-auth

    When a user tries to authenticate the following is reported in secure log:

        hostname unix_chkpwd[31807]: check pass; user unknown
        hostname unix_chkpwd[31808]: check pass; user unknown
        hostname unix_chkpwd[31808]: password check failed for user (myuser)
        hostname postgres 10.1.0.1(61459) authentication: pam_unix(postgresql93:auth): authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=myuser

    The relevant content of password-auth config is:

        auth required pam_env.so
        auth sufficient pam_unix.so nullok try_first_pass
        auth requisite pam_succeed_if.so uid >= 500 quiet
        auth required pam_deny.so
        account required pam_unix.so
        account sufficient pam_localuser.so
        account sufficient pam_succeed_if.so uid < 500 quiet
        account required pam_permit.so

    The problem is with the pam_unix.so. It is unable to validate the password, and unable to retrieve the user info (when I remove the auth entry of pam_unix.so). The Centos-6 install is only 5 days old, so it does not have a lot of baggage. The unix_chkpwd is suid and has execute rights for everybody, so it should be able to check the shadow file (which has no privileges at all?).

  • su not giving proper message for restricted LDAP groups

    - by user1743881
    I have configured PAM authentication on Linux box to restrict particular group only to login. I have enabled pam and ldap through authconfig and modified access.conf like below,

        [root@test root]# tail -1 /etc/security/access.conf
        - : ALL EXCEPT root test-auth : ALL

    Also modified sudoers file, to get su for this group

        [root@test ~]# tail -1 /etc/sudoers
        %test-auth ALL=/bin/su

    Now, only this ldap group members can login to system. However when from any of this authorized user, I tried for su, it asks for password and then though I enter correct password it gives message like Incorrect password and login failed. /var/log/secure shows that user is not having permission to get the access, but then it should print message like Access denied. The way it prints for console login. My functionality is working but it's not giving proper messages. Could anyone please help on this. My /etc/pam.d/su file,

        [root@test root]# cat /etc/pam.d/su
        #%PAM-1.0
        auth sufficient pam_rootok.so
        # Uncomment the following line to implicitly trust users in the "wheel" group.
        #auth sufficient pam_wheel.so trust use_uid
        # Uncomment the following line to require a user to be in the "wheel" group.
        #auth required pam_wheel.so use_uid
        auth include system-auth
        account sufficient pam_succeed_if.so uid = 0 use_uid quiet
        account include system-auth
        password include system-auth
        session include system-auth
        session optional pam_xauth.so

  • "success=n" control syntax in pam.conf / pam.d/* files ...

    - by Jamie
    After successfully configuring Kerberos, this is what I've found in /etc/pam.d/common-auth file:

        auth [success=2 default=ignore] pam_unix.so nullok_secure
        auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
        auth requisite pam_deny.so
        auth required pam_permit.so

    Does the success=2 control value mean that if the pam_unix.so fails, the authentication skips to the auth requisite pam_deny.so line or to the last line?

  • login as rsh in rhel 6 without entering password

    - by cartmancakes
    I need to be able to login to a RHEL 6 server using rsh (please don't flame me about security, it's irrelevant in this particular instance) as root without having to enter a password. My procedure for setting this up works great in RHEL 5.x, but does not work in RHEL 6. I suspect this has something to do with PAM, but I'm inexperienced with how to use PAM. Can someone help me with this?

    /etc/pam.d/rsh

        auth required pam_rhosts.so
        auth required pam_nologin.so
        account include common-account
        password include common-password
        session required pam_loginuid.so
        session include common-session

    /etc/pam.d/rlogin

        auth required pam_nologin.so
        auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
        auth sufficient pam_rhosts.so
        auth include common-auth
        auth required pam_mail.so
        account include common-account
        password include common-password
        session required pam_loginuid.so
        session include common-session

    Thanks!

  • Cannot SSH anymore, what went wrong?

    - by lbwtz2
    I used to ssh to a remote server (no rsa-key, just password). Now the server does not accept the connection any more and throws me this error:

        ssh_exchange_identification: Connection closed by remote host

    While I can google a little to find a fix, I can't figure out what went wrong since I haven't touched anything on the machine since last login. Can you help me find the cause?

    EDIT: Inspecting the logs I've found these:

    /var/auth.log

        /var/log/auth.log:Dec 26 16:40:32 vps sshd[15567]: error: fork: Cannot allocate memory
        /var/log/auth.log:Dec 26 16:41:05 vps sshd[15567]: error: fork: Cannot allocate memory
        /var/log/auth.log:Dec 26 16:43:47 vps sshd[15567]: error: fork: Cannot allocate memory
        /var/log/auth.log:Dec 27 03:20:06 vps sshd[15567]: error: fork: Cannot allocate memory
        /var/log/auth.log:Dec 27 16:15:02 vps sshd[15567]: error: fork: Cannot allocate memory

    And in the same time span I've also found a lot of these:

        /var/log/auth.log:Dec 26 13:00:01 vps CRON[1716]: PAM unable to dlopen(/lib/security/pam_unix.so): libcrypt.so.1: cannot map zero-fill pages: Cannot allocate memory
        /var/log/auth.log:Dec 26 13:00:01 vps CRON[1716]: PAM adding faulty module: /lib/security/pam_unix.so

    What are these?

  • pam_ldap.so before pam_unix.so? Is it ever possible?

    - by user1075993
    We have a couple of servers with PAM+LDAP. The configuration is standard (see http://arthurdejong.org/nss-pam-ldapd/setup or http://wiki.debian.org/LDAP/PAM). For example, /etc/pam.d/common-auth contains:

        auth sufficient pam_unix.so nullok_secure
        auth requisite pam_succeed_if.so uid >= 1000 quiet
        auth sufficient pam_ldap.so use_first_pass
        auth required pam_deny.so

    And, of course, it works for both ldap and local users. But every login goes first to pam_unix.so, fails, and only then tries pam_ldap.so successfully. As a result, we have a well-known failure message for every single ldap user login:

        pam_unix(<some_service>:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<some_host> user=<some_user>

    I have up to 60000 of such log messages per day and I want to change the configuration so that PAM will try ldap authentication first, and only if it fails, try pam_unix.so (I think it can improve the i/o performance of the server). But if I change common-auth to the following:

        auth sufficient pam_ldap.so use_first_pass
        auth sufficient pam_unix.so nullok_secure
        auth required pam_deny.so

    Then I simply can't log in anymore with a local (non-ldap) user (e.g., via ssh). Does somebody know the right configuration? Why do Debian and nss-pam-ldapd have pam_unix.so first by default? Is there really no way to change it? Thank you in advance.

    P.S. I don't want to disable logs, but want to put ldap authentication in the first place.

  • Suspending my laptop breaks ethernet over firewire, are there commands which can fix it?

    - by Josh
    As mentioned in this question I am using a firewire cable to provide a private network between my laptop and my desktop, because it makes using the screen sharing program synergy much nicer than using WIFI. However, when I leave my office for the day and I suspend my laptop, when I return the next day, the desktop and the laptop cannot communicate over firewire anymore. The firewire0 device still has an IP address, but when I try and ping the desktop I get no route to host. I'm using kernel 2.6.35-24-generic #42-Ubuntu SMP x86_64 on Ubuntu 10.10. Is there some way I can remedy this without a reboot? Like, removing some kernel modules and re-inserting them? Here's what I have tried so far and the results:

        root@token:~# dmesg|tail -n 1
        [592525.204024] firewire_core: phy config: card 0, new root=ffc1, gap_count=5
        root@token:~# modprobe -r firewire_net firewire_ohci firewire_core
        root@token:~# modprobe -v firewire_ohci
        insmod /lib/modules/2.6.35-24-generic/kernel/lib/crc-itu-t.ko
        insmod /lib/modules/2.6.35-24-generic/kernel/drivers/firewire/firewire-core.ko
        insmod /lib/modules/2.6.35-24-generic/kernel/drivers/firewire/firewire-ohci.ko
        root@token:~# dmesg|tail
        [592525.204024] firewire_core: phy config: card 0, new root=ffc1, gap_count=5
        [592563.410868] firewire_ohci: Removed fw-ohci device.
        [592579.160086] firewire_ohci: Added fw-ohci device 0000:02:00.0, OHCI v1.10, 4 IR + 8 IT contexts, quirks 0x2
        [592579.160137] firewire_ohci: isochronous cycle inconsistent
        [592579.660294] firewire_core: created device fw0: GUID 0000000000000000, S400
        [592579.663805] firewire_core: created device fw1: GUID 0017f2fffe89bce6, S400
        [592579.663813] firewire_core: phy config: card 0, new root=ffc1, gap_count=5
        [592579.700720] firewire_core: phy config: card 0, new root=ffc1, gap_count=5
        [592579.700842] firewire_core: refreshed device fw0
        [592579.702603] firewire_net: firewire0: IPv4 over FireWire on device 0000000000000000
        root@token:~# ping stan.firewire
        PING stan.firewire (192.168.100.1) 56(84) bytes of data.
        From token.local (192.168.100.3) icmp_seq=1 Destination Host Unreachable
        From token.local (192.168.100.3) icmp_seq=2 Destination Host Unreachable
        From token.local (192.168.100.3) icmp_seq=3 Destination Host Unreachable

    I also tried removing the modules prior to suspending, and re-inserting after resuming. This did not work either :-(

  • 550 5.7.1 our Bulk Email Senders Guidelines

    - by darkandcold
    Hello, I moved to a new server with integrated Merak mail. Since I forgot Merak (used before), I missed configuring the security options. So before I realized the issue, my SMTP server was used by spammers for 2 days, hundreds of times. I configured the security settings as they should be (at least I hope), then I realized I can't send e-mail to gmail or hotmail. gmail says "550 5.7.1 see our Bulk Email Senders Guidelines". Yes, I saw its guidelines. First, I created SPF records via the msn senderID wizard. It completed very well. Then, as gmail says, I created DKIM DNS records. (In Merak mail, there is an option to create DKIM; I created it and saved it to DNS as a TXT record.) It's been 2 days since doing the fixes above, but I still can't send mail to gmail or hotmail. (P.S. Some of my domains in Merak are forwarded to my gmail account; I mean when a mail arrives at [email protected] it will forward to my gmail. And the surprise is, Merak mail can forward them very well :S but still can't send mail from outlook etc.)

  • what is the openid url of facebook ???

    - by zjm1126
    I made my openid in my site like this:

        livejournal: {
            name: 'LiveJournal',
            label: 'Enter your Livejournal username.',
            url: 'http://{username}.livejournal.com/'
        },
        wordpress: {
            name: 'Wordpress',
            label: 'Enter your Wordpress.com username.',
            url: 'http://{username}.wordpress.com/'
        },
        blogger: {
            name: 'Blogger',
            label: 'Your Blogger account',
            url: 'http://{username}.blogspot.com/'
        },

    and I want to add facebook to my openid providers, so what is the url of facebook openid? Thanks.

    But this can log in using facebook: https://www.gigya.com/site/LogIn.aspx
    You can try it yourself using facebook login.

  • management users with Zend_Auth and Zend_Session

    - by user1400
    I want to use Zend_Auth and Zend_Session to save user sessions and login information. What's the easiest and best way to implement the following items:

    1- Disallow multiple concurrent logins for a specific user
    2- List all users currently logged in
    3- Admin could log out a specific user or destroy a specific session

    Is there any special ZF or PHP API or library that can do the above? Thanks

  • shadow password

    - by LinuxGeek
    I'm trying to compare a shadow password with PHP CLI but it does not work! I use this function so I can create a password like shadow:

        function shadow($input) {
            $s = ''; // initialise the salt buffer before appending to it
            for ($n = 0; $n < 9; $n++) {
                $s .= chr(rand(64, 126)); // random salt character
            }
            $seed = "$1$" . $s . "$"; // MD5-crypt style salt prefix
            $return = crypt($input, $seed);
            return $return;
        }

    When I replace the result in shadow it works with the password, but it has different characters. How can I compare it? Thanks

  • using mod_auth_mysql and mod_auth together

    - by sirrobin
    Is it possible to use a database and a flat file to authenticate a user for a directory? For example, if the requested user is not found in the database, apache should check the flat file via mod_auth for the user. This is my current .htaccess file:

        AuthMYSQLEnable On
        AuthName "Restricted"
        AuthType Basic
        AuthGroupFile /dev/null
        AuthMySQLHost localhost
        AuthMySQLDB members
        AuthMySQLUser admin
        AuthMySQLPassword admin123
        AuthMySQLUserTable members
        AuthMySQLNameField username
        AuthMySQLPasswordField password
        AuthMySQLPwEncryption md5
        require valid-user

  • Zend_Auth using multiple tables

    - by Christian
    What I'm trying to do is use Zend_Auth for authentication, with the issue being that the 'identity' is stored in a different table than the 'credential.' I'm able to pass an array for the credential and the identity, but when it comes to the actual tables I'm not able to get it to accept the array. It ignores the 2nd table name. I was wondering if anyone has ever made this work in this way without extending the Zend_Auth class, or if I will need to do so. Thanks in advance.
