Archive for the ‘Security Related’ Category

Install CCA Agent on All Domain Machines & Map Drives Thru Scripts

Project Primary Goal(s):

Allow for mapping drives without adding exceptions to an unauthenticated role.

Secondary Goal(s):

Develop method for rolling out CCA Agent using group policy or login scripts that will not impact ability to map drives.

 

I’m starting out with the secondary goal first in this write up.

In order to install the CCA Agent without errors on all domain machines and without user intervention, I had to use an msiexec command. The reason is that if I just push the MSI package through group policy, users encounter errors when the application first installs (something about already being in the task bar) and then the program exits. It may also result in the machine attempting to log in with the machine's Active Directory account rather than the user's account (for Active Directory Single Sign-On).

In order to ensure the installation section only runs once, I check for the existence of the CCAAgent.exe file.

With the application installation part of the logon script in place, I moved on to the primary goal of the project.

It is unlikely you would want users in an unauthenticated role to be able to access your fileserver.

The issue is that any script run to map network drives would fail unless the CCA Agent has placed the user into a role where access to the fileshare is allowed first.

A solution to this is to create a section in the VBS script that runs at login time and verifies the CCA Agent is running before attempting to map a network drive. To accomplish this I use a check-and-wait loop.

The example below installs the CCA Agent if it is not installed and maps a user drive only after verifying the CCA Agent is running. It gives the CCA Agent 30 seconds after it is seen running to perform any sign-in activities (I use Active Directory Single Sign-On, but it would not change for RADIUS, Kerberos, etc.). Set this script in group policy for a domain or OU (specifically, when editing the group policy you would add it under User Configuration > Policies > Windows Settings > Scripts > Logon).

'-------------------------------------------------------------
'CCAAgent.vbs
'Install CCA Agent if not installed first.
'Verify CCA Agent is running.
'Map network drives.

Dim ADSysInfo
Dim CurrentUser
Dim strGroups
Dim wshNet
Dim fserver

Dim AllProcess
Dim Process
Dim strFoundProcess
Dim numWaits

Dim objFSO
Dim ccainstalledfile
Dim wshShell

ccainstalledfile = "c:\program files\cisco systems\clean access agent\ccaagent.exe"
strFoundProcess = False
numWaits = 0
fserver = "\\servername\homedirectory\"

'Install the agent silently from the netlogon share if its exe is not on disk.
'This only runs once per machine, because the file exists on every later logon.
Set objFSO = CreateObject("Scripting.FileSystemObject")
If Not (objFSO.FileExists(ccainstalledfile)) Then
    Set wshShell = WScript.CreateObject("WScript.Shell")
    wshShell.Run "%windir%\system32\msiexec.exe /package \\domaincontroller\netlogon\ccaagent.msi /qn"
    Set wshShell = Nothing
End If

'Check-and-wait loop: poll the WMI process list for CCAAgent.exe.
'Every pass sleeps 30 seconds, including the pass that finds the agent, so the
'agent gets 30 seconds after it is seen running to finish its sign-on.
'After 20 passes (10 minutes) the script stops waiting and falls through.
Do While (strFoundProcess = False And numWaits < 20)
    Set AllProcess = GetObject("winmgmts:")
    For Each Process In AllProcess.InstancesOf("Win32_Process")
        If (InStr(UCase(Process.Name), "CCAAGENT.EXE") = 1) Then
            strFoundProcess = True
            Exit For
        End If
    Next
    WScript.Sleep 30000
    numWaits = numWaits + 1
Loop

'Look up the current user's group memberships in Active Directory.
Set wshNet = CreateObject("WScript.Network")
Set ADSysInfo = CreateObject("ADSystemInfo")
Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)
'memberOf comes back as an array for several groups, as a plain string for a
'single group, and Empty for none, so handle all three cases before joining.
strGroups = ""
If IsArray(CurrentUser.MemberOf) Then
    strGroups = LCase(Join(CurrentUser.MemberOf))
ElseIf Not IsEmpty(CurrentUser.MemberOf) Then
    strGroups = LCase(CurrentUser.MemberOf)
End If

'Map the home drive according to group membership.
If (InStr(strGroups, "faculty") Or InStr(strGroups, "staff")) Then
    wshNet.MapNetworkDrive "U:", fserver & "facstaff\" & wshNet.UserName
End If
If (InStr(strGroups, "students")) Then
    wshNet.MapNetworkDrive "U:", fserver & "students\" & wshNet.UserName
End If
'-------------------------------------------------------------


Using Publickey Authentication with Openssh

The steps needed to use a public key to authenticate a user to a server with OpenSSH are detailed below. There are a ton of additional things that can be configured, but my primary goal was to make a quick howto on the basic steps to get it up and running.

On client:

In your home folder make a directory .ssh: "mkdir ~/.ssh"

chmod the new directory so only you can access it: "chmod 700 ~/.ssh"

Create the public/private key pair for the user: "ssh-keygen -q -f ~/.ssh/id_rsa -t rsa" (make a ridiculously tough passphrase)

On Server:

Make sure you are logged in as the user you want to log in as from the client (if you need to create the user, then "useradd johndoe" followed by "passwd johndoe").

In your home folder make a directory .ssh: "mkdir ~/.ssh" (if the folder doesn't already exist, which it often does)

chmod the new directory so only you can access it: "chmod 700 ~/.ssh" (if the permissions are not already correct)

Upload the public key to the server (for example, "vi ~/.ssh/id_rsa.pub" and insert the full text of the id_rsa.pub key created on the client in its ~/.ssh folder as one unbroken line) (you could just as easily scp or use any other method to get a copy of the file over to the server).

Check to see if ~/.ssh/authorized_keys exists: "ls -al ~/.ssh/authorized*"

If it doesn't, you could move the id_rsa.pub key to the new file: "mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys"

But if it does exist, or if you just want to take the safe approach (and I recommend this), just append the new key to the authorized key list: "cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys"

To test the connection from the client try “ssh -o PubkeyAuthentication=yes destinationhost.domain.com” where “destinationhost.domain.com” is the FQDN or IP address of the Server you wish to connect with.

An example of a good use for this is "scp -o PubkeyAuthentication=yes testfile destinationhost.domain.com:testfile". That would copy testfile from the client's current directory to the server (into your home directory by default) with no further password prompts or interaction.
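The server-side steps above (create ~/.ssh with mode 700, then append rather than overwrite authorized_keys) as one idempotent script. This is an added example, not part of the original howto; the function name install_pubkey and its optional ssh_dir argument (defaulting to ~/.ssh) are my own, and it also sets authorized_keys to mode 600 and skips keys that are already listed, which the howto does not do.

```shell
#!/bin/sh
# Server-side part of the howto: put a client's public key into
# ~/.ssh/authorized_keys without clobbering keys already there.
# Usage: install_pubkey /path/to/id_rsa.pub [ssh_dir]   (ssh_dir defaults to ~/.ssh)
install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth="$ssh_dir/authorized_keys"

    # authorized_keys holds one key per line, so refuse a key file that was
    # wrapped onto several lines when it was pasted over
    if [ $(wc -l < "$pubkey_file") -gt 1 ]; then
        echo "public key must be a single line" >&2
        return 1
    fi
    key=$(cat "$pubkey_file")
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-"*) ;;
        *) echo "not an OpenSSH public key" >&2; return 1 ;;
    esac

    # same directory permissions the howto sets by hand
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth"

    # append only when this key (type + base64 blob) is not already listed,
    # so re-running the script never duplicates entries
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if ! awk -v b="$blob" '($1 " " $2) == b {found=1} END {exit !found}' "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    # sshd refuses an authorized_keys file that is group- or world-writable
    chmod 600 "$auth"
}
```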


freeRadius 2.1.3 on Fedora 10


Project Primary Goal:
To install freeradius 2.1.3 on a Fedora 10 system and authenticate users from a Cisco 2950 switch 

Secondary Goal(s):
Join the Fedora system to an active directory.
Authenticate users via radius passing credentials thru to active directory server

A lot of the commands below require root privileges. I usually just start my terminal session with "su --login" to make things simpler for test lab configuration.

Steps Taken:
1.) Install Fedora 10 on a fresh box – I went with desktop standard install as it’s quick but for production I would recommend a more hardened minimized server install.

2.) As with pretty much any project involving Fedora 10 (and older versions as well), fix the network. Assign the static route either by disabling NetworkManager and setting it in the conf files, or by disabling SELinux, using NetworkManager, and double-checking that your interfaces come up correctly with the right netmask after a reboot.

3.) I went ahead and joined the Fedora system to Active Directory here. This has gotten way simpler in the new version. Go to System | Administration | Authentication and then check the winbind option "enable winbind support". Click Configure Winbind. Use the pre-Windows 2000 name for your winbind domain. Set the security model to ads, winbind ADS realm = your actual domain name (for my test that was GWNET.LOCAL), enter a valid FQDN of an Active Directory server for winbind domain controllers (more than one if you like), template shell as /bin/sh, and check "allow offline login". Click "Join Domain". Assuming you don't have firewall or network issues, that should work pretty well with no additional effort. This was going to be necessary for a secondary project goal, so I figured I'd knock it out early. Easy secondary checkmark that used to seem way more complicated before the new interface.

4.) Install a c compiler and make (i.e. “yum install make”)

5.) Download and compile/install freeradius. I recommend the built-in packages from Add/Remove Software for the easiest implementation and maintenance.

6.) There's probably going to be a permission problem with your /etc/raddb/certs folder and its contents. "chmod 744 /etc/raddb/certs" takes care of that issue.

7.) Ensure firewall allows ports 1812 and 1813 – assuming you want to use the default radius authentication and accounting ports.

8.) Modify clients.conf to include the device you want to use with radius (i.e. the Cisco switch). For me that would be something like adding the following to the beginning or somewhere within the conf file:
client 10.1.1.3 {
	secret = somesecretpassword
	shortname = 10.1.1.3
	nastype = cisco
	login = someusername
	login = someusername2
}
That’s just an example and this is for clear text authentication. Later I’ll work on verifying AD authentication.

9.) Modify the /etc/raddb/users file. Add something like the following to the top of the file (reply items are indented under the user line, and every reply item except the last one for a user ends with a comma; the enable-level-15 entry uses the username $enab15$, which is what the switch sends for enable authentication):
$enab15$ Cleartext-Password := "enablepasswordhere"
	Service-Type = NAS-Prompt-User
gw Cleartext-Password := "gwpasswordhere"
	Service-Type = NAS-Prompt-User,
	cisco-avpair = "shell:priv-lvl=15"
someusername2 Cleartext-Password := "someusers2passwordhere"
	Service-Type = NAS-Prompt-User

Basically you are just setting the enable level 15 password, gw with enable level 15 at login, and someusername2 with a non-privileged login. You could set other enable level passwords as well, and it's probably not a bad idea for different support levels.

10.) Ok at this point I had made a lot of changes I wanted to make sure they stuck (especially related to services starting, domain status and networking being correct) so I went ahead and rebooted and checked everything was working as expected before continuing.

11.) Stop the radiusd server “service radiusd stop”.

12.) Configure the switch. Here’s an example to go with the above config.
enable
config t
aaa new-model
aaa authentication login gwlist group radius local
radius-server host 192.168.7.2
radius-server key somesecretpassword
line vty 0 4
login authentication gwlist
end
write mem

If you run your radius server on non-default ports, just change "radius-server host 192.168.7.2" to something like "radius-server host 192.168.7.2 auth-port 2812 acct-port 2813". But the defaults will be ports 1812 and 1813 as mentioned above.
I would also recommend enabling network time sync with the same server as the radius server.

13.) I went ahead and started the radiusd service in debug mode here so I could watch the traffic: "radiusd -X". Then from a separate admin laptop that was allowed access to the switch I started telnet (for testing only; in production I would recommend disabling telnet and enabling SSH only). It asks for a username (choose one you put in the users file) and password (that user's password). You should see information about the login attempt on your Fedora system where you started radiusd with the debug option "radiusd -X". If you see it work and were authenticated on the switch at the correct enable level, go ahead and ctrl-c your radiusd -X terminal and issue "service radiusd start".
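To go with step 9 and the suggestion of separate enable passwords per support level, here is a small generator for users-file entries that gets the comma placement and the $enab<level>$ username right for any level. This is an added example, not part of the original write-up; the function names users_entry, enable_entry and render_users are my own, and the passwords are constructed placeholders.

```shell
#!/bin/sh
# Generate entries for /etc/raddb/users in the format FreeRADIUS expects:
# the check item on the user line, reply items indented below it, and a
# trailing comma on every reply item except the last.
# Usage: users_entry NAME PASSWORD PRIVLVL   (PRIVLVL 1 = non-privileged login)
users_entry() {
    name=$1; pass=$2; lvl=$3
    printf '%s Cleartext-Password := "%s"\n' "$name" "$pass"
    if [ "$lvl" -gt 1 ]; then
        # two reply items: the first must end with a comma, the last must not
        printf '\tService-Type = NAS-Prompt-User,\n'
        printf '\tcisco-avpair = "shell:priv-lvl=%s"\n' "$lvl"
    else
        printf '\tService-Type = NAS-Prompt-User\n'
    fi
}

# Entry looked up when IOS sends an "enable <level>" request to RADIUS:
# the username on the wire is $enab<level>$ (so $enab15$ for level 15),
# not the name of the user who typed "enable".
# Usage: enable_entry LEVEL PASSWORD
enable_entry() {
    lvl=$1; pass=$2
    printf '$enab%s$ Cleartext-Password := "%s"\n' "$lvl" "$pass"
    printf '\tService-Type = NAS-Prompt-User\n'
}

# Renders the write-up's three entries plus a second enable level (7) for a
# lower support tier; passwords here are constructed placeholders.
render_users() {
    enable_entry 15 enablepasswordhere
    enable_entry 7 level7passwordhere
    users_entry gw gwpasswordhere 15
    users_entry someusername2 someusers2passwordhere 1
}

render_users
```

Paste the output at the top of /etc/raddb/users as in step 9.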

I never got the Active Directory authentication working, but I plan to come back to this soon, especially since I already have the Fedora system set up on the domain and I verified I could use "ntlm_auth" to get tokens. I know the next step is to modify the /etc/raddb/mschap file. At the bottom of the file, add or modify the existing ntlm_auth section:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-GWNET.LOCAL} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
If you know the remaining steps please leave a comment or send me an email and I’ll finish the project and this document.

As with most of my projects I do in GWLab I include a network diagram.

Network diagram: Freeradius 2.1.3 on Fedora 10
