From: sverma at sfsu.edu (Sameer Verma)
Date: Mon, 30 Jun 2003 17:55:17 -0700
Subject: [NoCat] freeradius vs openradius
Message-ID: <3F00DBF5.3070701@sfsu.edu>

for folks who have implemented or are working with radius, does anyone have an opinion on freeradius vs openradius?

Sameer
--
Dr. Sameer Verma, Ph.D.
Asst. Professor of Information Systems
San Francisco State University
San Francisco CA 94132 USA
http://verma.sfsu.edu/


From: pachai at pachai.net (pachai@pachai.net)
Date: Mon, 30 Jun 2003 22:35:47 -0400
Subject: [NoCat] Nocat Auth config?
Message-ID: <38ebe3d783.3d78338ebe@optonline.net>

Greetings.

Since I posted, I did not receive a reply, but I did seemingly make some progress. An inch or 2.

I restored the default httpd.conf, copied all the nocat html and cgi stuff into the default places, and now at least I am getting an error in the ssl error logs... Oh, and I copied all the .pm's to the site_perl tree, so I am not getting lib errors anymore. Just runtime errors in perl.

File ....LoginForm: No such file or directory

I searched with google for a How To, see that there is none. I'd be willing to make one, but it may take me time to figure out this problem.

Has anyone experienced this before? Or, has anyone NOT experienced this? I'd be grateful for a pointer.

Thanks
Seth


From: jnebrera at jazzfree.com (Jaime Nebrera Herrera)
Date: Tue, 1 Jul 2003 19:45:55 +0200
Subject: [NoCat] Weird behaviour
Message-ID: <200307011945.55601.jnebrera@jazzfree.com>

Hi all,

We have discovered a very strange behaviour in NoCat. Please advise.
First some ASCII art (remember this is just a test lab, not real):

           Internet
              |
        192.168.100.1
        NoCat Gateway
         192.168.0.1
              |
             Hub
            /   \
   192.168.0.5   192.168.0.10
     Client      Auth Server

We were downloading heavily on the Internet link (gentoo :))) and discovered the client had problems to complete the auth process correctly. To simulate the saturation of the internet link we have tried to disconnect the gateway from the Internet and the problem persists.

Why this? Does NoCat need a "free" Internet connection even when granting access to "local" websites?

I guess NoCat is designed to have the auth server on the same interface as the Internet connection, but heck this is strange.

Any ideas? Very thankfully.

Regards.
--
Jaime Nebrera - jnebrera@jazzfree.com


From: rob at capband.net (Rob Nelson)
Date: Wed, 02 Jul 2003 10:57:14 -0400
Subject: [NoCat] allow all radius clients
Message-ID: <5.2.1.1.0.20030702105537.00b73660@mail.capband.net>

Hi,

We're using a fatpipe that round-robins one connection with static addresses and three connections with dynamic addresses. How can you tell freeradius (since a lot of people seem to use it) to accept connections from ALL hosts as long as they have the right password? Since 3 of 4 connections are dynamic, this is vital to getting it all running properly.

Rob Nelson
Network Administrator, Capitol Broadband
C: 919-369-1874
rob@capband.net


From: jbarrett at amduat.net (Jacob S. Barrett)
Date: Wed, 02 Jul 2003 08:34:19 -0700
Subject: [NoCat] allow all radius clients
In-Reply-To: <5.2.1.1.0.20030702105537.00b73660@mail.capband.net>
References: <5.2.1.1.0.20030702105537.00b73660@mail.capband.net>
Message-ID: <3F02FB7B.7070102@amduat.net>

My guess would be:

client 0.0.0.0/0 {
        secret = mysecret
        shortname = myshortname
}

You might want to email freeradius-users@lists.cistron.nl though for more help. Also, be sure to pick a very strong password then.
-Jake

Rob Nelson wrote:
> Hi,
>
> We're using a fatpipe that round-robins one connection with static
> addresses and three connections with dynamic addresses. How can you tell
> freeradius (since a lot of people seem to use it) to accept connections
> from ALL hosts as long as they have the right password? Since 3 of 4
> connections are dynamic, this is vital to getting it all running properly.
>
> Rob Nelson
> Network Administrator, Capitol Broadband
> C: 919-369-1874
> rob@capband.net
>
> _______________________________________________
> NoCat mailing list
> NoCat@lists.nocat.net
> http://lists.nocat.net/mailman/listinfo/nocat

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net

"I don't suffer from insanity, I enjoy every minute of it."


From: halmi at acv.com.my (Halmi Yasin)
Date: Wed, 2 Jul 2003 21:14:20 +0800
Subject: [NoCat] gateway interfaces on same subnet?
In-Reply-To: <200307011945.55601.jnebrera@jazzfree.com>
References: <200307011945.55601.jnebrera@jazzfree.com>
Message-ID: <20030702211420.4e5d5154.halmi@acv.com.my>

hi

i realized that the two interfaces on the gateway can't have IPs in the same subnet. when i first started out, eth0 (ext) was 192.168.0.10 and eth1 (int) was 192.168.0.11. gw didn't work! after 4 days of 'research', i figured out, whut the heck, and changed eth0 to 172.1.1.51 (my fake internal network IP) and BANG! it worked!

is this a feature, or a bug?

neways, now i have a perfectly running nocatauth and gw :) cool stuff.

btw, i've been using icam (http://www.wabbiter.com/icam/). does anyone know/created any web client (with php, maybe?)? i can see that it is very easy to do, but i'm too lazy. hehehe... but my boss is insisting on it!

halms/


From: halmi at applikasi.net (Halmi Yasin)
Date: Thu, 3 Jul 2003 03:49:14 +0800
Subject: [NoCat] gateway interfaces on same subnet?
In-Reply-To: <8c79c89d1e.89d1e8c79c@optonline.net>
References: <8c79c89d1e.89d1e8c79c@optonline.net>
Message-ID: <20030703034914.4afe15a6.halmi@applikasi.net>

heyyah,

owh, sent using the wrong mail account...

yeah, i ran my own authserv. it took days, but it pays off. send me your error log, maybe i can help. no promise though :)

halms/

On Wed, 02 Jul 2003 14:27:04 -0400
pachai@optonline.net wrote:

> halms,
> Glad to hear that it works
>
> > i realized that the two interface on the gateway cant have IPs in the
> > same subnet.
> >
> > is this a feature, or a bug?
>
> Yes, it is a feature. Nocat gateway runs netstat to see
> the environment. You should see 2 separate entries.
> One of them is a default route. Nocat figures out
> that the default route is your external (ISP) connection.
>
> > neways, now i have a perfectly running nocatauth and gw :) cool stuff.
>
> Would you be able to tell me more about how you got
> nocatauth working? Are you using your own authserver,
> or just authenticating against auth.nocat.net ?
>
> I installed the S/W and I got errors in my apache log files.
> Thanks
> Seth


From: sverma at sfsu.edu (Sameer Verma)
Date: Sat, 05 Jul 2003 16:26:38 -0700
Subject: [NoCat] limitting login to one instance
Message-ID: <3F075EAE.50007@sfsu.edu>

Schuyler Erle wrote:
> On Thu, 12 Jun 2003 md@republicomm.com wrote:
>
> > I know this has been brought up before, but I don't think it was ever
> > answered: Is there a way to limit users to one active session at a time?
>
> Not at present. It would require adding statefulness on the authserver,
> which we've (probably foolishly) tried to avoid. I'm willing to alter
> behavior to be altered if someone wants to send patches.
>
> SDE

I am picking up on an older thread...
Schuyler, how would you propose maintaining statefulness? Were you suggesting some sort of a session that is maintained, as it is in shopping cart-type applications?

Sameer
--
Dr. Sameer Verma, Ph.D.
Asst. Professor of Information Systems
San Francisco State University
San Francisco CA 94132 USA
http://verma.sfsu.edu/


From: Zachary.M.Berke at Dartmouth.edu (Zachary M. Berke)
Date: Mon, 7 Jul 2003 00:19:23 -0400
Subject: [NoCat] GPG: not trusted signature. Bad token match results.
Message-ID: <3004A1E6-B032-11D7-9A18-000A959B423A@Dartmouth.edu>

Hi,

My servers got attacked, forcing me to wipe clean and reinstall NoCat. I'm all set except I'm getting GPG issues which are causing logins to fail. I've noticed previous recommendations to downgrade from 1.0.7 to 1.0.6. I'm using 1.0.7 and before I downgrade I'm hoping someone could tell me whether or not my problem is/could be caused by this version issue.

I redid the make pgpkey and recopied the trustedkeys.gpg file to my gateways. The error persisted.

The error message is on the gateway. When a user attempts to log in, we get:

[2003-07-06 23:52:56] gpg --decrypt --homedir=/usr/local/nocat-gw/bin/../pgp --keyring trustedkeys.gpg --no-tty -o- returned error message:
gpg: Signature made Sun Jul 6 23:54:01 2003 EDT using DSA key ID E4B18567
gpg: Good signature from "PGP Key (PGP Key) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Fingerprint: 0259 1CCD 191B 034C 047E 66E5 8171 65A3 E4B1 8567

then a few lines further down a token mismatch occurs:

[2003-07-06 23:52:56] Bad token match from 10.1.7.239: $1$1$0lNxnJty74zlVmF2/t/Mx/ != $1$91764397$RNSysC7xcLzZKERQNFpSn/

The user is not logged in and is redirected to the login page again.

Is this caused by using gpg 1.0.7 instead of 1.0.6? I'm running 1.0.7 on both gateway and authserv.
I'm unsure which version was being used before the attack. I'd really rather not downgrade, since I think doing so would break up2date and therefore leave me more vulnerable to future security problems.

Thanks,
Zach


From: email-peyman at comcast.net (Peyman Pourkermani)
Date: 07 Jul 2003 01:23:02 -0500
Subject: [NoCat] GPG: not trusted signature. Bad token match results.
In-Reply-To: <3004A1E6-B032-11D7-9A18-000A959B423A@Dartmouth.edu>
References: <3004A1E6-B032-11D7-9A18-000A959B423A@Dartmouth.edu>
Message-ID: <1057558982.4996.1.camel@raptor>

Zach,

1.0.7 does not work but you can upgrade to 1.2.1-1 on both auth server and gateway. I use gnupg-1.2.1-1 on both and it works fine.

Peyman

On Sun, 2003-07-06 at 23:19, Zachary M. Berke wrote:
> Hi,
>
> My servers got attacked, forcing me to wipe clean and reinstall NoCat.
> I'm all set except I'm getting GPG issues which are causing logins to
> fail. I've noticed previous recommendations to downgrade from 1.0.7 to
> 1.0.6. I'm using 1.0.7 and before I downgrade I'm hoping someone could
> tell me whether or not my problem is/could be caused by this version
> issue.
>
> I redid the make pgpkey and recopied the trustedkeys.gpg file to my
> gateways. The error persisted.
>
> The error message is on the gateway. When a user attempts to log in,
> we get:
>
> [2003-07-06 23:52:56] gpg --decrypt
> --homedir=/usr/local/nocat-gw/bin/../pgp --keyring trustedkeys.gpg
> --no-tty -o- returned error message:
> gpg: Signature made Sun Jul 6 23:54:01 2003 EDT using DSA key ID
> E4B18567
> gpg: Good signature from "PGP Key (PGP Key) "
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Fingerprint: 0259 1CCD 191B 034C 047E 66E5 8171 65A3 E4B1 8567
>
> then a few lines further down a token mismatch occurs:
>
> [2003-07-06 23:52:56] Bad token match from 10.1.7.239:
> $1$1$0lNxnJty74zlVmF2/t/Mx/ != $1$91764397$RNSysC7xcLzZKERQNFpSn/
>
> The user is not logged in and is redirected to the login page again.
>
> Is this caused by using gpg 1.0.7 instead of 1.0.6? I'm running 1.0.7
> on both gateway and authserv. I'm unsure which version was being used
> before the attack. I'd really rather not downgrade, since I think
> doing so would break up2date and therefore leave me more vulnerable to
> future security problems.
>
> Thanks,
> Zach


From: woof at woof.lu (Arnaud Willem)
Date: Mon, 7 Jul 2003 09:18:39 +0200
Subject: [NoCat] GPG: not trusted signature. Bad token match results.
In-Reply-To: <3004A1E6-B032-11D7-9A18-000A959B423A@Dartmouth.edu>
Message-ID: <3B38A8D0-B04B-11D7-B9CF-000393AECC7E@woof.lu>

Zachary,

I think the problem is that your key doesn't have a trusted status, which isn't related to any version of gpg (:

Just run `gpg --edit-key e4b18567` and use the "trust" command. You can then set its trust level, and gpg won't complain again.

/!\ /!\ /!\ NOTE: you have to be able to _really_ trust the key in order to alter its trust level, don't use it as a hack to keep gpg silent! /!\ /!\ /!\

I hope this helps,
Arnaud

On Monday, July 7, 2003, at 06:19 AM, Zachary M. Berke wrote:
> [...]
> The error message is on the gateway.
> When a user attempts to log in,
> we get:
>
> [2003-07-06 23:52:56] gpg --decrypt
> --homedir=/usr/local/nocat-gw/bin/../pgp --keyring trustedkeys.gpg
> --no-tty -o- returned error message:
> gpg: Signature made Sun Jul 6 23:54:01 2003 EDT using DSA key ID
> E4B18567
> gpg: Good signature from "PGP Key (PGP Key) "
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Fingerprint: 0259 1CCD 191B 034C 047E 66E5 8171 65A3 E4B1 8567
> [...]

--
Arnaud Willem
woof@woof.lu
GPG KeyID: 0x20DF792A
Please read before sending any e-mail: http://expita.com/nomime.html


From: Zachary.M.Berke at Dartmouth.edu (Zachary M. Berke)
Date: Tue, 8 Jul 2003 01:10:08 -0400
Subject: [NoCat] PGP error gone? Bad Token persists.
Message-ID: <71D257B8-B102-11D7-ADD1-000A959B423A@Dartmouth.edu>

Thanks to Arnaud and Peyman I seem to have partially defeated the PGP problem, but the token matching problem still persists. This PGP stuff is driving me up a wall!

I've got GnuPG 1.2.1 running now.
- I copied my authserver's trustedkeys.gpg to my gateway into the nocat-gw/pgp folder

i generated a secret key for my gateway
gpg --homedir=/usr/local/nocat-gw/pgp --keyring trustedkeys.gpg --gen-key

i trusted and signed the key from my auth serv (50ae8579 is the uid of my auth key)
gpg --homedir=/usr/local/nocat-gw/pgp --keyring trustedkeys.gpg --edit-key 50AE8579
trust
sign

The "not a trusted signature" error is gone now, but the log still reports that gpg "returned error message:"
The bad token match is still there.

Following is the log. Thanks in advance for any help. When I get this working, I will try to submit a good how-to so no one else has to go through this pain.

Zach

[2003-07-08 00:45:17] Spawning child process 9017.
[2003-07-08 00:45:17] Connection to 10.1.4.1 from 10.1.5.232
[2003-07-08 00:45:17] Received notify from 10.1.5.232
[2003-07-08 00:45:17] gpg --decrypt --homedir=/usr/local/nocat-gw/bin/../pgp --keyring trustedkeys.gpg --no-tty -o- returned error message:
gpg: Signature made Tue Jul 8 00:46:12 2003 EDT using DSA key ID 50AE8579
gpg: Good signature from "NoCat Auth (nocat auth server) "
[2003-07-08 00:45:17] Got auth msg:
Mac 10.1.5.232
User Zachary M. Berke
Token $1$1$p9TAlujssGMVUSXUhkncD.
Mode_login.y 1
Redirect http://10.1.4.1:5280/
?ticket=owGbwMvMwCQYf6dtScC61krG0wdMkxjsuXym%2bCYmcxoa6BnqmeoZGRtxhRanFn
FGJSZnJBZVKvjqKTilFmWncoXkZ6fmcaoYqpiYmVkamZiaqUT4FJdXJpeGRaXkOOaZ6lflh4
eVB%2bpx%2beanpMbn5Kdn5ulVchpyBaWmZBalJpdwZpSUFFjp6xfnJBZnpOSX6OUXpetzOS
aXZObncQakFuVmlnC55iUXVRaUFCQWF3MamCVp56Ymp1WFR2YVJGcZG1bmBJQ4gk3nBJvO5Z
KXAnRpGdCxKXkpeimJRSW5%2baUlGXqpKaVcIZm5qUAOp5mBAbKDKjhNjLk67JlZwf6GhYQg
0wMbhvn5%2b4TuPDp8pTVYPNXQ%2fUOkSmjP2esMC9qmz9ibfDvi7u4rD258P1EjmrhumgkA
%3dXYBY
Action Permit
Encryptpass 06b+mecfzWYjpcj31ylPtA
Mode login
Dndserver dnd.dartmouth.edu
Timeout 600
Mode_login.x 43
[2003-07-08 00:45:17] Bad token match from 10.1.5.232: $1$1$p9TAlujssGMVUSXUhkncD. != $1$46692456$XLswycuVZdlAn5/zoWVwQ.
[2003-07-08 00:45:17] Capturing 10.1.5.232 for http://10.1.4.1:5280/
?ticket=owFN0ktr1FAUB%2fCxRTBBwW5cCGIX7UrITGYm6QNsmcw0oUnTzCuZJBu5ubkzed
2bO5lkHkWXiksXggsFEUSoSJd%2bARdduHLjyi%2fQrXvB6YAgB87u8P%2fD%2bb26s15a23
jy68XH9sXzxY3vV17pkD15rQPI8BWO5wSuWquy5gRljAtgALLFps5tSiiLEdtPY0SYLX45dK
%2ffSIpoMlF0y%2bzZZhAT2OJYPfXRkyQdhYRbMDzbRX6YIZgzQZ7T%2fXJ5lVDn%2bH2hul
spH%2bYhjFH%2bOJ0p3kyf6rNmxxmKft6DTZGPM6Uy8%2fV4Hk0Ke4G3q17TwXCeAlEiY4xS
V%2bnm86ALiExkRe25RJVcS5tGY60fJjIeEJjasSsOMQSpM6ahg60YYDcEY7Nfl1XfVilSus
CODQO4YjJMgjqypGUMnS8XAoTqHhE0nwhFYsGALiQwwK4EEpX6M5f2TFmOqDgfXucSavRs0T
BtivIzowds1%2fAI7IBYLiyckKYghKZtdYEpNzsDuaYD3LSoIDqY8gO5W3UsVYGuwntYUjv1
UVwjkjo1BFezG6RLFb851%2byYohCr3d5AWLYDZqLYY6oBCx67WBibDYMKWGp4WkuLgtPoJB
Z31MSdDUUlcDqjykz3gim5vqz3i3aL7tK%2b5bRP7c52dWh%2bMuIejtpVNNGbe2N8thd6w9
Y03CnqWasq7Lb5owhnQYFHcWO75tuO5LANmIcpYdoow2HOHhGYLWhOwWTCVETvEUZweDZwIg
qjGr9I2nljxYJZsWBbxF%2fami55%2bcTnfJDlOC3ygEN%2bwfbD5WOLnBErlf8lzZl6jX15
sH5zJfUf3Y219GHpzVPn9Oefr%2b3P5dqxdvH74P7VJV96%2f%2bxH%2bcPttw%2b2zm%2fV
%2bctv7%2b5unt%2f78hc%3d%3d1n1Q
[2003-07-08 00:45:17] Notifying parent of Capture on peer 10.1.5.232
[2003-07-08 00:45:17] Got notification Capture of peer 10.1.5.232
[2003-07-08 00:45:17] Child process returned 1


From: sverma at sfsu.edu (Sameer Verma)
Date: Mon, 07 Jul 2003 23:10:16 -0700
Subject: [NoCat] PGP error gone? Bad Token persists.
In-Reply-To: <71D257B8-B102-11D7-ADD1-000A959B423A@Dartmouth.edu>
References: <71D257B8-B102-11D7-ADD1-000A959B423A@Dartmouth.edu>
Message-ID: <3F0A6048.4090709@sfsu.edu>

Zachary M. Berke wrote:
> Thanks to Arnaud and Peyman I seem to have partially defeated the PGP
> problem, but the token matching problem still persists. This PGP stuff
> is driving me up a wall!
>
> I've got GnuPG 1.2.1 running now.
>
> - I copied my authservers trustedkeys.gpg to my gateway into the
> nocat-gw/pgp folder
>
> i generated a secret key for my gateway
> gpg --homedir=/usr/local/nocat-gw/pgp --keyring trustedkeys.gpg --gen-key
>
> i trusted and signed the key from my auth serv (50ae8579 is the uid of
> my auth key)
> gpg --homedir=/usr/local/nocat-gw/pgp --keyring trustedkeys.gpg
> --edit-key 50AE8579
> trust
> sign
>
> The "not a trusted signature" error is gone now, but the log still
> reports that gpg "returned error message:"
> The bad token match is still there.
> [...snipped...]

Who owns the trustedkeys.gpg on the gateway?

Sameer
--
Dr. Sameer Verma, Ph.D.
Asst. Professor of Information Systems
San Francisco State University
San Francisco CA 94132 USA
http://verma.sfsu.edu/


From: olivier.page at esm2.imt-mrs.fr (Olivier PAGE)
Date: Tue, 08 Jul 2003 10:42:02 +0200
Subject: [NoCat] LocalNetwork / authserv / bug ?
Message-ID: <3F0A83DA.6040401@esm2.imt-mrs.fr>

I had the following error:

[2003-07-08 09:42:50] could not parse at ../lib//NoCat/AuthService.pm line 77

this line is as follows:

my $local_net = new Net::Netmask( $self->{LocalNetwork} );

so it seems that LocalNetwork is not known

I've changed the beginning of AuthService as follows (added LocalNetwork):

@REQUIRED = qw( GatewayPort NotifyTimeout LoginTimeout RenewTimeout HomePage LocalNetwork );

and added a

LocalNetwork = a.b.c.d/x

in nocat.conf

it seems ok.

did i find a bug? did i taint something in the code?

o.p.
--
Olivier PAGE
Ingenieur Systemes (D) & reseaux
Tel : (33) 4.91.05.44.35
email : Olivier.Page@esm2.imt-mrs.fr
Fax : (33) 4.91.05.45.98
ESM2: Ecole Sup. de Meca. Marseille
Institut Mediterraneen de Technologie
http://esm2.imt-mrs.fr


From: llee at aedon.com (llee)
Date: Tue, 8 Jul 2003 17:22:48 -0700
Subject: [NoCat] GPG: not trusted signature. Bad token match results.
Message-ID: <4F9A4FF6A0056542B0620E74A619C5420C8EF1@gian.aedon.com>

Guys,

I want to join the group and flash my smc2652w and try out the openap kit.. Wonder who in the SF area have a linear flash card I can borrow.. My old newton card just can't be read or formatted...

Any help is greatly appreciated : )

-----Original Message-----
From: Peyman Pourkermani [mailto:email-peyman@comcast.net]
Sent: Sunday, July 06, 2003 11:23 PM
To: Zachary M. Berke
Cc: nocat@lists.nocat.net
Subject: Re: [NoCat] GPG: not trusted signature. Bad token match results.

Zach,

1.0.7 does not work but you can upgrade to 1.2.1-1 on both auth server and gateway. I use gnupg-1.2.1-1 on both and it works fine.

Peyman

On Sun, 2003-07-06 at 23:19, Zachary M. Berke wrote:
> Hi,
>
> My servers got attacked, forcing me to wipe clean and reinstall NoCat.
> I'm all set except I'm getting GPG issues which are causing logins to
> fail. I've noticed previous recommendations to downgrade from 1.0.7 to
> 1.0.6. I'm using 1.0.7 and before I downgrade I'm hoping someone could
> tell me whether or not my problem is/could be caused by this version
> issue.
>
> I redid the make pgpkey and recopied the trustedkeys.gpg file to my
> gateways. The error persisted.
>
> The error message is on the gateway. When a user attempts to log in,
> we get:
>
> [2003-07-06 23:52:56] gpg --decrypt
> --homedir=/usr/local/nocat-gw/bin/../pgp --keyring trustedkeys.gpg
> --no-tty -o- returned error message:
> gpg: Signature made Sun Jul 6 23:54:01 2003 EDT using DSA key ID
> E4B18567
> gpg: Good signature from "PGP Key (PGP Key) "
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Fingerprint: 0259 1CCD 191B 034C 047E 66E5 8171 65A3 E4B1 8567
>
> then a few lines further down a token mismatch occurs:
>
> [2003-07-06 23:52:56] Bad token match from 10.1.7.239:
> $1$1$0lNxnJty74zlVmF2/t/Mx/ != $1$91764397$RNSysC7xcLzZKERQNFpSn/
>
> The user is not logged in and is redirected to the login page again.
>
> Is this caused by using gpg 1.0.7 instead of 1.0.6? I'm running 1.0.7
> on both gateway and authserv. I'm unsure which version was being used
> before the attack. I'd really rather not downgrade, since I think
> doing so would break up2date and therefore leave me more vulnerable to
> future security problems.
>
> Thanks,
> Zach


From: mr at i-st.net (mr@i-st.net)
Date: 09 Jul 2003 07:25:02 UT
Subject: [NoCat] Radius MySQL Accounting Time

I need to close a gradual solution around users after a certain time the account. The user may do for example one hour in the InterNet and afterwards must the account be closed. The whole should run with a MySQL data base, NoCat and radius.

Regards Marc
From: ulrich.schwarz at rz.uni-ulm.de (ulrich schwarz)
Date: Wed, 09 Jul 2003 14:12:26 +0200
Subject: [NoCat] RADIUS.pm patch
Message-ID: <3F0C06AA.6040603@rz.uni-ulm.de>

hello everyone,

we have upgraded from 0.81 to 0.82 and found the radius-authentication broken. the attached patch fixes this (at least, in our case).

greetings,
ulric
--
ulrich schwarz, computing center, university of ulm, germany

Attachment RADIUS.pm.patch:

--- RADIUS.pm.org	Wed Jul 9 09:56:16 2003
+++ RADIUS.pm	Wed Jul 9 09:58:37 2003
@@ -85,8 +85,8 @@
     # mimic the check_pwd from Authen::Radius
     $radius->clear_attributes;
     $radius->add_attributes (
-        { Name => 1, Value => $user->id },
-        { Name => 2, Value => $user_pw }
+        { Name => 1, Value => $user->id, Type => 'string' },
+        { Name => 2, Value => $user_pw, Type => 'string' }
     );
 
     my $radiuscheckok = 0;
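Review bot: the explicit Type => 'string' on both attributes is left unexplained, and the comment above the hunk ("mimic the check_pwd from Authen::Radius") does not say why 0.82 needs it; since the attributes are passed by numeric id (1 and 2, i.e. User-Name and User-Password) rather than by dictionary name, add a one-line comment stating that the type has to be given because no dictionary entry supplies it, and record the Authen::Radius version this was tested against, as "at least, in our case" suggests other installations may differ. Before merging, also confirm that attribute 2 is still obfuscated with the shared secret when the packet is built rather than sent as the plain string `$user_pw`; nothing in the visible lines shows which happens.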
From: jbarrett at amduat.net (Jacob S. Barrett)
Date: Wed, 09 Jul 2003 08:06:55 -0700
Subject: [NoCat] Radius MySQL Accounting Time
Message-ID: <3F0C2F8F.2070401@amduat.net>

Look into rlm_sqlcounter. With NoCatAuth 0.82 you should be able to take advantage of rlm_sqlcounter at the re-authentication point. It won't kick them off at exactly the time they consume all their time, but it will deny them re-authentication when NoCatAuth does that pop-up window thing.

Your other option is to wait a week for my latest patches. I am working on a scheme that does the NoCatAuth re-auth (with or without popups) at the individual's Session-Timeout value. So if the user only has 400 seconds left, the re-auth is tried at 400 seconds and will be denied and logged off. I am including a whole bunch of changes. It is all exciting stuff... :) I would tell you all about it but I have to get my butt back to work.

-Jake

mr@i-st.net wrote:
> I need to close a gradual solution around users after a certain time
> the account. The user may do for example one hour in the InterNet and
> afterwards must the account be closed. The whole should run with a
> MySQL data base, NoCat and radius.
>
> Regards Marc

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net

"I don't suffer from insanity, I enjoy every minute of it."
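As an added example of the rlm_sqlcounter approach Jake points at (not Jake's patches, NoCat code or Marc's setup), this FreeRADIUS 1.x radiusd.conf fragment sums every second a user has ever been accounted for in the MySQL radacct table and refuses re-authentication once a per-user limit in radcheck is used up; the instance name "noresetcounter", the user "marc" and the 3600-second limit are assumed values.

```conf
# Assumed example: FreeRADIUS 1.x radiusd.conf, module section.
# rlm_sqlcounter runs at authorize time and compares the SUM returned
# by "query" against the check attribute on the user's radcheck row.
sqlcounter noresetcounter {
        counter-name = Max-All-Session-Time     # attribute holding the computed total
        check-name   = Max-All-Session          # per-user limit, read from radcheck
        reply-name   = Session-Timeout          # remaining seconds, sent to the NAS
        sqlmod-inst  = sql                      # the rlm_sql instance with the MySQL tables
        key          = User-Name
        reset        = never                    # lifetime total: never starts over

        # %k expands to the key attribute (User-Name). With reset = never the
        # whole accounting history counts, so no AcctStartTime window is needed.
        query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='%{%k}'"
}

# The counter only acts if it is listed after sql in the authorize section,
# so the radcheck attributes are already loaded when it runs.
authorize {
        preprocess
        sql
        noresetcounter
}

# Per-user limit for Marc's "one hour" case, stored in the radcheck table
# (assumed user name; run once in MySQL):
#   INSERT INTO radcheck (UserName, Attribute, op, Value)
#   VALUES ('marc', 'Max-All-Session', ':=', '3600');
#
# While time remains, the counter puts the remainder into Session-Timeout,
# which is the value Jake's re-auth scheme keys off; once the sum reaches
# 3600 the Access-Request is rejected and NoCat's re-authentication fails.
```

Accounting time only accrues if the gateway actually sends Accounting-Start/Stop for each session, so verify that radacct rows appear for a test login before relying on the limit.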
From: junk at darieus.com (Darieus Oni)
Date: Wed, 9 Jul 2003 13:54:18 -0700 (PDT)
Subject: [NoCat] NoCat won't make
Message-ID: <20030709205418.34381445A@sitemail.everyone.net>

a user posted the same problem I am having but never got a response.

I'm on the latest Slackware distro and when I run ./configure all is well but when I run make I get this:

gcc -g -O2 -I/usr/include/glib-1.2 -I/usr/lib/glib/include -D_REENTRANT -Wall -o splashd splashd.o libsplash.a open.c -L/usr/lib -lgthread -lglib -lpthread
libsplash.a(tpool.o): In function `tpool_add_work':
/root/NoCatSplash-nightly/src/tpool.c:123: undefined reference to `g_debug'
/root/NoCatSplash-nightly/src/tpool.c:128: undefined reference to `g_debug'
libsplash.a(tpool.o): In function `tpool_thread':
/root/NoCatSplash-nightly/src/tpool.c:241: undefined reference to `g_debug'
collect2: ld returned 1 exit status
make[2]: *** [splashd] Error 1
make[2]: Leaving directory `/root/NoCatSplash-nightly/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/root/NoCatSplash-nightly/src'
make: *** [all-recursive] Error 1

-----------------------------------------

The last entry in NoCat's change log is related to my problem:

2003-05-20 00:13 sderle

        * src/tpool.c: Added g_debug and g_info, altered tpool to use
        g_debug for pool reporting.

I would really love to get this program up and running, but I need some help

Darieus.
From: rob at torenware.com (Rob Thorne)
Date: Wed, 09 Jul 2003 17:58:27 -0700
Subject: [NoCat] NoCat won't make
In-Reply-To: <20030709205418.34381445A@sitemail.everyone.net>
References: <20030709205418.34381445A@sitemail.everyone.net>
Message-ID: <3F0CBA33.8070502@torenware.com>

I'd be curious if there is some library that is being assumed here that isn't standard; the current sources for NoCatSplash get this error on RedHat 8.0 as well.

This is pretty easy to fix, though: just scan the sources for "g_debug" and "g_info" and comment out the lines with "//". All of the instances of these items are in log comments, and the software will work without them.

I'm guessing that Schuyler either implemented these functions himself and forgot to add them to the tar ball, or that he is assuming a version or build of glibc different from what people typically have in their Linux distributions. If it's the former, then the tar ball needs updating; if the latter, then autoconf probably needs a test for the g_* functions that are being used here.

Cheers,
Rob

Darieus Oni wrote:
> a user posted the same problem I am having but never got a response.
> Im on the latest Slackware Distro and when I run ./configure all is well but when I run make I get this;
>
>
> gcc -g -O2 -I/usr/include/glib-1.2 -I/usr/lib/glib/include -D_REENTRANT -Wa
> ll -o splashd splashd.o libsplash.a
> open.c -L/usr/lib -lgthread -lglib -lpthread
> libsplash.a(tpool.o): In function `tpool_add_work':
> /root/NoCatSplash-nightly/src/tpool.c:123: undefined reference to `g_debug'
> /root/NoCatSplash-nightly/src/tpool.c:128: undefined reference to `g_debug'
> libsplash.a(tpool.o): In function `tpool_thread':
> /root/NoCatSplash-nightly/src/tpool.c:241: undefined reference to `g_debug'
> collect2: ld returned 1 exit status
> make[2]: *** [splashd] Error 1
> make[2]: Leaving directory `/root/NoCatSplash-nightly/src'
> make[1]: *** [all] Error 2
> make[1]: Leaving directory `/root/NoCatSplash-nightly/src'
> make: *** [all-recursive] Error 1
>
> -----------------------------------------
>
> The last entry in the NoCat's change log is related to my problem:
>
> 2003-05-20 00:13 sderle
>
>         * src/tpool.c: Added g_debug and g_info, altered tpool to use
>         g_debug for pool reporting.
>
>
>
> I would really love to get this program up and running, but I need some help
>
> Darieus.

--
Rob Thorne
Torenware Networks
http://www.torenware.com
From: aklougbo at yahoo.com (Aime)
Date: Thu, 10 Jul 2003 03:04:22 -0700 (PDT)
Subject: [NoCat] NoCat and cgi-script debbugging - In which file ,the output goes ?
Message-ID: <20030710100422.7390.qmail@web11008.mail.yahoo.com>

Hello All,

Let's assume someone puts:

$authserv->log( 8, " We entered function login " );

in the login cgi script for instance.

In which file is the output redirected?
I put such statements in my login cgi script for debugging purposes, but could not figure out where the output goes.

Any ideas?

--Thanks in advance.

__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com


From: jbarrett at amduat.net (Jacob S. Barrett)
Date: Thu, 10 Jul 2003 06:20:04 -0700
Subject: [NoCat] NoCat and cgi-script debbugging - In which file ,the output goes ?
Message-ID: <3F0D6804.8070602@amduat.net>

Aime wrote:
> Let assume someone puts :
> $authserv->log( 8, " We entered function login " );
> in the login cgiscript for instance.
> In which file the output is redirected ?
> I put such statements in my login cgi script for
> debugging purpose , but could not figure out where the
> output goes.

If you are running apache it will show up in your error log, for me that is /var/log/http-error.log.

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net

"I don't suffer from insanity, I enjoy every minute of it."
From: rob at torenware.com (Rob Thorne)
Date: Thu, 10 Jul 2003 11:08:23 -0700
Subject: [NoCat] NoCat and cgi-script debbugging - In which file ,the output goes ?
In-Reply-To: <20030710100422.7390.qmail@web11008.mail.yahoo.com>
References: <20030710100422.7390.qmail@web11008.mail.yahoo.com>
Message-ID: <3F0DAB97.4040804@torenware.com>

Aime,

For reasons that are unclear to me, the standard nocat.conf file for the auth server doesn't include the log-related settings you find in the gateway's nocat.conf file. But this is not a problem; the same settings work for the auth server as well. You can either use a regular file, or you can use the "syslog" option, which by default on my RedHat Linux boxes will place NoCat comments in the /var/log/messages file.

Regards,
Rob

Aime wrote:
>Hello All,
>
>Let assume someone puts :
>
>$authserv->log( 8, " We entered function login " );
>
>in the login cgiscript for instance.
>
>
>In which file the output is redirected ?
>I put such statements in my login cgi script for
>debugging purpose , but could not figure out where the
>output goes.
>
>Any idesa ?
>
>--Thanks in advance.
>
>
--
Rob Thorne
Torenware Networks
http://www.torenware.com

From pashdown at xmission.com Thu Jul 10 19:30:01 2003
From: pashdown at xmission.com (Pete Ashdown)
Date: Thu, 10 Jul 2003 12:30:01 -0600
Subject: [NoCat] Nocat restart loop
Message-ID: <20030710183001.GA7739@xmission.com>

I'm still having problems with nocat dying periodically. Is there a way I could get nocat to not fork into the background? Then I could just have a loop or inittab restart it if it dies. What is the purpose of the fork?

From aklougbo at yahoo.com Thu Jul 10 20:22:04 2003
From: aklougbo at yahoo.com (Aime)
Date: Thu, 10 Jul 2003 12:22:04 -0700 (PDT)
Subject: [NoCat] NoCat and cgi-script debbugging - In which file ,the output goes ?
In-Reply-To: <3F0DAB97.4040804@torenware.com>
Message-ID: <20030710192204.91774.qmail@web11002.mail.yahoo.com>

Hello,

On my system (pebble distro) I have:

- in /etc/apache/httpd.conf:

ErrorLog /var/log/apache/error.log

- somewhere in my cgi-script login:

$authserv->log( 7, sprintf( "User %s from %s requests %s",
    $params->{user} || "UNKNOWN", $cgi->remote_host,
    lc( $params->{mode} ) || "form" )
);

But I cannot see any "User xxx from xxx requested xxx" in my /var/log/apache/error.log, NEITHER in /usr/local/nocat/gateway/nocat.log.

--- Rob Thorne wrote:
> Aime,
>
> For reasons that are unclear to me, the standard
> nocat.conf file for the
> auth server doesn't include the log related settings
> you find in the
> gateway's nocat.conf file.
>
> But this is not a problem; the same settings work
> for the auth server as
> well. You can either use a regular file, or you can
> use the "syslog"
> option, which by default on my RedHat Linux boxes
> will place NoCat
> comments in the /var/log/messages file.
>
> Regards,
> Rob
>
> Aime wrote:
>
> >Hello All,
> >
> >Let assume someone puts :
> >
> >$authserv->log( 8, " We entered function login " );
> >
> >in the login cgiscript for instance.
> >
> >
> >In which file the output is redirected ?
> >I put such statements in my login cgi script for
> >debugging purpose , but could not figure out where
> the
> >output goes.
> >
> >Any idesa ?
> >
> >--Thanks in advance.
> >
> >
>
> --
> Rob Thorne
> Torenware Networks
> http://www.torenware.com
>
>

From rjw at sonic.net Thu Jul 10 20:35:23 2003
From: rjw at sonic.net (Roger Weeks)
Date: Thu, 10 Jul 2003 12:35:23 -0700 (PDT)
Subject: [NoCat] Nocat restart loop
In-Reply-To: <20030710190001.21463.88490.Mailman@mouse> from "nocat-request@lists.nocat.net" at Jul 10, 2003 12:00:01 PM
Message-ID: <200307101935.h6AJZNdS016361@bolt.sonic.net>

Don't know if you've checked out pebble, a micro-linux developed by the NYC Wireless guys - http://www.nycwireless.net/pebble - but they have experienced the same problems with nocat dying, and start it in inittab at the very end:

NC:23:respawn:start-stop-daemon -S -c nocat --exec /usr/local/nocat/bin/gateway -- -F

Roger Weeks

From pashdown at xmission.com Thu Jul 10 22:03:53 2003
From: pashdown at xmission.com (Pete Ashdown)
Date: Thu, 10 Jul 2003 15:03:53 -0600
Subject: [NoCat] Nocat restart loop
In-Reply-To: <200307101935.h6AJZNdS016361@bolt.sonic.net>
References: <20030710190001.21463.88490.Mailman@mouse> <200307101935.h6AJZNdS016361@bolt.sonic.net>
Message-ID: <20030710210353.GA19019@xmission.com>

On Thu, Jul 10, 2003 at 12:35:23PM -0700, Roger Weeks wrote:
> Don't know if you've checked out pebble, a micro-linux developed by the NYC Wireless guys - http://www.nycwireless.net/pebble - but they have experienced the same problems with nocat dying, and start it in inittab at the very end:
>
> NC:23:respawn:start-stop-daemon -S -c nocat --exec /usr/local/nocat/bin/gateway
> -- -F

Tried this, but due to the forking, init believes it is respawning too rapidly and stops restarting it. I'm using 0.81, do later versions not fork based on -F?

From karl.gaissmaier at kiz.uni-ulm.de Thu Jul 10 22:13:17 2003
From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier)
Date: Thu, 10 Jul 2003 23:13:17 +0200
Subject: [NoCat] Nocat restart loop
In-Reply-To: <20030710210353.GA19019@xmission.com>
References: <20030710190001.21463.88490.Mailman@mouse> <200307101935.h6AJZNdS016361@bolt.sonic.net> <20030710210353.GA19019@xmission.com>
Message-ID: <200307102313.17668.karl.gaissmaier@kiz.uni-ulm.de>

Hi Pete,

On Thursday 10 July 2003 20:30, Pete Ashdown wrote:
> I'm still having problems with nocat dying periodically. Is there a way I
> could get nocat to not fork into the background? Then I could just have a
> loop or inittab restart it if it dies. What is the purpose of the fork?

I'm quite new to NoCatAuth, but anyway already deep in debugging and adjusting for my needs. Try this statement in the nocat.conf file for the gateway and maybe use the -F flag on the cmdline for debugging purposes:

ForkOff 1

hope this helps

Regards
	Charly
--
Karl Gaissmaier
KIZ/Infrastructure, University of Ulm, Germany
Email:karl.gaissmaier@kiz.uni-ulm.de
Service Group Network

From pashdown at xmission.com Thu Jul 10 22:38:52 2003
From: pashdown at xmission.com (Pete Ashdown)
Date: Thu, 10 Jul 2003 15:38:52 -0600
Subject: [NoCat] Nocat restart loop
In-Reply-To: <20030710210353.GA19019@xmission.com>
References: <20030710190001.21463.88490.Mailman@mouse> <200307101935.h6AJZNdS016361@bolt.sonic.net> <20030710210353.GA19019@xmission.com>
Message-ID: <20030710213852.GA21006@xmission.com>

On Thu, Jul 10, 2003 at 03:03:53PM -0600, Pete Ashdown wrote:
> > NC:23:respawn:start-stop-daemon -S -c nocat --exec /usr/local/nocat/bin/gateway
> > -- -F
>
> Tried this, but due to the forking, init believes it is respawning too rapidly
> and stops restarting it. I'm using 0.81, do later versions not fork based on
> -F?

I just answered my own question. The flag "-F" was new as of 0.82.

From karl.gaissmaier at rz.uni-ulm.de Thu Jul 10 22:09:09 2003
From: karl.gaissmaier at rz.uni-ulm.de (Karl Gaissmaier)
Date: Thu, 10 Jul 2003 23:09:09 +0200
Subject: [NoCat] Nocat restart loop
In-Reply-To: <20030710183001.GA7739@xmission.com>
References: <20030710183001.GA7739@xmission.com>
Message-ID: <200307102309.09221.karl.gaissmaier@rz.uni-ulm.de>

Hi Pete,

On Thursday 10 July 2003 20:30, Pete Ashdown wrote:
> I'm still having problems with nocat dying periodically. Is there a way I
> could get nocat to not fork into the background? Then I could just have a
> loop or inittab restart it if it dies. What is the purpose of the fork?

I'm quite new to NoCatAuth, but anyway already deep in debugging and adjusting for my needs. Try this statement in the nocat.conf file for the gateway and maybe use the -F flag on the cmdline for debugging purposes:

ForkOff 1

hope this helps

Regards
	Charly
--
Karl Gaissmaier
KIZ/Infrastructure, University of Ulm, Germany
Email:karl.gaissmaier@kiz.uni-ulm.de
Service Group Network

From karl.gaissmaier at kiz.uni-ulm.de Thu Jul 10 22:29:25 2003
From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier)
Date: Thu, 10 Jul 2003 23:29:25 +0200
Subject: [NoCat] Nocat restart loop
In-Reply-To: <200307102313.17668.karl.gaissmaier@kiz.uni-ulm.de>
References: <20030710190001.21463.88490.Mailman@mouse> <20030710210353.GA19019@xmission.com> <200307102313.17668.karl.gaissmaier@kiz.uni-ulm.de>
Message-ID: <200307102329.25424.karl.gaissmaier@kiz.uni-ulm.de>

uups, I meant:

ForkOff 0

here is the relevant code snippet:

    # Don't spawn a child process if ForkOff is false.
    $is_parent = $self->spawn_child if $self->{ForkOff};

Regards
	Charly
--
Karl Gaissmaier
KIZ/Infrastructure, University of Ulm, Germany
Email:karl.gaissmaier@kiz.uni-ulm.de
Service Group Network

From karl.gaissmaier at kiz.uni-ulm.de Thu Jul 10 23:02:06 2003
From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier)
Date: Fri, 11 Jul 2003 00:02:06 +0200
Subject: [NoCat] Nocat restart loop
In-Reply-To: <200307102329.25424.karl.gaissmaier@kiz.uni-ulm.de>
References: <20030710190001.21463.88490.Mailman@mouse> <200307102313.17668.karl.gaissmaier@kiz.uni-ulm.de> <200307102329.25424.karl.gaissmaier@kiz.uni-ulm.de>
Message-ID: <200307110002.06003.karl.gaissmaier@kiz.uni-ulm.de>

Hi Pete and NoCatAuth developers,

here is a bad code snippet which causes problems when the handle times out:

    sub accept_client {
        my ($self, $sock) = @_;
        my $peer = $self->peer( $sock );
        my $peerhost = $sock->peerhost;
        $self->log( 8, "Connection to " . $sock->sockhost . " from $peerhost" );

        # Set the UNIX alarm clock.
        alarm( $self->{HandleTimeout} ) if $self->{HandleTimeout};

        # Wrap the call to handle() in eval{}, so we catch the
        # exception when the alarm goes off.
        #
        # Then turn the alarm off, Schuyler, you moron!
        eval {
            $self->handle( $peer );
            alarm 0 if $self->{HandleTimeout};
        };

        # Note the warning if the call to handle() threw an exception.
        $self->log( 1, "$peerhost: $@" ) if $@;
    }

should be rewritten to:

    sub accept_client {
        my ($self, $sock) = @_;
        my $peer = $self->peer( $sock );
        my $peerhost = $sock->peerhost;
        $self->log( 8, "Connection to " . $sock->sockhost . " from $peerhost" );

        # Wrap the call to handle() in eval{}, so we catch the
        # exception when the alarm goes off.
        #
        # Then turn the alarm off, Schuyler, you moron!
        eval {
            # localize the signal handler: SIGALRM now dies inside the eval
            # instead of terminating the process with the default action
            local $SIG{ALRM} = sub { die "handle timeout for peer $peerhost\n" };

            # Set the UNIX alarm clock.
            alarm( $self->{HandleTimeout} ) if $self->{HandleTimeout};

            $self->handle( $peer );
            alarm 0;
        };

        # Note the warning if the call to handle() threw an exception.
        $self->log( 1, "$peerhost: $@" ) if $@;
    }

without a signal handler for SIGALRM the child gets killed unconditionally, and if you use -F and ForkOff 0 your gateway daemon gets killed on any read timeout.

Hope this helps.
Regards
	Charly
--
Karl Gaissmaier
KIZ/Infrastructure, University of Ulm, Germany
Email:karl.gaissmaier@kiz.uni-ulm.de
Service Group Network

From karl.gaissmaier at kiz.uni-ulm.de Thu Jul 10 23:22:05 2003
From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier)
Date: Fri, 11 Jul 2003 00:22:05 +0200
Subject: [NoCat] NoCat and cgi-script debbugging - In which file ,the output goes ?
In-Reply-To: <20030710192204.91774.qmail@web11002.mail.yahoo.com>
References: <20030710192204.91774.qmail@web11002.mail.yahoo.com>
Message-ID: <200307110022.05760.karl.gaissmaier@kiz.uni-ulm.de>

Hi Aime,

On Thursday 10 July 2003 21:22, Aime wrote:
> -in somewhere in my cgi-script login :
> $authserv->log( 7, sprintf( "User %s from %s requests
> %s",
> $params->{user} || "UNKNOWN", $cgi->remote_host,
> lc( $params->{mode} ) || "form" )
> );

the problem is the Verbosity level. If you don't configure it in the config file for the authserver, the default is 5:

    ### Default log level.
    Verbosity       => 5,
    LogFacility     => "internal",
    SyslogSocket    => "unix",
    SyslogOptions   => "pid,cons,nowait",
    SyslogPriority  => "info",
    SyslogFacility  => "user",
    SyslogIdent     => "NoCat",

and when you use the log() method with verbosity 7 this message gets discarded by the following code snippet:

    sub log {
        my ( $self, $level, @msg ) = @_;
        # Bag if this message is too verbose.
        #
        if ( not ref $self or $level <= $self->{Verbosity} ) {
            if ( ref $self and $self->{LogFacility} eq "syslog" ) {
                $self->syslog_log(@msg);
            } else {
                $self->internal_log(@msg);
            }
        }
    }

Configure your Verbosity in your config (also for the authserver) or use a lower verbosity in the log() method.

Regards
	Charly
--
Karl Gaissmaier
KIZ/Infrastructure, University of Ulm, Germany
Email:karl.gaissmaier@kiz.uni-ulm.de
Service Group Network

From christian-koch at gmx.net Fri Jul 11 14:12:44 2003
From: christian-koch at gmx.net (Christian Koch)
Date: Fri, 11 Jul 2003 15:12:44 +0200
Subject: [NoCat] OpenBSD 3.3 and NoCat
Message-ID: <200307111512.44603.christian-koch@gmx.net>

Hi,

did somebody bring up the gateway on OpenBSD correctly with pf? I tried Version 0.82. When I try to start the gateway it runs, but with errors in the initialize.fw script. I would be grateful for someone providing me with working .fw scripts for OpenBSD. Here my output...

[root@globefish /usr/local/nocat]# bin/gateway
[2003-07-11 15:57:17] Resetting firewall.
rules cleared
nat cleared
altq cleared
states cleared
pf: statistics cleared
0 tables deleted.
pfctl: unknown command line argument: - ...
usage: pfctl [-AdeghnNqrROvz] [-a anchor[:ruleset]] [-D macro=value]
             [-f file] [-F modifier] [-k host] [-s modifier]
             [-t table] [-T command [address ...]] [-x level]
pfctl: unknown command line argument: - ...
usage: pfctl [-AdeghnNqrROvz] [-a anchor[:ruleset]] [-D macro=value]
             [-f file] [-F modifier] [-k host] [-s modifier]
             [-t table] [-T command [address ...]] [-x level]
[2003-07-11 15:57:17] Binding listener socket to 0.0.0.0
[root@globefish /usr/local/nocat]#

Thanks
Christian

From ulrich.schwarz at rz.uni-ulm.de Fri Jul 11 14:19:37 2003
From: ulrich.schwarz at rz.uni-ulm.de (ulrich schwarz)
Date: Fri, 11 Jul 2003 15:19:37 +0200
Subject: [NoCat] netscape problem with 0.82?
Message-ID: <3F0EB969.4050107@rz.uni-ulm.de>

hello everyone,

we have been testing nocat 0.81 for quite a long time and did not encounter browser specific problems.

now we have 0.82 running and it works fine with mozilla and IE, but not with netscape (versions 6.2 and 7.01 running on W2K and winXP).

the problem occurs shortly after the renewal popup box opened and brings up the login screen again.

this happens before the normal 5 sec redirect should take us to the original destination website. nevertheless, the client gets authenticated correctly and is permitted access in iptables.

here is an excerpt from the log:

Jul 11 12:55:07 pa-gw NoCat-gw[14577]: Got notification Capture of peer 00:02:2D:0E:AA:E0
Jul 11 12:55:07 pa-gw NoCat-gw[14577]: Child process returned 1
Jul 11 12:55:08 pa-gw NoCat-auth[14638]: User UNKNOWN from 134.60.237.19 requests form
Jul 11 12:56:42 pa-gw NoCat-auth[14667]: User nocat from 134.60.237.19 requests form
Jul 11 12:56:42 pa-gw NoCat-auth[14667]: Connecting to RADIUS server radius.rz.uni-ulm.de with Timeout 5
Jul 11 12:56:42 pa-gw NoCat-auth[14667]: Request from local ip 134.60.237.19, directing to local gateway 134.60.237.254.
Jul 11 12:56:42 pa-gw NoCat-gw[14577]: Ready in poll_socket: IO::Socket::INET=GLOB(0x8306c80)
Jul 11 12:56:42 pa-gw NoCat-gw[14577]: Spawning child process 14668.
Jul 11 12:56:43 pa-gw NoCat-gw[14668]: Peer::user called: NoCat::Peer=HASH(0x8343694)=[] (NoCat::Peer=HASH(0x8343694) )
Jul 11 12:56:43 pa-gw NoCat-gw[14668]: Connection to 134.60.237.254 from 134.60.237.254
Jul 11 12:56:43 pa-gw NoCat-auth[14667]: gpg --clearsign --homedir=/usr/local/nocat/authserv/cgi-bin/../pgp --keyring trustedkeys.gpg --no-tty -o- returned error message: gpg: Warning: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
Jul 11 12:56:43 pa-gw NoCat-gw[14668]: Received notify 00:02:2D:0E:AA:E0 from 134.60.237.254
Jul 11 12:56:43 pa-gw NoCat-gw[14668]: Got auth msg Redirect^Ihttp://www.google.de/ Mac^I00:02:2D:0E:AA:E0 User^Inocat Timeout^I28800 Token^I$1$03665104$ixgADUr77wj00lgQIahuP1 Mode^Ilogin Action^IPermit Member^IANY
Jul 11 12:56:43 pa-gw NoCat-gw[14668]: Peer::user called: NoCat::Peer=HASH(0x8355160)=[] (NoCat::Peer=HASH(0x8355160))
Jul 11 12:56:43 pa-gw NoCat-gw[14668]: Peer::user called: NoCat::Peer=HASH(0x8355160)=[] (NoCat::Peer=HASH(0x8355160) nocat)
Jul 11 12:56:43 pa-gw NoCat-gw[14668]: Peer::user called: NoCat::Peer=HASH(0x8355160)=[nocat] (NoCat::Peer=HASH(0x8355160))
Jul 11 12:56:43 pa-gw NoCat-gw[14668]: User (ANY Any) v. trusted (Any)
Jul 11 12:56:43 pa-gw NoCat-gw[14668]: Peer::user called: NoCat::Peer=HASH(0x8355160)=[nocat] (NoCat::Peer=HASH(0x8355160))
Jul 11 12:56:43 pa-gw NoCat-gw[14668]: User nocat permitted in class Member
Jul 11 12:56:43 pa-gw NoCat-gw[14668]: Notifying parent of Permit on peer 00:02:2D:0E:AA:E0
Jul 11 12:56:43 pa-gw NoCat-gw[14668]: Available MACs: 00:02:2D:0E:AA:E0
Jul 11 12:56:43 pa-gw NoCat-gw[14668]: Peer::user called: NoCat::Peer=HASH(0x8355160)=[nocat] (NoCat::Peer=HASH(0x8355160))
Jul 11 12:56:43 pa-gw NoCat-gw[14668]: Responding with: User^Inocat Token^I$1$gQIahuP2$3M1jxEbr.mxaem3u6E5ch. Timeout^I28800
Jul 11 12:56:43 pa-gw NoCat-auth[14667]: Request from local ip 134.60.237.19, directing to local gateway 134.60.237.254.
Jul 11 12:56:43 pa-gw NoCat-gw[14577]: Ready in poll_socket: IO::Pipe::End=GLOB(0x8314984)
Jul 11 12:56:44 pa-gw NoCat-gw[14577]: Got notification Permit of peer 00:02:2D:0E:AA:E0
Jul 11 12:56:44 pa-gw NoCat-gw[14577]: Child process returned 1
Jul 11 12:56:45 pa-gw NoCat-auth[14675]: User UNKNOWN from 134.60.237.19 requests form   ##### this line differs
Jul 11 12:56:45 pa-gw NoCat-auth[14674]: User nocat from 134.60.237.19 requests popup
Jul 11 12:56:45 pa-gw NoCat-auth[14674]: Request from local ip 134.60.237.19, directing to local gateway 134.60.237.254.

the marked line (third from bottom) does not appear with browsers other than netscape and seems to have to do with the improper second appearance of the login page.

does anyone have this effect too?

thanks in advance, greetings
ulric

--
ulrich schwarz, computing center, university of ulm, germany

From karl.gaissmaier at kiz.uni-ulm.de Fri Jul 11 16:41:21 2003
From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier)
Date: Fri, 11 Jul 2003 17:41:21 +0200
Subject: [NoCat] netscape problem with 0.82?
References: <3F0EB969.4050107@rz.uni-ulm.de>
Message-ID: <3F0EDAA1.209D736@kiz.uni-ulm.de>

Hi Ulrich,

ulrich schwarz schrieb:
>
> hello everyone,
>
> we have been testing nocat 0.81 for a quite long time and did not
> encounter browser specific problems.
>
> now we have 0.82 running and it works fine with mozilla and IE, but not
> with netscape (versions 6.2 and 7.01 running on W2K and winXP).
>
> the problem accurs shortly after the renewal popup box opened and brings
> up the login screen again.
>
> this happens before the normal 5 sec redirect should take us to the
> original destination website. nevertheless, the client gets
> authenticated and correctly and permitted access in iptables.

solved, you misconfigured the login.html template and netscape is more fussy here than the other browsers, as it seems. Sorry for the noise on the list for a local problem.

Regards
Charly
--
Karl Gaissmaier
KIZ/Infrastructure, University of Ulm, Germany
Email:karl.gaissmaier@kiz.uni-ulm.de
Service Group Network
Tel.: ++49 731 50-22499

From rob at capband.net Fri Jul 11 19:16:21 2003
From: rob at capband.net (Rob Nelson)
Date: Fri, 11 Jul 2003 14:16:21 -0400
Subject: [NoCat] Nocat without NAT
Message-ID: <5.2.1.1.0.20030711141226.018029c8@mail.capband.net>

Hello,

In our situation, we're using NoCat with NAT talking directly to T1's. However, we're introducing a box that does bandwidth aggregation on multiple lines (i.e. 2 cable, 2 DSL, 1 T1) and uses NAT. This is killing VPN's as well as causing problems with each connection from a client being treated as a different connection.

Ex: If two machines are connected directly to the aggregator, each connection to a web site gets round-robin'ed on a per-page basis. If they're behind a NAT box, each individual GET command is round-robin'ed separately, killing some web sites that are denying because the second GET came from a different IP.

We think we can remedy this by having Nocat do routing. In our case it would be routing 10.10.0.0/16 on the inside to 192.168.0.0/30 on the outside (one IP for NoCat, one for the aggregator). Has anyone tried this? Other than adding a route to 10.10.0.0/16 on the one box, I can't imagine any difficulties. Just not sure how much of NoCat is tied to NAT.

Thanks,

Rob Nelson
Network Administrator, Capitol Broadband
C: 919-369-1874
rob@capband.net

From jbarrett at amduat.net Fri Jul 11 19:34:49 2003
From: jbarrett at amduat.net (Jacob S. Barrett)
Date: Fri, 11 Jul 2003 11:34:49 -0700
Subject: [NoCat] Nocat without NAT
Message-ID: <3F0F0349.7010004@amduat.net>

Rob Nelson wrote:
> We think we can remedy this by having Nocat do routing. In our case it
> would be routing 10.10.0.0/16 on the inside to 192.168.0.0/30 on the
> outside (one IP for NoCat, one for the aggregator). Has anyone tried
> this? Other than adding a route to 10.10.0.0/16 on the one box, I can't
> imagine any difficulties. Just not sure how much of NoCat is tied to NAT.

I am doing that with FreeBSD and IPFW2. It works great too. You will just have to change the accept.fw and probably initialize.fw scripts you use. Rather than adding a NAT rule for an ip/mac, add an accept rule so that none of that traffic passes through NAT.

-Jake

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."

From karl.gaissmaier at kiz.uni-ulm.de Sun Jul 13 21:26:57 2003
From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier)
Date: Sun, 13 Jul 2003 22:26:57 +0200
Subject: [NoCat] Patch: CypherSecret.patch stops clear text passwords in the html source ...
Message-ID: <200307132226.57417.karl.gaissmaier@kiz.uni-ulm.de>

Hi NoCat Users/Developers,

I enhanced NoCatAuth to use a symmetric cypher for password exchanges during the renewal. Sure, we use https, but the passwords are in cleartext in the html source, in the browser cache, in the browser history, the redirect urls with cleartext password pop up with smart browsing, ... ...

The password is encrypted with the same algorithm used in the radius protocol. Indeed I copied the algorithm nearly literally from Authen::Radius.

In short: The new 'CypherSecret' config param and the current token are used together and hashed with Digest::MD5. This string is xor'd with the password, generating the new 'cryptpwd'. This cryptpwd is used in the renew and popup urls instead of the cleartext passwd.

Would be nice if this enhancement finds its way into the regular distribution.

Regards
	Charly
--
Karl Gaissmaier
KIZ/Infrastructure, University of Ulm, Germany
Email:karl.gaissmaier@kiz.uni-ulm.de
Service Group Network

Attachment: CypherSecret.patch

diff -Naur --exclude-from diff-exclude NoCatAuth-nightly120703/authserv.conf nocat-modified/authserv.conf --- NoCatAuth-nightly120703/authserv.conf 2003-03-17 23:46:11.000000000 +0100 +++ nocat-modified/authserv.conf 2003-07-13 21:30:29.000000000 +0200
@@ -12,6 +12,13 @@ # Verbosity 10 +# +# CypherSecret -- used for symmetric encryption of the +# user password. Without a CypherSecret the cleartext password is +# viewable in the html sources, the browser cache, the history, the ... +# +CypherSecret mysecret + ## # PGPKeyPath -- The directory in which PGP keys are stored. # NoCat tries to find this in the pgp/ directory above diff -Naur --exclude-from diff-exclude NoCatAuth-nightly120703/cgi-bin/login nocat-modified/cgi-bin/login --- NoCatAuth-nightly120703/cgi-bin/login 2002-08-15 04:05:18.000000000 +0200 +++ nocat-modified/cgi-bin/login 2003-07-13 21:23:10.000000000 +0200 @@ -52,6 +52,13 @@ $authserv->display( FatalForm => "Your gateway token is undefined. Problem with the gateway?" ) unless $params->{token}; +# did we get a crypted password, generate the cleartext for authentication +if ($authserv->{CypherSecret} and not $params->{pass}) { + my $salt = $params->{token}; + $params->{pass} = $authserv->encrypt_pwd($params->{cryptpwd}, $salt) + if $params->{cryptpwd}; +}; + # If the user skipped authentication... if ( $params->{user} eq ANONYMOUS or $params->{mode} =~ /^skip/io ) { $params->{user} = ANONYMOUS; @@ -84,6 +91,15 @@ # Or we're either logging in, or renewing, in which case, notify the gateway. } elsif ($gw = $authserv->notify( Permit => $params )) { + + # create cryptpwd with new token as salt + if ($authserv->{CypherSecret} and not $gw->{Error}) { + my $salt = $gw->{Token} || $gw->{token}; + $params->{cryptpwd} = $authserv->encrypt_pwd($params->{pass}, $salt); + # be sure no cleartext password can be in the html forms or url's + delete $params->{pass}; + }; + if ( $gw->{Error} ) { # Oddly enough, this isn't really success. $form = "ExpiredForm"; diff -Naur --exclude-from diff-exclude NoCatAuth-nightly120703/lib/NoCat.pm nocat-modified/lib/NoCat.pm --- NoCatAuth-nightly120703/lib/NoCat.pm 2003-07-12 12:00:04.000000000 +0200 +++ nocat-modified/lib/NoCat.pm 2003-07-13 21:22:38.000000000 +0200 
@@ -14,6 +14,7 @@ use FindBin; use Exporter; use Carp; +use Digest::MD5 qw(); use vars qw( @ISA @EXPORT_OK *FILE ); use strict; @@ -378,6 +379,26 @@ return NoCat::Peer->new( Parent => $self, @_ ); } +sub encrypt_pwd { + # based on the algorithm used in the radius protocol + croak "parameter(s) missing" unless scalar @_ == 3; + my ($self, $pwd, $token) = @_; + my ($i, $ct, @pwdp, @xor); + + # algorithm copied nearly literally from Authen::Radius by kg + # this only works for passwords <= 16 chars + $pwd .= "\0" x (16 - length($pwd) % 16); + @pwdp = unpack('C16', pack('a16', $pwd)); + $ct = Digest::MD5->new; + $ct->add ($self->{CypherSecret}, $token); + @xor = unpack('C16', $ct->digest()); + for $i (0..15) { + $pwdp[$i] ^= $xor[$i]; + } + + pack('C' . length($pwd), @pwdp); +} + 1; __END__ @@ -477,6 +498,8 @@ =item template() Pass a template, and optional hashref, and it returns the filled template. +=item encrypt_pwd() Symmetrically encrypts a string. Algorithm copied from Authen::Radius() + =item gateway() Returns a NoCat::Gateway object =item firewall() Returns a NoCat::Firewall object

From jbarrett at amduat.net Mon Jul 14 17:51:11 2003
From: jbarrett at amduat.net (Jacob S. Barrett)
Date: Mon, 14 Jul 2003 09:51:11 -0700
Subject: [NoCat] Latest Accouting, RADIUS and IPFW2 Patches
Message-ID: <3F12DF7F.9080107@amduat.net>

I have started a little web page with all the latest and greatest patches and some other goodies. Check there regularly for the latest patches and help. I just published some new patches from all my work this weekend.

http://www.pogozone.net/projects/nocat/

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."

From sverma at sfsu.edu Mon Jul 14 05:32:16 2003
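Review bot: in the authserv.conf hunk of CypherSecret.patch, the uncommented default `CypherSecret mysecret` means every installation that does not edit the file shares the same key, and the new comment block does not say the value has to be changed; ship it commented out, the way the `# Verbosity 10` line just above it is, and state in the comment that anyone holding CypherSecret and the token turns a cryptpwd back into the cleartext password with the same xor, so the value is as sensitive as the RADIUS shared secret.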
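Review bot: in the first cgi-bin/login hunk (`@@ -52,6 +52,13 @@`), the decrypt block runs whenever `$params->{pass}` is empty and silently leaves `pass` undefined when `cryptpwd` is missing too, and it salts with `$params->{token}` while the encrypt side in the second hunk salts with `$gw->{Token} || $gw->{token}`; if these are ever different values a renewal decrypts to garbage and the user lands back on the login form with nothing in the log. Add a `$authserv->log(...)` line for the "cryptpwd present, pass absent" path and a comment stating which token the form carries, so a mismatch is diagnosable.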
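Review bot: in the second cgi-bin/login hunk (`@@ -84,6 +91,15 @@`), `encrypt_pwd` returns raw binary (it ends in `pack('C...')`), yet `$params->{cryptpwd}` is stored for use in the renew and popup URLs and nothing in the patch shows it being URI-escaped or hex-encoded; NUL and reserved bytes will not survive a round trip through a URL, so encode it here (or document where the templates do). Also, `not $gw->{Error}` is tested in the new block and again two lines later by the existing `if ( $gw->{Error} )`; moving the block into that branch avoids testing it twice and keeps `delete $params->{pass}` next to the success path it belongs to.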
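Review bot: in the lib/NoCat.pm `encrypt_pwd` hunk (`@@ -378,6 +379,26 @@`), the padding `$pwd .= "\0" x (16 - length($pwd) % 16)` appends a full 16 NUL bytes when the length is already a multiple of 16, which is always the case on the decrypt path (the 16-byte cryptpwd comes back in), and the final `pack('C' . length($pwd), @pwdp)` then uses that padded length with only 16 values in `@pwdp`, so the recovered password carries trailing NUL bytes into `$params->{pass}`; use `pack('C16', @pwdp)` and strip trailing `"\0"` when decrypting. The `<= 16 chars` comment also deserves a `croak`: `pack('a16', $pwd)` silently truncates longer passwords, so a renewal would re-authenticate with the first 16 bytes only.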
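Review bot: in the POD hunk (`@@ -477,6 +498,8 @@`), the `=item encrypt_pwd()` entry should give the calling convention `($pwd, $token)`, say that the same call applied to the cryptpwd returns the cleartext (the operation is an xor, so encrypt and decrypt are one function), and repeat the 16-byte limit that is currently only a comment in the code; "Symmetrically encrypts a string" tells a caller none of that.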
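The scheme Charly describes (MD5 over CypherSecret and the token, xor'd with the NUL-padded password) is the one-block case of the RFC 2865 User-Password hiding. The following is an added Python reimplementation, not code from NoCatAuth or the patch, that shows the same xor both hides and reveals, refuses the over-16-byte passwords the Perl silently truncates, and carries the general chained form for longer passwords; CYPHER_SECRET and TOKEN are constructed sample values.

```python
"""Added example: the CypherSecret password-hiding scheme in Python.
Not NoCatAuth code; the secret and token below are constructed samples."""
import hashlib

BLOCK = 16                                   # one MD5 digest = one password block
CYPHER_SECRET = b"mysecret"                  # the patch's shipped default, assumed unchanged
TOKEN = b"constructed-gateway-token-value"   # stands in for the gateway's session token


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_pwd(password: bytes, secret: bytes = CYPHER_SECRET,
                token: bytes = TOKEN) -> bytes:
    """Single-block hiding as in the patch: NUL-pad to 16 bytes and xor with
    MD5(secret || token).  Unlike the Perl version, refuse a password that
    does not fit one block instead of silently truncating it."""
    if len(password) > BLOCK:
        raise ValueError("single-block scheme holds at most 16 password bytes")
    keystream = hashlib.md5(secret + token).digest()
    return _xor(password.ljust(BLOCK, b"\0"), keystream)


def decrypt_pwd(cryptpwd: bytes, secret: bytes = CYPHER_SECRET,
                token: bytes = TOKEN) -> bytes:
    """The inverse is the same xor; only the NUL padding has to come off,
    which is the step the Perl decrypt path leaves out."""
    if len(cryptpwd) != BLOCK:
        raise ValueError("cryptpwd must be exactly one 16-byte block")
    keystream = hashlib.md5(secret + token).digest()
    return _xor(cryptpwd, keystream).rstrip(b"\0")


def rfc2865_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """General form from RFC 2865 section 5.2, of which the patch is the
    one-block special case: block n is xor'd with MD5(secret || c(n-1)),
    the previous *ciphertext* block, so up to 128 bytes can be hidden."""
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 User-Password holds 1..128 bytes")
    padded = password + b"\0" * (-len(password) % BLOCK)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        block = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def rfc2865_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of rfc2865_hide: the chaining value for block n is the hidden
    block n-1, so reveal walks the ciphertext, not the plaintext."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden string must be a whole number of blocks")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\0")


if __name__ == "__main__":
    hidden = encrypt_pwd(b"s3cret!")
    print(hidden.hex(), decrypt_pwd(hidden))
```

Because the keystream depends only on the secret and the token, two cryptpwds made under the same token xor to the xor of the padded passwords with no secret involved, which is why the patch salts each renewal with the freshly issued token.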
From: sverma at sfsu.edu (Sameer Verma)
Date: Sun, 13 Jul 2003 21:32:16 -0700
Subject: [NoCat] gnupg versions...
Message-ID: <3F123250.1060500@sfsu.edu>

Folks,
I had heard of some incompatibility issues with respect to stock nocat relying on gnupg 1.0.6 and folks upgrading to gnupg 1.0.7

I have seen problems with 1.2.1 on Auth and 1.0.6 on the gw. gnupg's list has some info on this as well [http://lists.gnupg.org/pipermail/gnupg-announce/2003q2/000267.html]. So there's definitely some incompatibility between pre 1.0.7 and post 1.0.7

What about 1.2.1 or 1.2.2? Has anyone upgraded both auth and gw to these versions?
Are there any strong reasons to do this?

Sameer

--
Dr. Sameer Verma, Ph.D.
Asst. Professor of Information Systems
San Francisco State University
San Francisco CA 94132 USA
http://verma.sfsu.edu/

From eb2bjx at hispavista.com Mon Jul 14 20:11:43 2003
From: eb2bjx at hispavista.com (eb2bjx@hispavista.com)
Date: Mon, 14 Jul 2003 21:11:43 +0200
Subject: [NoCat] Premature end of script
Message-ID:

Hi all,

I'm having problems with AuthService.pm. After a successful login, I get an error page. Apache error log says

-----------------------------------------------------------
Can't call method "text" on an undefined value at ../lib//NoCat/AuthService.pm line 134.
[Mon Jul 14 20:46:52 2003] [error] [client 10.0.0.100] Premature end of script headers: /usr/local/nocat/auth/cgi-bin/login
-----------------------------------------------------------

Any help? Thank you in advance!

From email-peyman at comcast.net Mon Jul 14 22:55:35 2003
From: email-peyman at comcast.net (Peyman Pourkermani)
Date: 14 Jul 2003 16:55:35 -0500
Subject: [NoCat] gnupg versions...
In-Reply-To: <3F123250.1060500@sfsu.edu>
References: <3F123250.1060500@sfsu.edu>
Message-ID: <1058219735.9394.8.camel@raptor>

Dr. Verma,

I just checked my configuration and I have 1.2.0 on the gateway and 1.2.1 on the auth server and everything works. Other than security fixes and/or future compatibility issues I don't see why you would need to upgrade. Personally I would use the latest stable versions if they work.

Regards,
Peyman

On Sun, 2003-07-13 at 23:32, Sameer Verma wrote:
> Folks,
> I had heard of some incompatibility issues with respect to stock nocat
> relying on gnupg 1.0.6 and folks upgrading to gnupg 1.0.7
>
> I have seen problems with 1.2.1 on Auth and 1.0.6 on the gw. gnupg's
> list has some info on this as well
> [http://lists.gnupg.org/pipermail/gnupg-announce/2003q2/000267.html].
> So there's definitely some incompatibility between pre 1.0.7 and post 1.0.7
>
> What about 1.2.1 or 1.2.2? Has anyone upgraded both auth and gw to these
> versions?
> Are there any strong reasons to do this?
>
> Sameer

From Nathaniel McMullin" Authserver?
Message-ID: <001001c34b44$d4dd7b50$8301a8c0@orion>

Hi there, I was able to get NoCatAuth to compile and install. I am running the gateway now and was able to create a new account and login, and also try to use the Web w/o signing on, seems to work great. My questions (hopefully easy) are:

1. How do I run my own user account backend? (i.e. for a local community network where I can see the master user list, modify accounts, etc, etc)

2. Are there any backend management modules for the above question?

3. If I left the auth server as auth.nocat.net, that would in effect allow any user that registered on my location the ability to in turn use any other nocat network that also used that auth server (auth.nocat.net), correct? (thus creating roaming?).

I want to implement a solution where I can have free 128k access to everyone, and then throttle higher rates to paying users and track the users via a backend management system. Any suggestions?

Thanks!
nate@mailblocks.com

Nathaniel McMullin
From buettnerp at web.de Wed Jul 16 19:31:58 2003 From: buettnerp at web.de (Peter Buettner) Date: Wed, 16 Jul 2003 20:31:58 +0200 Subject: [NoCat] Patches from Jacob S. Barret Message-ID: <200307161831.h6GIVwQ22850@mailgate5.cinetic.de>

Hello,

last week I installed the latest Pebble and authserv+freeradius on separate machines. This system worked fine.

To get some accounting and security, I installed the patches from Jacob S. Barret and cyphersecret.patch.

Accountingmethod None in nocat.conf on the gateway, because stats.fw is for BSD only.

The gateway starts up without error. My client gets an IP from DHCP. The login appears. The logout appears for a fraction of a second in its popup and then an error message.

radius.log says authentication OK.

https error.log: [ client 1.2.3.4 ] script not found or unable to stat: /usr/local/nocat/cgi-bin/450;
https access.log: "GET /cgi-bin/450; HTTP 1.1" 404 303 "-" "Moz......."
nocat.log:
Gateway running on port 5280
Spawning child process 187
Connection to 10.0.1.1 from 10.0.1.12
Capturing 10.0.1.12 for http://nocat.net/
Notifying parent of Capture on peer macaddress
Got notification Capture of peer macaddress
Child process returned 1

Has somebody an idea what is going wrong?

Thank you for any help.

Peter Büttner

From jbarrett at amduat.net Wed Jul 16 20:18:58 2003 From: jbarrett at amduat.net (Jacob S. Barrett) Date: Wed, 16 Jul 2003 12:18:58 -0700 Subject: [NoCat] Patches from Jacob S.
Barret Message-ID: <3F15A522.7060702@amduat.net>

I bet it has something to do with my changes to the meta refresh headers to get the "here" link to work. The $redirect variable used to be set to "5; URL=http://foo.bar", so when you clicked on "here" on login_ok.html it would try to go to "http://[authserv]/cgi-bin/5". I added another variable, $redirecttime, with the time in it and left the url in $redirect. Then I modified the templates to use that, but only the login_ok templates. So you will need to update the others with: There might also be some places in cgi-bin/login that need updating. I don't use the pop window thing, I use the login_ok_nopopup.html.

Peter Buettner wrote:
> Hello,
>
> last week I installed the latest Pebble and authserv+freeradius on separate machines.
> This system worked fine.
>
> To get some accounting and security, I installed the patches from Jacob S. Barret and
> cyphersecret.patch.
> [...]
> https error.log: [ client 1.2.3.4 ] script not found or unable to stat: /usr/local/nocat/cgi-bin/450;
> https access.log: "GET /cgi-bin/450; HTTP 1.1" 404 303 "-" "Moz......."
> [...]
> Peter Büttner
>
> _______________________________________________
> NoCat mailing list
> NoCat@lists.nocat.net
> http://lists.nocat.net/mailman/listinfo/nocat

-- Jacob S. Barrett jbarrett@amduat.net www.amduat.net "I don't suffer from insanity, I enjoy every minute of it."

From chs at 23.org Wed Jul 16 20:30:08 2003 From: chs at 23.org (CHS) Date: Wed, 16 Jul 2003 12:30:08 -0700 (PDT) Subject: [NoCat] Problem getting nocatauth+gateway working on same machine. Message-ID:

I've got a single machine, eth0 is 192.168.5.X, and eth1 is 192.168.6.X; this is a standalone machine. There will be no internet access available to it.

I've got a Linksys wireless bridge connected directly to eth1, and it is serving up DHCP requests to wireless clients.

I followed the documentation for authserv and gateway, and have both up and running and (I think) configured properly.

One or both appears to be mostly working properly. When I disconnect my laptop from the internet, and plug in a wireless card and associate it with the AP, it gets DHCP from the machine and puts me on the eth1/6.X network. Then, if I open Mozilla, which automatically tries to hit Google, it does in fact redirect me to the login page. I log in, and it says:

Error
Your MAC address is undefined. Problem with the gateway?

The other (smaller) problem is that all of the image links appear broken, and as far as I can tell, all paths are set up properly in all configuration files.

I'm using Apache 1.3.27, the latest nocat authserv and gw. I've followed all documentation from the website, including the single machine documentation. Unfortunately, none of the documents are clear enough in exactly WHAT nocat does, and the sequence of events, etc., so it's very hard for me to troubleshoot this.

Any and all assistance would be greatly appreciated.

Thanks!
--Christian
---- -- http://www.23.org/~chs/ -- AIM/AOL: bdsmchs
"Among the many misdeeds of the British rule in India, history will look upon the act of depriving a whole nation of arms, as the blackest." Mahatma Gandhi

From buettnerp at web.de Thu Jul 17 09:05:59 2003 From: buettnerp at web.de (Peter Buettner) Date: Thu, 17 Jul 2003 10:05:59 +0200 Subject: [NoCat] Problem getting nocatauth+gateway working on same machine. Message-ID: <200307170805.h6H85xQ17948@mailgate5.cinetic.de>

Apache can not handle your SET env properly. Try to uncomment the line #LoadModule env_module in httpd.conf. This should solve your problem.

Peter Büttner

CHS wrote on 16.07.03 21:36:55:
> I've got a single machine, eth0 is 192.168.5.X, and eth1 is 192.168.6.X,
> this is a standalone machine. there will be no internet access available
> to it.
> [...]
> it does in fact redirect me to the login page. I log in, and it says:
> Error
>
> Your MAC address is undefined. Problem with the gateway?
>
> the other (smaller) problem is that all of the image links appear broken.
> [...]
> I'm using apache 1.3.27, the latest nocat authserv and gw.
> [...]
> --Christian

From karl.gaissmaier at kiz.uni-ulm.de Thu Jul 17 11:08:28 2003 From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Thu, 17 Jul 2003 12:08:28 +0200 Subject: [NoCat] Patch handling is in disorder for the NoCatAuth developers community Message-ID: <3F16759C.F95BDBE9@kiz.uni-ulm.de>

Hi developers,

I have a bunch of patches waiting to get sent to the list, but I'm disappointed by the patch handling for this project. I badly miss a CVS server for the NoCatAuth project.
The following patches are waiting in my devel folder to be sent:

alarm-02.patch: handles proper setting of the handle alarm
CypherSecret-02.patch: CypherSecret-02, cryptpwd, corrects a small glitch in the popup window I forgot in patch 01
gpg-secmem-01.patch: gets rid of the following warning: gpg: Warning: using insecure memory!...
http_redirect-01.patch: a patch for handling the wrong redirect after a successful login. href and http headers use different formats (a similar patch exists, but I had no luck searching for it)
proxy-capture-03.patch: detects clients with proxy enabled and informs them to disable it
radius-01.patch: small patch already posted by my co-worker ulric

At least it would be nice to have a process for sending patches, and the patches should be stored in a repository so that we don't have to search in the list archive.

Any suggestions?

Regards
Charly
-- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network Tel.: ++49 731 50-22499

From karl.gaissmaier at kiz.uni-ulm.de Fri Jul 18 15:59:12 2003 From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Fri, 18 Jul 2003 16:59:12 +0200 Subject: [NoCat] small annoyance: browser keep-alive and missing FIN/RST packets Message-ID: <3F180B40.90DCC04@kiz.uni-ulm.de>

Hi NoCatAuth developers or iptables wizards,

I have a small problem. A user authenticates to the AuthServ, gets within 5 sec the redirect to his requested page and decides within a few seconds to log out from the gateway. The browser requested the page from the www host with the http option "keep-alive". If the user now hits the reload button on his browser to reauthenticate, the browser sends no SYN tcp packet (since it will use the existing connection) and therefore the iptables rule can't redirect to the local 5280 port. This lasts approx. 1 min and then the browser starts with a new SYN packet and everything goes well.

Does anyone have an idea where in the chains we could reject with a tcp RST flag in this case?

Regards
Charly
-- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network Tel.: ++49 731 50-22499

From dloomis at fpceldorado.org Fri Jul 18 17:01:14 2003 From: dloomis at fpceldorado.org (Dr. Daniel Loomis) Date: 18 Jul 2003 11:01:14 -0500 Subject: [NoCat] SSL Certificates Message-ID: <1058544046.5782.55.camel@toshiba>

I am looking into setting up a community wireless system based on our church with the bell tower as primary antenna site. I plan to use NoCatAuth for user authentication. I have successfully set up a testbed using NoCatAuth with it accessing the nocat.net server, but plan to set up a local authorization server for obvious reasons (we are in Arkansas, not California!). The salient features will be as follows:

1. Gateway will run on a Soekris 4521 equipped with two radio cards running Wisp-Dist in Access Point mode (if I can get NoCat gateway to install and run in that rather specialized environment).
2. Authorization server will be a separate file server in our computer lab running RedHat 9 and the current stable Apache with mod-ssl.

Q1. Do I need an SSL certificate for a strictly internal web server?
Q2. If yes, how do I get an SSL certificate for our Apache web server?
Q3. What happens if I upgrade the server/Apache/etc? Do I get a new certificate?

Please bear with me if my questions appear a bit elementary. While I am fairly competent with setting up Linux as a file, print or terminal server, I am still on the steep part of the learning curve for setting up community wireless networks.

Dan
-----------
Dr. Daniel Loomis
First Presbyterian Church
El Dorado, AR

From bh at nt.is Fri Jul 18 17:48:45 2003 From: bh at nt.is (Brynjar Hauksson) Date: Fri, 18 Jul 2003 23:48:45 +0700 Subject: [NoCat] SSL Certificates In-Reply-To: <1058544046.5782.55.camel@toshiba> Message-ID: <000501c34d4c$75f8aab0$6500a8c0@natuamia>

Q1. Do I need an SSL certificate for a strictly internal web server?
A. Not really, but your users will be annoyed with a security popup window every time they try to log in to the system. I recommend it.

Q2. If yes, how do I get an SSL certificate for our Apache web server?
A. Last time I shopped around these were cheapest: http://www.comodogroup.com/products/certificate_services/index.html 49$ / year (remind me to post my affiliate code here next time)

Q3. What happens if I upgrade the server/Apache/etc? Do I get a new certificate?
A. You can use the same certificate until it expires.

Kveðja / Best regards / ด้วยความคิดถึง

Brynjar Hauksson
From wireless at verma.sfsu.edu Fri Jul 18 18:59:45 2003 From: wireless at verma.sfsu.edu (Sameer Verma) Date: Fri, 18 Jul 2003 10:59:45 -0700 Subject: [NoCat] SSL Certificates In-Reply-To: <1058544046.5782.55.camel@toshiba> References: <1058544046.5782.55.camel@toshiba> Message-ID: <3F183591.8000805@verma.sfsu.edu>

Dr. Daniel Loomis wrote:
> I am looking into setting up a community wireless system based on our church with the bell tower as primary antenna site. I plan to use NoCatAuth for user authentication. I have successfully setup a testbed using NoCatAuth with it accessing the nocat.net server, but plan to setup a local authorization server for obvious reasons (we are in Arkansas, not California!). The salient features will be as follows:

Daniel,

While location doesn't really matter (you are on the Internet), running your own auth server gives you more control on how you want to do things.

> 1.Gateway will run on a Soekris 4521 equipped with two radio cards running Wisp-Dist in Access Point mode (if I can get NoCat gateway to install and run in that rather specialized environment).

To run NoCat on the Soekris unit, you might want to look into Pebble. It works well on Soekris and other non CF based systems. http://www.nycwireless.net/pebble/

> 2.Authorization server will be a separate file server in our computer lab running RedHat 9 and the current stable Apache with mod-ssl.
>
> Q1.Do I need an SSL certificate for a strictly internal web server?
>
> Q2.If yes, how do I get an SSL certificate for our Apache web server.

To make your own, see http://www.tldp.org/HOWTO/SSL-RedHat-HOWTO-3.html

> Q3.What happens if I upgrade the server/Apache/etc? Do I get a new certificate?
>
> Please bear with me if my questions appear a bit elementary. While I am fairly competent with setting Linux as a file, print or terminal server, I am still on the steep part of the learning curve for setting up community wireless networks.
>
> Dan
> -----------
> Dr. Daniel Loomis
> First Presbyterian Church
> El Dorado, AR

Sameer
-- Dr. Sameer Verma, Ph.D. Asst. Professor of Information Systems San Francisco State University San Francisco CA 94132 USA http://verma.sfsu.edu/

From dloomis at fpceldorado.org Fri Jul 18 22:04:48 2003 From: dloomis at fpceldorado.org (Dr. Daniel Loomis) Date: 18 Jul 2003 16:04:48 -0500 Subject: [NoCat] SSL Certificates Message-ID: <1058562287.3180.38.camel@toshiba>

Thanks to all for the info on getting a certificate for our Apache server. I will check out both the do-it-yourself and commercial options.

I have a working setup running on a small partition on my laptop running under RedHat 9 (which I understand fairly well). NoCatAuth in gateway mode works just fine. I know how to set up RedHat as a router and even do some rudimentary bandwidth shaping.

I tried setting up Pebble on my testbed setup (laptop), but could not get it to work right. It booted ok, but I could never get the networking and wireless quite right. That is partly to do with my lack of familiarity with Debian. I tried four different installs. Each time I had to disable the serial terminal and NoCat in inittab while I tried to get things set up (they kept interrupting with error messages). In frustration, I finally wiped the partition and installed RedHat. After removing everything I could think of to remove it was still over 400 MB. But at least NoCatAuth installed as it should!

While I still plan to use the Soekris board, I may end up getting a 512 MB CF and installing RH! An IBM 1 GB microdrive would be nice too! I will try the Pebble install again once my Soekris board arrives. I am also looking at some commercial alternatives to NoCat, but don't know if my budget can stand any more just now!

Thanks to all
Dan
----------
Dr.
Daniel Loomis
First Presbyterian Church
El Dorado, AR

From csrle at eiu.edu Thu Jul 17 19:18:41 2003 From: csrle at eiu.edu (Randy Ethridge) Date: Thu, 17 Jul 2003 13:18:41 -0500 Subject: [NoCat] [NoCatNet] RADIUS Message-ID: <3F16E881.1080708@eiu.edu>

I am having a problem with Radius authentication. The AUTHEN::RADIUS mod worked when make test was run, but all I get when I try to log on through NoCat is "the username and password doesn't match"... any ideas?

Thanks
Randy
_______________________________________________
NoCatNet mailing list
NoCatNet@lists.nocat.net
http://lists.nocat.net/mailman/listinfo/nocatnet

From matt at mattsmith.net Sat Jul 19 15:09:41 2003 From: matt at mattsmith.net (Matt Smith) Date: Sat, 19 Jul 2003 10:09:41 -0400 (EDT) Subject: [NoCat] NoCatAuth & XP/IE6.0 Message-ID: <55769.66.23.199.178.1058623781.squirrel@www.mattsmith.net>

Has anybody run into weird problems when using XP w/ IE6 and going through a NoCatAuth gateway 0.81? I don't have XP personally, so I'm going mostly off of reports, but I have seen it happen personally, and seen weirdness in the logs, but basically after a while a person with this config will get "denied" on a renew attempt, and forever be locked out of the gateway until it is bounced. I can't find an example in the logs for sure right now, so hopefully somebody has seen this first hand and has an idea? This same box also just stops redirecting people to the login page when they first get captured; the gateway process is still running, just out to lunch.

--Matt

From recompiler at hacksrus.com Mon Jul 21 20:13:08 2003 From: recompiler at hacksrus.com (Vlad G.) Date: Mon, 21 Jul 2003 15:13:08 -0400 (EDT) Subject: [NoCat] A simple way around needing a hard drive, or an expensive compact flash Message-ID: <10865.64.253.49.129.1058814788.squirrel@www.omnistep.com>

Hello,

Does anyone remember a Linux project at the Linux World Expo where they took network cards, put EEPROM chips in them and were able to boot over the network? Why not put $12 hardwired cards into all NoCat PCs, run the wire downstairs to a PC that has the boot image, and upon connection the PC that has the boot image can even download the newer boot image for next time. Booting over the network is nothing new. If you were to boot over the network you won't need a hard drive that can fail, or an expensive compact flash, or a MOBO that supports it. This seems like a good way to implement auto build as well.

Comments?
-- Vlad G.

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

From matt at engsoc.org Mon Jul 21 21:00:20 2003 From: matt at engsoc.org (Matt McParland) Date: Mon, 21 Jul 2003 16:00:20 -0400 (EDT) Subject: [NoCat] SSL Certificates In-Reply-To: <1058562287.3180.38.camel@toshiba> Message-ID:

On 18 Jul 2003, Dr. Daniel Loomis wrote:
> Thanks to all for the info on getting a certificate for our Apache
> server. I will check out both the do-it-yourself and commercial
> options.

If you want a free SSL cert but don't want to create your own CA, check out www.certainfree.com. Free certs for uses like yours, and no messing w/ openssl. You will have to visit certainfree.com/install.php to avoid SSL warnings in your browser.
-- Matt McParland

From essamabd at pacbell.net Mon Jul 21 21:27:30 2003 From: essamabd at pacbell.net (Essam Abdelazim) Date: Mon, 21 Jul 2003 13:27:30 -0700 Subject: [NoCat] Authserve and Ports Message-ID:

Hey guys,

Does anyone know what ports I need to have open if I'm running a NoCat Authentication server behind a router, in order to get the gateway to connect to it and authenticate?

Any help appreciated
Essam Azeem

From essamabd at pacbell.net Tue Jul 22 00:34:03 2003 From: essamabd at pacbell.net (Essam Abdelazim) Date: Mon, 21 Jul 2003 16:34:03 -0700 Subject: [NoCat] Captive and Passive modes Message-ID:

Hi everyone,

Does anyone have an idea about the main difference between captive and passive mode as far as port usage? I know that passive is for your gateway if it's running behind a NAT, but I want to know why exactly. A response would be appreciated.

Essam Azeem

From jim at netgate.com Tue Jul 22 00:41:55 2003 From: jim at netgate.com (Jim Thompson) Date: Mon, 21 Jul 2003 16:41:55 -0700 Subject: [NoCat] A simple way around needing a hard drive, or an expensive compact flash In-Reply-To: <10865.64.253.49.129.1058814788.squirrel@www.omnistep.com> References: <10865.64.253.49.129.1058814788.squirrel@www.omnistep.com> Message-ID: <16156.31299.936794.976041@zaphod.netgate.com>

Most modern machines support PXE, which makes this even more trivial.

-- "Speed, it seems to me, provides the one genuinely modern pleasure." -- Aldous Huxley (1894 - 1963)

From karl.gaissmaier at kiz.uni-ulm.de Mon Jul 21 08:28:19 2003 From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Mon, 21 Jul 2003 09:28:19 +0200 Subject: [NoCat] [NoCatNet] RADIUS References: <3F16E881.1080708@eiu.edu> Message-ID: <3F1B9613.D5F451F2@kiz.uni-ulm.de>

Hi Randy,

Randy Ethridge wrote:
> I am having a problem with Radius authentication. The AUTHEN::RADIUS mod
> worked when make test was run but all I get when I try to logon through
> NoCat is the username and password doesnt match...any ideas?

Did you already apply Ulric's radius patch? You'll find it on the list.

Regards
Charly
-- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network Tel.: ++49 731 50-22499

From rob at nocat.net Tue Jul 22 10:35:28 2003 From: rob at nocat.net (Rob Flickenger) Date: Tue, 22 Jul 2003 02:35:28 -0700 Subject: [NoCat] wrtgen: a WRT54G firmware generator Message-ID:

All right, here it is:

http://nocat.net/download/wrtgen/

A 5k perl script that generates firmware that the WRT54G will accept.

Requirements:
* Perl, and String::CRC32 (from CPAN)
* mkcramfs, v1.1 (from SourceForge)
* wget, if you want it to download firmware from Linksys for you

Features:
* Auto-download the original firmware from Linksys
* Extract the original CramFS for your own edification
* Builds a new CramFS root on the fly, computes the proper header, and generates the firmware

I've used it to make a couple of good copies so far, but it's still very alpha. It is released under the GPL.

Enjoy!

--Rob

From karl.gaissmaier at kiz.uni-ulm.de Tue Jul 22 11:44:16 2003 From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Tue, 22 Jul 2003 12:44:16 +0200 Subject: [NoCat] Captive and Passive modes References: Message-ID: <3F1D1580.E62F7E65@kiz.uni-ulm.de>

Hi Essam,

Essam Abdelazim wrote:
> Hi every one,
>
> Does anyone has an idea about the main difference between captive and
> passive mode as far as port usage? I know that passive is for your
> gateway if its running behind a NAT but i want to know why exactly. a
> response would be appreciated.

You should first understand the normal authentication process in captive mode. Let me try to explain:

1.) user surfs to a web site not in the allowed web hosts
2.) user gets, inside the gateway, a redirect to port 5280 on the gateway
3.) the gateway daemon listens on port 5280 and sends a http redirect to the AuthServer
4.) the user client accepts the http redirect to the authserver and surfs to this new web location (automatically)
5.) the webserver on the authserver starts via cgi the nocat login perl script
6.) this login perl script presents the well-known login page
7.) user fills in the username/password
8.) the login perl script checks the user credentials against DB, flatfile, radius, ...
9.) if the username and password are correct, the login perl script, running on the authserver, tries to connect to the gateway daemon on port 5280 on the gateway machine to authorize this user in the firewall rules

THIS IS THE MAIN DIFFERENCE if the gateway is running behind a NATing firewall. The authserver is not able to connect to the gateway behind this NATing firewall. Therefore the login perl script redirects the client browser again back to the gateway with the authorization ticket in the URI. This is called passive mode by the NoCatAuth creators: since the authserver can't connect to the gateway actively, it directs the client browser to send the ticket via a new redirect. It's a little bit like ping pong, isn't it?

Regards
Charly
-- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network Tel.: ++49 731 50-22499

From recompiler at hacksrus.com Tue Jul 22 15:20:16 2003 From: recompiler at hacksrus.com (Vlad) Date: Tue, 22 Jul 2003 10:20:16 -0400 (EDT) Subject: [NoCat] A simple way around needing a hard drive, or an expensive compact flash In-Reply-To: <16156.31299.936794.976041@zaphod.netgate.com> References: <10865.64.253.49.129.1058814788.squirrel@www.omnistep.com> <16156.31299.936794.976041@zaphod.netgate.com> Message-ID: <10173.64.253.49.75.1058883616.squirrel@mail.omnistep.com>

I think there should be a centralized autobuild/network boot server, so people can mirror and customize the image.
I just booted a mini itx with 2 senao cards and a 10/100 (usb) network card using a 256MB usb thumb drive. A thumb drive is $43 and every modern mobo has a usb connector, not so for compact flash. Jim Thompson said: > > Most modern machines support PXE, which makes this even more trivial. > > -- > "Speed, it seems to me, provides the one genuinely modern pleasure." > -- Aldous Huxley (1894 - 1963) > > > _______________________________________________ > NoCat mailing list > NoCat@lists.nocat.net > http://lists.nocat.net/mailman/listinfo/nocat > -- Vlad G. The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. From crh at ubiqx.mn.org Tue Jul 22 18:34:02 2003 From: crh at ubiqx.mn.org (Christopher R. Hertel) Date: Tue, 22 Jul 2003 12:34:02 -0500 Subject: [NoCat] wrtgen: a WRT54G firmware generator In-Reply-To: References: Message-ID: <20030722173402.GE3128@Favog.ubiqx.mn.org> This is very cool. I am working on the Dell 1184 myself, and have managed to extract the RamFS image (they don't use CramFS...dunno why yet). I have not got as far as building a new RomFS filesystem yet, though. Has anyone had luck building a new kernel for the Linksys? Chris -)----- PS. There's a bit of discussion regarding the Dell and Linksys Linux-based APs going on over on the LinuxAP mailing list. On Tue, Jul 22, 2003 at 02:35:28AM -0700, Rob Flickenger wrote: > Allright, here it is: > > http://nocat.net/download/wrtgen/ > > A 5k perl script that generates firmware that the WRT54G will accept. 
> > Requirements: > > * Perl, and String::CRC32 (from CPAN) > * mkcramfs, v1.1 (from SourceForge) > * wget, if you want it to download firmware from Linksys for you > > Features: > > * Auto-download the original firmware from Linksys > * Extract the original CramFS for your own edification > * Builds a new CramFS root on the fly, computes the proper header, and > generates the firmware > > I've used it to make a couple of good copies so far, but it's still > very alpha. It is released under the GPL. > > Enjoy! > > --Rob > > > _______________________________________________ > NoCat mailing list > NoCat@lists.nocat.net > http://lists.nocat.net/mailman/listinfo/nocat -- "Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)----- crh@ubiqx.mn.org OnLineBook -- http://ubiqx.org/cifs/ -)----- crh@ubiqx.org From niallm at enigma.ie Tue Jul 22 00:47:51 2003 From: niallm at enigma.ie (Niall Richard Murphy) Date: Tue, 22 Jul 2003 00:47:51 +0100 Subject: [NoCat] Continual capture cycle? Message-ID: <20030721234751.GA71229@enigma.ie> Folks, I have nocat working nicely. Gpg verification, RADIUS authentication, everything hunky-dory (after much hacking around). However, despite positive authentication from the authserv back to the gateway, as evinced by these messages: [2003-07-21 23:34:41] Denying peer 00:03:93:E9:E2:7E without prior permit. [2003-07-21 23:35:36] Spawning child process 2327. [2003-07-21 23:35:36] Connection to 172.17.32.1 from 172.17.32.11 [2003-07-21 23:35:36] Received notify from 172.17.32.11 [2003-07-21 23:35:37] gpg --decrypt --homedir=/usr/local/nocat/bin/../pgp --keyring truste dkeys.gpg --no-tty -o- returned error message: gpg: Signature made Mon Jul 21 23:45:35 2003 UTC using DSA key ID [...] [...] 
gpg: There is no indication that the signature belongs to the owner. [2003-07-21 23:35:37] Got auth msg: Redirect http://172.17.32.1:5280/?ticket=owGbwMvMwCSYpb%2bo2fOuUR7j6XlJDPYyFT1BqSmZ RanJJZwZJSUFVvr65eXlejnleXp5qSX6XL6JyZwGBlYGxlaWxlaullauRlbmrlyhxalFnHmZiTk5uVwhmbmp%2baUl [...] Mac 00:03:93:E9:E2:7E User niallm Timeout 600 Token $1$77208459$Qw6jRi2cct/0ErFHNEHqw0 Mode login Action Permit Member ANY [2003-07-21 23:35:37] Unknown ID notify from 00:03:93:E9:E2:7E! I still get captured and forced towards the authentication page! [2003-07-21 23:35:37] Capturing 172.17.32.11 for http://172.17.32.1:5280/?ticket=owE1Uj1 [...] Can anyone explain why this might be? More details available on request... Niall -- Enigma Consulting Limited: Security, UNIX and telecommunications consultants. Address: Floor 2, 45 Dawson Street, Dublin 2, Ireland. 802.11 deployment in Dublin: http://www.enigma.ie/wardrive/ From adam at sonic.net Tue Jul 22 18:32:07 2003 From: adam at sonic.net (adam) Date: Tue, 22 Jul 2003 10:32:07 -0700 Subject: [NoCat] wrtgen: a WRT54G firmware generator In-Reply-To: References: Message-ID: <20030722103207.A19264@sonic.net> w00t! * Rob Flickenger [2003-07-22 02:39]: > Allright, here it is: > > http://nocat.net/download/wrtgen/ > > A 5k perl script that generates firmware that the WRT54G will accept. > > Requirements: > > * Perl, and String::CRC32 (from CPAN) > * mkcramfs, v1.1 (from SourceForge) > * wget, if you want it to download firmware from Linksys for you > > Features: > > * Auto-download the original firmware from Linksys > * Extract the original CramFS for your own edification > * Builds a new CramFS root on the fly, computes the proper header, and > generates the firmware > > I've used it to make a couple of good copies so far, but it's still > very alpha. It is released under the GPL. > > Enjoy! 
> > --Rob From fernan_cs at yahoo.es Tue Jul 22 19:04:55 2003 From: fernan_cs at yahoo.es (Fernando Cabrera) Date: Tue, 22 Jul 2003 20:04:55 +0200 Subject: [NoCat] Fwd: Redirection to the login page Message-ID: <5.1.0.14.2.20030722200442.009fee00@pop.correo.yahoo.es>
>>I have a problem with the NoCat project. I'm using NoCatAuth-0.82.tar.gz from http://nocat.net/download/NoCatAuth/
>>
>>I'm using two computers with Red Hat 7.2. The first one has the gateway installed, and the second one the authenticator.
>>I'm also using a laptop to connect to the gateway. I can connect to the Internet through another computer on the same LAN.
>>This is the schema of my network:
>>
>> 10.45.1.152 ----------------- 10.45.1.14:7532
>> Authenticator | Proxy. Internet
>> |
>> |
>> ------- 10.45.1.87
>> Gateway
>> 192.168.0.1
>>
>> Laptop
>> 192.168.0.20
>>
>>I've configured the gateway in Passive mode.
>>When I try to log into NoCat, I have to write login and password and I get a popup window, but it's redirected to the login page. It's always the same, like a loop.
>>
>>I think I have some problem with the authentication, but I don't know how to solve it. I'm using gnupg-1.2.2.
>>
>>I also tried to configure the gateway in Open mode, but I cannot access the Internet. I have configured my laptop with a default proxy (192.168.0.1) in the web browser. I think this is enough??
>>
>>Below this, I've pasted the log file of the gateway.
>>
>>Thanks for your time!!!
>>
>>>[2003-07-09 18:21:19] Gateway running on port 5280.
>>>[2003-07-09 18:23:31] Spawning child process 5918.
>>>[2003-07-09 18:23:31] Spawning child process 5919.
>>>[2003-07-09 18:23:31] Connection to 10.45.1.87 from 192.168.0.20
>>>[2003-07-09 18:23:31] No header line from 192.168.0.20
>>>[2003-07-09 18:23:31] Connection to 10.45.1.87 from 192.168.0.20
>>>[2003-07-09 18:23:31] Received notify from 192.168.0.20
>>>[2003-07-09 18:23:31] Missing notify from 192.168.0.20
>>>[2003-07-09 18:23:31] Capturing 192.168.0.20 for http://10.45.1.87:5280/
>>>[2003-07-09 18:23:31] Notifying parent of Capture on peer 00:05:5D:25:46:7E
>>>[2003-07-09 18:23:31] Got notification Capture of peer 00:05:5D:25:46:7E
>>>[2003-07-09 18:23:31] Child process returned 1
>>>[2003-07-09 18:23:43] Spawning child process 5920.
>>>[2003-07-09 18:23:43] Connection to 10.45.1.87 from 192.168.0.20
>>>[2003-07-09 18:23:43] Received notify from 192.168.0.20
>>>[2003-07-09 18:23:43] gpg --decrypt --homedir=/usr/local/nocat/bin/../pgp --keyring trustedkeys.gpg --no-tty -o- returned error message:
>>>gpg: Signature made Wed 09 Jul 2003 18:23:01 CEST using DSA key ID 924212EE
>>>gpg: Good signature from "fernando cabrera (mi direccion de correo)"
>>>gpg: WARNING: This key is not certified with a trusted signature!
>>>gpg: There is no indication that the signature belongs to the owner.
>>>gpg: Fingerprint: 5883 EE73 BD28 B6BB B8AB 9BA5 B455 5694 9242 12EE
>>>[2003-07-09 18:23:43] Got auth msg:
>>>Timeout 600
>>>Token $1$28400095$lX.wnMb1kmU3jVYyq2beu1
>>>Mode skip
>>>Redirect http://10.45.1.87:5280/
>>>Mac 00:05:5D:25:46:7E
>>>User UNKNOWN
>>>Action Permit
>>>[2003-07-09 18:23:43] User () v. trusted (Any)
>>>iptables: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
>>>/usr/local/nocat/bin/access.fw: line 42: 5923 Aborted
>>> iptables -t mangle $cmd NoCat -m mac --mac-source $mac -s $ip -j MARK --set-mark $mark
>>>[2003-07-09 18:23:43] User UNKNOWN permitted in class Public
>>>[2003-07-09 18:23:43] Notifying parent of Permit on peer 00:05:5D:25:46:7E
>>>[2003-07-09 18:23:43] Available MACs: 00:05:5D:25:46:7E
>>>[2003-07-09 18:23:43] Got notification Permit of peer 00:05:5D:25:46:7E
>>>[2003-07-09 18:23:43] Child process returned 1
>>>[2003-07-09 18:23:43] Spawning child process 5925.
>>>[2003-07-09 18:23:43] Connection to 10.45.1.87 from 192.168.0.20
>>>[2003-07-09 18:23:43] Received notify from 192.168.0.20
>>>[2003-07-09 18:23:43] Missing notify from 192.168.0.20
>>>[2003-07-09 18:23:43] Capturing 192.168.0.20 for http://10.45.1.87:5280/
>>>[2003-07-09 18:23:43] Notifying parent of Capture on peer 00:05:5D:25:46:7E
>>>[2003-07-09 18:23:43] Got notification Capture of peer 00:05:5D:25:46:7E
>>>[2003-07-09 18:23:43] Child process returned 1
>>
>>
>>
>>gpg: Signature made Wed 09 Jul 2003 18:23:01 CEST using DSA key ID 924212EE
>>gpg: Good signature from "fernando cabrera (mi direccion de correo)"
>>gpg: WARNING: This key is not certified with a trusted signature!
>>gpg: There is no indication that the signature belongs to the owner.
>>gpg: Fingerprint: 5883 EE73 BD28 B6BB B8AB 9BA5 B455 5694 9242 12EE
>>
>>I'll try to translate the message:
>>
>>gpg: Signature created on Wednesday 09 Jul 2003 18:23:01 CEST using DSA key ID 924212EE
>>gpg: Correct signature of "fernando cabrera"
>>gpg: ATTENTION: This key is not certified by a trusted signature!
>>gpg: There are no indications that the signature belongs to the proprietor.
>>gpg: Fingerprint: 5883 EE73 BD28 B6BB B8AB 9BA5 B455 5694 9242 12EE
From an at sonic.net, expansive at sonic.net, compact at sonic.net, flash at sonic.net Tue Jul 22 20:08:59 2003 From: an at sonic.net, expansive at sonic.net, compact at sonic.net, flash at sonic.net (Roger Weeks) Date: Tue, 22 Jul 2003 12:08:59 -0700 (PDT) Subject: [NoCat] A simple way around needing a hard drive, In-Reply-To: <20030722190002.10284.31099.Mailman@mouse> from "nocat-request@lists.nocat.net" at Jul 22, 2003 12:00:02 PM Message-ID: <200307221908.h6MJ8xjG007178@bolt.sonic.net> Has anyone booted PXE using 802.11b cards? Is it even possible? The problem with relying on a PC for boot code, somewhere on the wired network of a box that has two radio cards, is that you've now increased the cost of your node exponentially. If a Soekris or a Via board could boot using PXE over a wireless link, that would be great. Roger > Date: Tue, 22 Jul 2003 10:20:16 -0400 (EDT) > Subject: Re: [NoCat] A simple way around needing a hard drive, > or an expansive compact flash > From: "Vlad" > To: "Jim Thompson" > Cc: recompiler@hacksrus.com, nocat@lists.nocat.net > > I think there should be a centralized autobuild/network boot server, so > people can mirror and customize the image. > > I just booted a mini ITX with 2 Senao cards and a 10/100 (USB) network > card using a 256MB USB thumb drive. A thumb drive is $43 and every modern > mobo has a USB connector, not so for compact flash. From karl.gaissmaier at kiz.uni-ulm.de Wed Jul 23 08:18:16 2003 From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Wed, 23 Jul 2003 09:18:16 +0200 Subject: [NoCat] Captive and Passive mods References: <72C22EFC-BC72-11D7-8492-000393867270@pacbell.net> Message-ID: <3F1E36B8.D8AA8C6A@kiz.uni-ulm.de> Hi Essam, I'm sending my answer to the list as well, since that is what a discussion list is for. The community gains nothing if we switch to p2p on an interesting topic, as long as we are not off topic.
Essam Abdelazim wrote: > Hey Charly, > > I appreciate you answering me so quickly. Thanks for going into detail > describing the process of authentication between the authserv and > the gateway. > > Looking at your order I am interested in point number "9" where you > said the following: > > " 9.) if the username and password is correct the login perl script, > > running on the authserver, tries to connect the gateway daemon > > on port 5280 on the gateway machine to authorize this user > > in the firewall rules" > > > I understand that having the gateway behind a NAT (router) would not > allow the authserv to connect to the gateway, which brings out the real > question. We know that the authserv uses port 5280 to connect back to > the gateway in Captive mode, so this means if I open port 5280 on the > NAT which the gateway resides behind, that should allow the authserv > to connect to the gateway and run in Captive mode even though the > gateway is behind a NAT. Yes, that's true. If you are the administrator of the NATing firewall you are able to DNAT to the gateway. Keep in mind to configure NoCat for Captive Mode in this case. I didn't try it, but I'm sure it works out of the box, or perhaps with a little bit of twiddling if you are not a well-experienced firewall admin. Regards Charly -- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network Tel.: ++49 731 50-22499 From karl.gaissmaier at kiz.uni-ulm.de Wed Jul 23 08:50:15 2003 From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Wed, 23 Jul 2003 09:50:15 +0200 Subject: [NoCat] Continual capture cycle? References: <20030721234751.GA71229@enigma.ie> Message-ID: <3F1E3E37.C6EED74F@kiz.uni-ulm.de> Hi Niall, Niall Richard Murphy wrote: > > Folks, > > I have nocat working nicely. Gpg verification, RADIUS authentication, everything > hunky-dory (after much hacking around).
However, despite positive authentication > from the authserv back to the gateway, as evinced by these messages: > > [2003-07-21 23:34:41] Denying peer 00:03:93:E9:E2:7E without prior permit. > [2003-07-21 23:35:36] Spawning child process 2327. > [2003-07-21 23:35:36] Connection to 172.17.32.1 from 172.17.32.11 > [2003-07-21 23:35:36] Received notify from 172.17.32.11 > [2003-07-21 23:35:37] gpg --decrypt --homedir=/usr/local/nocat/bin/../pgp --keyring trustedkeys.gpg --no-tty -o- returned error message: > gpg: Signature made Mon Jul 21 23:45:35 2003 UTC using DSA key ID [...] > [...] > gpg: There is no indication that the signature belongs to the owner. Are you sure that the file trustedkeys.gpg in /usr/local/nocat/pgp on the gateway is identical to the pubring.gpg of the authserver? Please try the following: gateway# cd /usr/local/nocat/pgp gateway# gpg --homedir=. --list-keys --keyring trustedkeys.gpg and on the authserv: authserv# cd /usr/local/nocat/pgp authserv# gpg --homedir=. --list-keys and perhaps you will find the difference yourself, or send the output to the list. Regards Charly -- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network Tel.: ++49 731 50-22499 From recompiler at hacksrus.com Wed Jul 23 22:17:24 2003 From: recompiler at hacksrus.com (Vlad) Date: Wed, 23 Jul 2003 17:17:24 -0400 (EDT) Subject: [NoCat] A simple way around needing a hard drive, Message-ID: <24927.64.253.49.123.1058995044.squirrel@mail.omnistep.com> I beg to differ. Most people have at least one or 2 boxes already running as servers. This solution is intended to decrease cost, not increase cost. I doubt any motherboard could boot over a wireless link and that's just as well because as a network security consultant I'd hate to see stuff booting unencrypted over wireless. PXE offers absolutely nothing in the form of authentication.
I'm sure it is possible to hack up a solution where the mobo has a cheap little 8MB flash drive with IDE connector (I got tons from eBay) and loads core functionality off it, and then downloads the rest over the wireless link. >Message: 1 >From: Roger Weeks >Subject: Re: [NoCat] A simple way around needing a hard drive, >To: nocat@lists.nocat.net >Date: Tue, 22 Jul 2003 12:08:59 -0700 (PDT) >Reply-To: an@sonic.net, expansive@sonic.net, compact@sonic.net, flash@sonic.net >Has anyone booted PXE using 802.11b cards? Is it even possible? >The problem with relying on a PC for boot code, somewhere on the wired >network of a box that has two radio cards, is you've now increased the cost >of your node exponentially. >If a soekris or a Via board could boot using PXE over a wireless link that >would be great. >Roger -- Vlad G. From Eduard-ciril.Castells at estudiant.upc.es Wed Jul 23 22:47:06 2003 From: Eduard-ciril.Castells at estudiant.upc.es (Eduard-ciril Castells) Date: Wed, 23 Jul 2003 23:47:06 +0200 Subject: [NoCat] gpg problem & redirect Message-ID: Hello, I have a problem with the authentication with NoCatAuth. By the way, I get logged in and get the popup, but the main screen drops back to the login. All permissions are the same as Apache. If someone who had the same problem can help me....
Thanks
apache error log:
[Wed Jul 23 22:59:58 2003] [notice] Apache/1.3.27 (Unix) mod_ssl/2.8.14 OpenSSL/0.9.7b configured -- resuming normal operations
[Wed Jul 23 22:59:58 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[2003-07-23 23:00:10] User UNKNOWN from 147.83.113.59 requests form
[2003-07-23 23:00:11] User UNKNOWN from 147.83.113.59 requests form
[2003-07-23 23:00:23] User root from 147.83.113.59 requests form
gpg: Warning: unsafe permissions on directory "/usr/local/nocat/authentication/pgp"
gpg: Warning: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Warning: unsafe permissions on file "/usr/local/nocat/authentication/pgp/secring.gpg"
gpg: Warning: unsafe permissions on file "/usr/local/nocat/authentication/pgp/pubring.gpg"
gpg: Warning: unsafe permissions on file "/usr/local/nocat/authentication/pgp/trustedkeys.gpg"
[2003-07-23 23:00:24] User root from 147.83.113.59 requests popup
[2003-07-23 23:00:29] User UNKNOWN from 147.83.113.59 requests form
Nocat.log
[2003-07-23 23:11:32] Gateway running on port 5280.
[2003-07-23 23:11:42] Spawning child process 3102.
[2003-07-23 23:11:42] Use of uninitialized value in concatenation (.) or string at /usr/local/nocat/gateway/bin/../lib/NoCat/Gateway.pm line 252, line 2.
[2003-07-23 23:11:42] Connection to 172.16.0.1 from
[2003-07-23 23:11:42] Use of uninitialized value in chomp at /usr/local/nocat/gateway/bin/../lib/NoCat.pm line 221, line 4.
[2003-07-23 23:11:42] Use of uninitialized value in join or string at /usr/local/nocat/gateway/bin/../lib/NoCat.pm line 224, line 4.
[2003-07-23 23:11:42] Can't capture peer without MAC
[2003-07-23 23:12:03] Spawning child process 3131.
[2003-07-23 23:12:03] Connection to 172.16.0.1 from 172.16.2.3
[2003-07-23 23:12:03] Capturing 172.16.2.3 for http://www.google.com/
[2003-07-23 23:12:03] Notifying parent of Capture on peer 00:04:76:8D:3A:06
[2003-07-23 23:12:03] Got notification Capture of peer 00:04:76:8D:3A:06
[2003-07-23 23:12:03] Child process returned 1
[2003-07-23 23:12:06] Spawning child process 3132.
[2003-07-23 23:12:06] Connection to 172.16.0.1 from 172.16.2.3
[2003-07-23 23:12:06] Capturing 172.16.2.3 for http://bis.180solutions.com/ads.aspx?did=280&ver=4.3&duid=4fd23ddf1f088021&browser_ok=y&rnd=13&keyword=gateway&bid=1&error=&rec_bytes=0
[2003-07-23 23:12:06] Notifying parent of Capture on peer 00:04:76:8D:3A:06
[2003-07-23 23:12:06] Got notification Capture of peer 00:04:76:8D:3A:06
[2003-07-23 23:12:06] Child process returned 1
[2003-07-23 23:12:24] Spawning child process 3133.
[2003-07-23 23:12:24] Connection to 172.16.0.1 from 172.16.2.3
[2003-07-23 23:12:24] Received notify from 172.16.2.3
gpg: Signature made Wed 23 Jul 2003 21:00:23 UTC using DSA key ID 15D69682
gpg: Can't check signature: public key not found
[2003-07-23 23:12:24] gpg --decrypt --homedir=/usr/local/nocat/gateway/pgp --keyring trustedkeys.gpg --no-tty -o- returned error: Illegal seek ( 2 )
[2003-07-23 23:12:24] Invalid notify from 172.16.2.3
[2003-07-23 23:12:24] Capturing 172.16.2.3 for http://172.16.0.1:5280/?ticket=owGbwMvMwCQoUXDeQfTatCbG0wuSGOzlvqf7puYmpRZxFuXnl3AFpaZkFqUml3BmlJQUWOnrl5eX66Xn56fnpOol5%2bfqc%2fkmJnMaGFgZmFiZm1lZuFgZO1oZmHE5Jpdk5udxBqQW5WaWcIUWw0zzzU9J5czJT8%2fM4wrJzE3NLy3hNDMw4ArJz07N41QxVDEzNzIyBmIVj3TLDN%2b0RNPKJA%2bPqIhcLxMX13JnPa4Oe2ZWsBNhbhZk0nFgmO8z2eVjvLjd6jdOws5cIYs7%2f4a26jDMLzdIDz5Uf8IhY8ukXcH5fB8zuCxLAQ%3d%3d%3dInIj
[2003-07-23 23:12:24] Notifying parent of Capture on peer 00:04:76:8D:3A:06
[2003-07-23 23:12:24] Got notification Capture of peer 00:04:76:8D:3A:06
[2003-07-23 23:12:24] Child process returned 1
[2003-07-23 23:12:24] Spawning child process 3135.
[2003-07-23 23:12:24] Connection to 172.16.0.1 from 172.16.2.3
[2003-07-23 23:12:24] Capturing 172.16.2.3 for http://bannerserver.gator.com/bannerserver/bannerserver.dll?GetBannerList
[2003-07-23 23:12:24] Notifying parent of Capture on peer 00:04:76:8D:3A:06
[2003-07-23 23:12:24] Got notification Capture of peer 00:04:76:8D:3A:06
[2003-07-23 23:12:24] Child process returned 1
[2003-07-23 23:12:24] Spawning child process 3136.
[2003-07-23 23:12:24] Connection to 172.16.0.1 from 172.16.2.3
[2003-07-23 23:12:24] Capturing 172.16.2.3 for http://bannerserver.gator.com/bannerserver/bannerserver.dll?GetBannerList
[2003-07-23 23:12:24] Notifying parent of Capture on peer 00:04:76:8D:3A:06
[2003-07-23 23:12:24] Got notification Capture of peer 00:04:76:8D:3A:06
[2003-07-23 23:12:24] Child process returned 1
[2003-07-23 23:22:04] Expiring connection from 172.16.2.3 .
[2003-07-23 23:22:04] Denying peer 00:04:76:8D:3A:06 without prior permit.
From rjw at sonic.net Thu Jul 24 21:56:00 2003 From: rjw at sonic.net (Roger Weeks) Date: Thu, 24 Jul 2003 13:56:00 -0700 (PDT) Subject: [NoCat] A simple way around needing a hard drive, In-Reply-To: <20030724190002.29115.58449.Mailman@mouse> from "nocat-request@lists.nocat.net" at Jul 24, 2003 12:00:02 PM Message-ID: <200307242056.h6OKu1bM021945@bolt.sonic.net> Vlad, I don't know what kind of network you have, but in our co-op wireless network almost ALL of our members do not have servers running in their homes. For our network, having a box running a PXE server at each relay location is not only cost prohibitive, but impractical as well. Roger Weeks > Message: 1 > Date: Wed, 23 Jul 2003 17:17:24 -0400 (EDT) > Subject: Re: [NoCat] A simple way around needing a hard drive, > From: "Vlad" > To: nocat@lists.nocat.net > Cc: an@sonic.net, expansive@sonic.net, compact@sonic.net > > I beg to differ. Most people have at least one or 2 boxes already running as > servers.
This solution is intended to decrease cost, not increase cost. > > I doubt any motherboard could boot over a wireless link and that's just > as well because as a network security consultant I'd hate to see stuff > booting unencrypted over wireless. PXE offers absolutely nothing in the > form of authentication. > > I'm sure it is possible to hack up a solution where the mobo has a cheap > little 8MB flash drive with IDE connector (I got tons from eBay) and loads > core functionality off it, and then downloads the rest over the wireless link. From nimsim at hotmail.com Thu Jul 24 23:38:27 2003 From: nimsim at hotmail.com (NIMIT SAWHNEY) Date: Fri, 25 Jul 2003 04:08:27 +0530 Subject: [NoCat] Problems getting RADIUS to work Message-ID: I get the following messages when I try to authenticate a user via RADIUS. The authentication packets never seem to reach my RADIUS server. (I am otherwise able to ping and telnet to my radius server from my auth. box) Any ideas as to what could be the problem? thanks, /nimit
------------------------------------------------------------------------------------
[Thu Jul 24 14:30:31 2003] [error] [client 192.168.11.130] [2003-07-24 14:30:31] User UNKNOWN from 192.168.11.130 requests form
[Thu Jul 24 14:30:58 2003] [error] [client 192.168.11.130] [2003-07-24 14:30:57] User john from 192.168.11.130 requests form, referer: https://192.168.11.145/cgi-bin/login?redirect=http%3a%2f%2fwww%2ecmu%2eedu%2f&timeout=600&gateway=10%2e0%2e1%2e1%3a5280&mac=00%3a10%3aA4%3a8B%3a21%3aE4&token=%241%2403301047%24VJk%2f2WvD6K9ElXgAe9SmS%2e
[Thu Jul 24 14:30:58 2003] [error] [client 192.168.11.130] [2003-07-24 14:30:57] Connecting to RADIUS server 192.168.11.97:8998 with Timeout 10, referer: https://192.168.11.145/cgi-bin/login?redirect=http%3a%2f%2fwww%2ecmu%2eedu%2f&timeout=600&gateway=10%2e0%2e1%2e1%3a5280&mac=00%3a10%3aA4%3a8B%3a21%3aE4&token=%241%2403301047%24VJk%2f2WvD6K9ElXgAe9SmS%2e
[Thu Jul 24 14:30:58 2003] [error] [client 192.168.11.130] [2003-07-24
14:30:58] Out of servers to try, referer: https://192.168.11.145/cgi-bin/login?redirect=http%3a%2f%2fwww%2ecmu%2eedu%2f&timeout=600&gateway=10%2e0%2e1%2e1%3a5280&mac=00%3a10%3aA4%3a8B%3a21%3aE4&token=%241%2403301047%24VJk%2f2WvD6K9ElXgAe9SmS%2e
--------------------------------------------------------------------------------------
From karl.gaissmaier at kiz.uni-ulm.de Fri Jul 25 10:14:25 2003 From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Fri, 25 Jul 2003 11:14:25 +0200 Subject: [NoCat] Problems getting RADIUS to work References: Message-ID: <3F20F4F1.7C44B473@kiz.uni-ulm.de> Hi, NIMIT SAWHNEY wrote: > > I get the following messages when I try to authenticate a user via RADIUS. > The authentication packets never seem to reach my RADIUS server. > (I am otherwise able to ping and telnet to my radius server from my auth. ... > 14:30:57] Connecting to RADIUS server 192.168.11.97:8998 with Timeout 10, are you really sure that your radius server listens on port 8998? Looks like a misconfiguration in authserv.conf. Regards Charly -- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network Tel.: ++49 731 50-22499 From nimsim at hotmail.com Fri Jul 25 12:50:58 2003 From: nimsim at hotmail.com (Nimit Sawhney) Date: Fri, 25 Jul 2003 07:50:58 -0400 Subject: [NoCat] Problems getting RADIUS to work References: <3F20F4F1.7C44B473@kiz.uni-ulm.de> Message-ID: Yes..it's a modified radius server which listens on port 8998. Would it be a problem if the server is expecting TCP packets on 8998 but the nocat auth box (i.e. radiusperl) sends UDP instead? thanks, /nimit > Hi, > > NIMIT SAWHNEY wrote: > > > > I get the following messages when I try to authenticate a user via RADIUS.
> > The authentication packets never seem to reach my RADIUS server. > > (I am otherwise able to ping and telnet to my radius server from my auth. > ... > > 14:30:57] Connecting to RADIUS server 192.168.11.97:8998 with Timeout 10, > > are you really sure that your radius server listens on port 8998? > Looks like a misconfiguration in authserv.conf. > > Regards > Charly > > -- From karl.gaissmaier at kiz.uni-ulm.de Fri Jul 25 13:05:15 2003 From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Fri, 25 Jul 2003 14:05:15 +0200 Subject: [NoCat] Problems getting RADIUS to work References: <3F20F4F1.7C44B473@kiz.uni-ulm.de> Message-ID: <3F211CFB.379AC4E9@kiz.uni-ulm.de> Hi, Nimit Sawhney wrote: > > Yes..it's a modified radius server which listens on port 8998. > Would it be a problem if the server is expecting TCP packets > on 8998 but the nocat auth box (i.e. radiusperl) sends UDP > instead? definitely YES! What do you mean by a modified radius server? Have you ever used ethereal to see the packet flow? Regards Charly -- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network Tel.: ++49 731 50-22499 From nimsim at hotmail.com Fri Jul 25 13:07:49 2003 From: nimsim at hotmail.com (Nimit Sawhney) Date: Fri, 25 Jul 2003 08:07:49 -0400 Subject: [NoCat] Problems getting RADIUS to work References: <3F20F4F1.7C44B473@kiz.uni-ulm.de> <3F211CFB.379AC4E9@kiz.uni-ulm.de> Message-ID: Hi Charly, By modified, I meant that it's got RADIUS plus some other extra functionality. Unfortunately, I don't have much access to this radius server's machine, so can't run ethereal on it. If I try a telnet from the nocat auth box to port 8998 of this radius server, it does work. Is there a way I can write a TCP wrapper for the radiusperl packets? Thanks, /nimit Charly wrote...: > Hi, > > Nimit Sawhney wrote: > > > > Yes..it's a modified radius server which listens on port 8998.
> > Would it be a problem if the server is expecting TCP packets > > on 8998 but the nocat auth box (i.e. radiusperl) sends UDP > > instead? > > definitely YES! What do you mean by a modified radius server? > Have you ever used ethereal to see the packet flow? > > Regards > Charly From karl.gaissmaier at kiz.uni-ulm.de Fri Jul 25 13:33:35 2003 From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Fri, 25 Jul 2003 14:33:35 +0200 Subject: [NoCat] Problems getting RADIUS to work References: <3F20F4F1.7C44B473@kiz.uni-ulm.de> <3F211CFB.379AC4E9@kiz.uni-ulm.de> Message-ID: <3F21239F.7034E4A4@kiz.uni-ulm.de> Hi Nimit, Nimit Sawhney wrote: > > Hi Charly, > > By modified, I meant that it's got RADIUS plus some other > extra functionality. Unfortunately, I don't have much access > to this radius server's machine, so can't run ethereal on it. If > I try a telnet from the nocat auth box to port 8998 of this > radius server, it does work. The RADIUS protocol is UDP based; whatever listens on TCP port 8998 on your radius hosting server has nothing to do with the RFC-based RADIUS protocol. > > Is there a way I can write a TCP wrapper for the radiusperl > packets? Wrong solution. Have you patched NoCatAuth with the radius patch from my co-worker Ulric, posted on the list a few weeks/days ago? Regards Charly P.S. You are really new to networking, aren't you? -- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network Tel.: ++49 731 50-22499 From nimsim at hotmail.com Fri Jul 25 14:15:10 2003 From: nimsim at hotmail.com (Nimit Sawhney) Date: Fri, 25 Jul 2003 09:15:10 -0400 Subject: [NoCat] Problems getting RADIUS to work References: <3F20F4F1.7C44B473@kiz.uni-ulm.de> <3F211CFB.379AC4E9@kiz.uni-ulm.de> <3F21239F.7034E4A4@kiz.uni-ulm.de> Message-ID: Hi, > > > > By modified, I meant that it's got RADIUS plus some other > > extra functionality.
Unfortunately, I don't have much access > > to this radius server's machine, so can't run ethereal on it. If > > I try a telnet from the nocat auth box to port 8998 of this > > radius server, it does work. > > The RADIUS protocol is UDP based; whatever listens on TCP port 8998 > on your radius hosting server has nothing to do with the RFC-based > RADIUS protocol. Just found this out...there are several proprietary RADIUS implementations which use TCP, but the packet formats et al. are the same as what is specified in the RFC. > > > > Is there a way I can write a TCP wrapper for the radiusperl > > packets? > > Wrong solution. Have you patched NoCatAuth with the radius > patch from my co-worker Ulric, posted on the list a few > weeks/days ago? Why is it the wrong solution? If a particular radius-like server (if that makes you more comfortable) accepts TCP only, what is the harm in adding this capability to the nocat auth? Yes..that patch (for the missing 'string' types) was applied. > > Regards > Charly > > P.S. You are really new to networking, aren't you? Politically incorrect assumption on your part !! rgds, /nimit From karl.gaissmaier at kiz.uni-ulm.de Fri Jul 25 15:11:19 2003 From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Fri, 25 Jul 2003 16:11:19 +0200 Subject: [NoCat] Problems getting RADIUS to work References: <3F20F4F1.7C44B473@kiz.uni-ulm.de> <3F211CFB.379AC4E9@kiz.uni-ulm.de> <3F21239F.7034E4A4@kiz.uni-ulm.de> Message-ID: <3F213A87.513FB33C@kiz.uni-ulm.de> Hi Nimit, Nimit Sawhney wrote: ... > Just found this out...there are several proprietary RADIUS > implementations which use TCP, but the packet formats et al. > are the same as what is specified in the RFC. > > > > > > Is there a way I can write a TCP wrapper for the radiusperl > > > packets? > > > > Wrong solution. Have you patched NoCatAuth with the radius > > patch from my co-worker Ulric, posted on the list a few > > weeks/days ago? > > Why is it the wrong solution?
If a particular radius-like server > (if that makes you more comfortable) accepts TCP only, what is > the harm in adding this capability to the nocat auth? Because I thought this radius server would perhaps also listen on UDP, and before trying to write a wrapper you should first be sure that there is no other problem. It is not easy to guess what you've already tried from your questions. You started with the following question: > > I get the following messages when I try to authenticate a user via RADIUS. > > The authentication packets never seem to reach my RADIUS server. > > (I am otherwise able to ping and telnet to my radius server from my auth. > > box) > > Any ideas as to what could be the problem? There was no hint that you would use a proprietary radius server based on TCP. Even the telnet and ping hint tells us only that you have a proper network connection (routing). You didn't tell us that you had telnetted to the radius port. > > P.S. You are really new to networking, aren't you? > > Politically incorrect assumption on your part !! Then you were still too lazy to report the full story. Regards Charly -- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network Tel.: ++49 731 50-22499 From ben at clubelite.com Sat Jul 26 00:54:57 2003 From: ben at clubelite.com (Ben) Date: Fri, 25 Jul 2003 19:54:57 -0400 Subject: [NoCat] Status of NoCatSplash? Message-ID: <020101c35308$272f4940$fa00000a@tammetta.com> Hello, I noticed NoCatSplash has not been updated since Jan 2003. Is it not kept current with NoCat? I've read what I can find on each, but what are the current functional differences between them? Ideally, I'm looking to put NoCatSplash on a LEAF box that boots from a floppy. Does anyone currently have such a thing working?
Thanks,
Ben

From recompiler at hacksrus.com Sat Jul 26 02:19:54 2003
From: recompiler at hacksrus.com (Vlad)
Date: Fri, 25 Jul 2003 21:19:54 -0400 (EDT)
Subject: [NoCat] Basic Security Module - routing rules
Message-ID: <10411.64.253.49.43.1059182394.squirrel@mail.omnistep.com>

Walking around NYC today with my iPAQ I was reminded of the good old
"linksys" and "default" free community wifi networks. I think in the near
future a simple security module should be added to NoCat. It should
perform as follows.

1) Upon installation of nocat a user designates a private and the wireless
   subnet.
2) When users are added there is an option to add them to a trusted group,
   with the default being no.
3) Untrusted users can only route between the wireless interface and the
   uplink; no traffic is routed between the private subnet and the
   wireless interface for untrusted users.
4) Trusted users such as the node operator can still access their machine
   on the private LAN while keeping other users out.

I think having basic security will give nocat access points another
significant advantage over the $80 access points some may buy. The
security may also help spread adoption of access points.

I realize it's not a trivial patch and requires a major rewrite, so it
probably won't be out for a bit. I plan on doing some research on this
within the next few days and getting to work on it if it's feasible. If
anyone has any suggestions or comments about feasibility please email the
list so we have a good constructive thread going.

--
Vlad G.

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.
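A sketch of the four-point routing policy Vlad proposes, added here as an example; it is not NoCat code and not the patch Vlad describes. The interface names, the two subnets and the trusted address are constructed placeholders. The decision function states the policy for one new flow and the second function emits the equivalent netfilter FORWARD rules in the order they have to be loaded:

```python
"""Added example of the forwarding policy proposed above; it is not NoCat code
and not Vlad's patch.  Interface names, subnets and the trusted address are
constructed placeholders."""
import ipaddress

WLAN, UPLINK, LAN = "wlan0", "eth0", "eth1"           # constructed interface names
WIRELESS = ipaddress.ip_network("10.0.0.0/24")        # the wireless subnet (point 1)
PRIVATE = ipaddress.ip_network("192.168.1.0/24")      # the private subnet (point 1)


def forward_allowed(src_ip, in_if, out_if, trusted):
    """The decision the FORWARD rules below implement for one new flow.
    trusted is the set of wireless addresses in the trusted group (point 2)."""
    src = ipaddress.ip_address(src_ip)
    if in_if != WLAN or src not in WIRELESS:
        return False                  # the policy only covers wireless clients
    if out_if == UPLINK:
        return True                   # point 3: everyone may reach the uplink
    if out_if == LAN:
        return str(src) in trusted    # point 4: private LAN for trusted users only
    return False


def iptables_rules(trusted):
    """The same policy as ordered iptables commands (returned as strings)."""
    # Replies from the private LAN to a trusted user are part of an allowed flow.
    rules = ["iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    # Per-address ACCEPT for trusted users must come before the blanket DROP.
    for ip in sorted(trusted, key=ipaddress.ip_address):
        rules.append(f"iptables -A FORWARD -i {WLAN} -o {LAN} -s {ip} -d {PRIVATE} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {WLAN} -o {LAN} -d {PRIVATE} -j DROP")
    rules.append(f"iptables -A FORWARD -i {WLAN} -o {UPLINK} -s {WIRELESS} -j ACCEPT")
    return rules


if __name__ == "__main__":
    # 10.0.0.5 stands in for the node operator's wireless client (constructed).
    print("\n".join(iptables_rules({"10.0.0.5"})))
```

The ordering is the whole point: the per-address ACCEPT lines for the trusted group have to sit above the DROP from the wireless interface into the private subnet, and the ESTABLISHED,RELATED rule is what lets the private LAN answer a trusted user at all. Because the trusted set is keyed by source address, the gateway should add those ACCEPT lines only for the session it has just authenticated and remove them at logout, as it already does for the uplink rules, rather than leave a standing rule for an address.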
From nam045 at hotmail.com Sat Jul 26 08:10:55 2003
From: nam045 at hotmail.com (nauman .)
Date: Sat, 26 Jul 2003 08:10:55 +0100
Subject: [NoCat] Fwd: Fw: PLEEEEEASE READ!!!!! It was on the news!]
Message-ID:

> > > OK....let's see if this is for real...... It would be nice!
> > >
> > > To all of my friends, I do not usually forward messages,
> > > but this is from my good friend Pearlas Sanborn and she
> > > really is an attorney. If she says that this will work - it WILL work.
> > > After all, what have you got to lose?
> > >
> > >
> > >
> > > SORRY EVERYBODY.....JUST HAD TO TAKE THE CHANCE!!!
> > > I'm an attorney, and I know the law. This thing is for real.
> > > Rest assured AOL and Intel will follow through with their
> > > promises for fear of facing a multimillion dollar class
> > > action suit similar to the one filed by PepsiCo against
> > > General Electric not too long ago.
> > >
> > >
> > >
> > > Dear Friends,
> > > Please do not take this for a junk letter. Bill Gates is sharing
> > > his fortune. If you ignore this you will repent later. Microsoft
> > > and AOL are now the largest Internet companies and in an
> > > effort to make sure that Internet Explorer remains the most
> > > widely used program, Microsoft and AOL are running an
> > > e-mail beta test.
> > >
> > > When you forward this e-mail to friends,
> > > Microsoft can and will track it (if you are a Microsoft
> > > Windows user) for a two week time period. For every
> > > person that you forward this e-mail to, Microsoft will
> > > pay you $245.00, for every person that you sent it to that
> > > forwards it on, Microsoft will pay you $243.00 and for
> > > every third person that receives it, you will be paid
> > > $241.00. Within two weeks, Microsoft will contact you
> > > for your address and then send you a cheque.
> > >
> > > Regards.
> > >
> > > Charles S. Bailey
> > > General Manager Field Operations
> > > 1/800-842-2332 Ext. 1085 or
> > > 904/245-1085 or RNX 292-1085
> > > Charles_Bailey@csx.com
> > >
> > >
> > >
> > > I thought this was a scam myself, but two weeks
> > > after receiving this e-mail and forwarding it on,
> > > Microsoft contacted me for my address and
> > > within days, I received a cheque for US$24,800.00.
> > > You need to respond before the beta testing is over.
> > > If anyone can afford this Bill Gates is the man.
> > > It's all marketing expense to him. Please forward
> > > this to as many people as possible. You are bound
> > > to get at least US$10,000.00. We're not going to
> > > help them out with their e-mail beta test without
> > > getting a little something for our time. My brother's
> > > girlfriend got in on this a few months ago. When I
> > > went to visit him for the Baylor/UT game. She
> > > showed me her check. It was for the sum of
> > > $4,324.44 and was stamped "Paid In Full". Like I
> > > said before, I know the law, and this is for real.
> > >
> > > Intel and AOL are now discussing a merger which
> > > would make them the largest Internet company
> > > and in an effort make sure that AOL remains the
> > > most widely used program, Intel and AOL are
> > > running an e-mail beta test.
> > >
> > > When you forward this e-mail to friends, Intel can
> > > and will track it (if you are a Microsoft Windows
> > > user) for a two week time period.
> > >
> > > For every person that you forward this e-mail to,
> > > Microsoft will pay you $203.15.
> > >
> > > For every person that you sent it to that forwards
> > > it on, Microsoft will pay you $156.29.
> > >
> > > And for every third person that receives it, you will
> > > be paid $17.65. Within two weeks, Intel will contact
> > > you for your address and then send you a check.
> > > I thought this was a scam myself, but a friend of my
> > > good friend's Aunt Patricia, who works at Intel, actually
> > > got a check of $4,543.23 by forwarding this e-mail.
> > >
> > >
> > > Try it, what have you got to lose????
> > > --- Lewis Hansen
> > > --- lnw36@jps.net
> > > --- EarthLink: The #1 provider of the Real Internet.

From wireless at verma.sfsu.edu Sat Jul 26 08:17:58 2003
From: wireless at verma.sfsu.edu (Sameer Verma)
Date: Sat, 26 Jul 2003 00:17:58 -0700
Subject: [NoCat] revisiting RADIUS - Stop packets
Message-ID: <3F222B26.1090003@verma.sfsu.edu>

People,

I have been looking at the archives for some insight into RADIUS on
NoCatAuth (NCA). Based on the Authen::Radius (modified RadiusPerl from
http://chip.net/nocat) it looks like the stop packets have to come from
the gateway, which means that Authen::Radius has to be installed on the
gateway as well. Since the gw has to send the stop packet, its nocat.conf
needs to have entries regarding the radius server.

The last post I saw from Chip about this was about sending the stop packet
from the auth server. This would be in line with NCA's original design.

It looks like the stop packet must come from two locations. One should be
the subroutine that triggers the logout on the authserver (i.e. the user
logged out). The other should be the subroutine that denies access to the
user due to an expired session (user accidentally closed the logout popup).

Anybody know what these subroutines are?

Schuyler? Rob? Jay? Chip? Others?

Sameer

--
Dr. Sameer Verma, Ph.D.
Asst. Professor of Information Systems
San Francisco State University
San Francisco CA 94132 USA
http://verma.sfsu.edu/

From johnc at tvg.vg Sat Jul 26 12:12:22 2003
From: johnc at tvg.vg (John Culpepper)
Date: Sat, 26 Jul 2003 07:12:22 -0400
Subject: [NoCat] Fwd: Fw: PLEEEEEASE READ!!!!! It was on the news!]
In-Reply-To:
Message-ID:

Too stupid to live.

From jbarrett at amduat.net Sat Jul 26 15:22:11 2003
From: jbarrett at amduat.net (Jacob S. Barrett)
Date: Sat, 26 Jul 2003 07:22:11 -0700
Subject: [NoCat] revisiting RADIUS - Stop packets
Message-ID: <3F228E93.8060803@amduat.net>

Check the archives for my posts. I have patches for NoCat that add a
pluggable accounting module to the gateway. I have implementations for
file and RADIUS accounting. Check out
http://www.pogozone.net/projects/nocat/ for the patches and some details.

-Jake

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."

From wireless at verma.sfsu.edu Sat Jul 26 18:47:50 2003
From: wireless at verma.sfsu.edu (Sameer Verma)
Date: Sat, 26 Jul 2003 10:47:50 -0700
Subject: [NoCat] revisiting RADIUS - Stop packets
In-Reply-To: <3F228E93.8060803@amduat.net>
References: <3F228E93.8060803@amduat.net>
Message-ID: <3F22BEC6.9090701@verma.sfsu.edu>

Jacob S. Barrett wrote:
> Check the archives for my posts. I have patches for NoCat that add a
> pluggable accounting module to the gateway. I have implementations
> for file and RADIUS accounting. Check out
> http://www.pogozone.net/projects/nocat/ for the patches and some details.
>
> -Jake

I did look at these patches, but I am still looking for a way to send the
stop packet from the auth server without modifying the gateway. Hence the
post.

Sameer

--
Dr. Sameer Verma, Ph.D.
Asst. Professor of Information Systems
San Francisco State University
San Francisco CA 94132 USA
http://verma.sfsu.edu/

From jbarrett at amduat.net Sat Jul 26 19:58:55 2003
From: jbarrett at amduat.net (Jacob S. Barrett)
Date: Sat, 26 Jul 2003 11:58:55 -0700
Subject: [NoCat] revisiting RADIUS - Stop packets
In-Reply-To: <3F228E93.8060803@amduat.net>
References: <3F228E93.8060803@amduat.net>
Message-ID: <3F22CF6F.9030203@amduat.net>

I know what you are trying to do, but that doesn't make any sense for the
auth server to do any accounting, even the start. I want to help you
understand why, so please don't take any of this as personal. And if any
of this sounds like I am on drugs, well... I just got out of surgery, so
yeah, I am a little messed up... :)

The auth server just authorizes the request; it doesn't know if the
gateway accepted it. It doesn't really know if there was any delay at the
gateway before the rules are added to allow the client to use the service.
So by sending a start at the auth server you have just told RADIUS that a
user has started using a service. What if the gateway didn't accept the
auth server's reply, either a bad key or the user is in an untrusted
group? Do you now have to bounce something back to the auth server to send
the stop to RADIUS? That would be kind of odd because the user never
actually used the service, but the accounting would show that he had.

Also, RADIUS accounting is for measuring usage, not authentication. All
the usage is measured at the gateway: how long a user was on, and how many
bytes or packets he passed. Does it make sense to have the auth server
doing accounting? I think it makes the most sense for it to happen from
the gateway. From there we can measure packets and bytes as well as time
on.

If you don't like the fact that the gateway is now talking to your RADIUS
server you could write a plug-in for the accounting module that offloaded
this onto another machine, like the auth server. The difference between
what you are trying to do and what this would do is that the gateway is
really doing the accounting and sending to some accounting destination.
You just happen to give it a plug-in that sends it to another web service
on the auth server that forwards it to RADIUS. Although personally I don't
see any good reason to do this, it can be done rather easily.

-Jake

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."
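Two RADIUS points in this thread can be seen directly in the packet format: Karl's earlier one that the RFC protocol runs over UDP (with the server's reply carrying proof of the shared secret), and Jake's point above that Start and Stop accounting belong on the gateway because only it holds the session's time and byte counters. The following is an example added for this page, not code from NoCatAuth, RadiusPerl, Authen::Radius or Jake's accounting patches. It builds an Access-Request with the RFC 2865 User-Password hiding, checks an Access-Accept's Response Authenticator, and builds the RFC 2866 Accounting-Request Start and Stop a gateway would send; the shared secret, user name, session id and addresses are constructed placeholders:

```python
"""Added example for this thread, not NoCatAuth, RadiusPerl or Authen::Radius
code: build and check RFC 2865 (authentication) and RFC 2866 (accounting)
RADIUS packets.  Secret, user, session id and addresses are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4                     # RFC 2865
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43   # RFC 2866
ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_START, ACCT_STOP = 44, 46, 1, 2
ZERO_AUTH = b"\0" * 16   # an Accounting-Request is hashed over a zeroed authenticator

def avp(attr_type, value):
    """One attribute: Type, Length (header included), Value; ints are 32-bit."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    return bytes([attr_type, 2 + len(value)]) + value

def ipv4(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def header(code, ident, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs))

def authenticator(head, chain, attrs, secret):
    """MD5(header + chain + attrs + secret): chain is our Request Authenticator
    for a reply (RFC 2865 3) and 16 zero bytes for an Accounting-Request (RFC 2866 3)."""
    return hashlib.md5(head + chain + attrs + secret).digest()

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with an MD5 chain."""
    plain = password.encode()
    plain += b"\0" * (-len(plain) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(plain), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(plain[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password: whoever holds the secret gets the password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def access_request(ident, user, password, nas_ip, secret, req_auth=None):
    """Auth server -> RADIUS: Access-Request with a random Request Authenticator."""
    req_auth = req_auth or os.urandom(16)
    attrs = (avp(USER_NAME, user)
             + avp(USER_PASSWORD, hide_password(password, secret, req_auth))
             + avp(NAS_IP_ADDRESS, ipv4(nas_ip)))
    return header(ACCESS_REQUEST, ident, attrs) + req_auth + attrs

def reply(code, ident, attrs, req_auth, secret):
    """RADIUS -> client: Access-Accept/Reject carrying a Response Authenticator."""
    head = header(code, ident, attrs)
    return head + authenticator(head, req_auth, attrs, secret) + attrs

def accounting_request(ident, attr_list, secret):
    """Gateway -> RADIUS: Accounting-Request, authenticator over a zeroed field."""
    attrs = b"".join(avp(t, v) for t, v in attr_list)
    head = header(ACCOUNTING_REQUEST, ident, attrs)
    return head + authenticator(head, ZERO_AUTH, attrs, secret) + attrs

def verify(pkt, chain, secret):
    """True only if the packet is well-formed and proves knowledge of the secret;
    chain is our Request Authenticator for a reply, ZERO_AUTH for accounting."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    return hmac.compare_digest(authenticator(pkt[:4], chain, pkt[20:], secret), pkt[4:20])

def parse_attrs(pkt):
    """Attributes as {type: value}; rejects a Length that runs past the packet."""
    out, pos = {}, 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute at offset %d" % pos)
        out[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return out

def gateway_session(secret, session_id, user, nas_ip, seconds, octets_in, octets_out):
    """Start and Stop as the gateway sends them: it alone knows time and byte counts."""
    common = [(USER_NAME, user), (NAS_IP_ADDRESS, ipv4(nas_ip)), (ACCT_SESSION_ID, session_id)]
    start = accounting_request(10, common + [(ACCT_STATUS_TYPE, ACCT_START)], secret)
    stop = accounting_request(11, common + [
        (ACCT_STATUS_TYPE, ACCT_STOP), (ACCT_SESSION_TIME, seconds),
        (ACCT_INPUT_OCTETS, octets_in), (ACCT_OUTPUT_OCTETS, octets_out)], secret)
    return start, stop

if __name__ == "__main__":
    secret, ra = b"example-shared-secret", os.urandom(16)      # constructed values
    accept = reply(ACCESS_ACCEPT, 7, b"", ra, secret)
    print("accept verified:", verify(accept, ra, secret), "| wrong secret:", verify(accept, ra, b"other"))
```

Sending is a plain UDP datagram to port 1812 (authentication) or 1813 (accounting) with a timeout and retransmit, because nothing guarantees a reply; a TCP-only listener, or a NAT that passes the request out but not the answer back, shows up as verify never being reached rather than as an error. The verify step is what stops an Access-Accept forged by anyone who does not know the secret, and reveal_password shows the other side of that: anyone holding the secret recovers every user password that crosses the link, which is why the shared secret has to be strong.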
From wireless at verma.sfsu.edu Sat Jul 26 22:28:42 2003
From: wireless at verma.sfsu.edu (Sameer Verma)
Date: Sat, 26 Jul 2003 14:28:42 -0700
Subject: [NoCat] revisiting RADIUS - Stop packets
In-Reply-To: <3F22CF6F.9030203@amduat.net>
References: <3F228E93.8060803@amduat.net> <3F22CF6F.9030203@amduat.net>
Message-ID: <3F22F28A.20709@verma.sfsu.edu>

Jacob S. Barrett wrote:
> I know what you are trying to do, but that doesn't make any sense for
> the auth server to do any accounting, even the start. I want to help
> you understand why, so please don't take any of this as personal. And
> if any of this sounds like I am on drugs, well... I just got out of
> surgery, so yeah, I am a little messed up... :)

Agreed.

> The auth server just authorizes the request, it doesn't know if the
> gateway accepted it. It doesn't really know if there was any delay at
> the gateway before the rules are added to allow the client to use the
> service. So by sending a start at the auth server you have just told
> RADIUS that a user has started using a service. What if the gateway
> didn't accept the auth server's reply, either a bad key or the user
> is in an untrusted group? Do you now have to bounce something back to
> the auth server to send the stop to RADIUS? That would be kind of odd
> because the user never actually used the service, but the accounting
> would show that he had. Also, RADIUS accounting is for measuring
> usage, not authentication. All the usage is measured at the gateway;
> how long a user was on, and how many bytes or packets he passed. Does
> it make sense to have the auth server doing accounting? I think it
> makes the most sense for it to happen from the gateway. From there we
> can measure packets and bytes as well as time on.

Makes sense. In short, it looks like what you are saying is that
authentication must happen on the auth and acct. on the gw. Correct?

> If you don't like the fact that the gateway is now talking to your
> RADIUS server you could write a plug-in for the accounting module that
> offloaded this onto another machine, like the auth server. The
> difference between what you are trying to do and what this would do is
> that the gateway is really doing the accounting and sending to some
> accounting destination. You just happen to give it a plug-in that
> sends it to another web service on the auth server that forwards it to
> RADIUS. Although personally I don't see any good reason to do this,
> it can be done rather easily.
>
> -Jake

This would be a round about way of getting the work done.

Sameer

--
Dr. Sameer Verma, Ph.D.
Asst. Professor of Information Systems
San Francisco State University
San Francisco CA 94132 USA
http://verma.sfsu.edu/

From hjohnson at sfu.ca Sun Jul 27 00:53:39 2003
From: hjohnson at sfu.ca (hjohnson@sfu.ca)
Date: Sat, 26 Jul 2003 16:53:39 -0700
Subject: [NoCat] ANN: New throttle.fw script
Message-ID: <20030726235339.GB4243@vancouver.lucidoc.com>

Hello Folks,

Just thought that I would drop a note to you all regarding a heavily
modified throttle.fw script that I have put together for linux/netfilter.
The new script can be had from
http://vancouver.lucidoc.com/~hans/nocat/throttle.fw

New Features:

Traffic throttling is based around the HTB qdisc. I have personally found
this qdisc to be easier on the CPU, and also much easier to manage.

Traffic prioritization for each class of user (Owner, Coop, Public). This
allows you to throttle down certain types of traffic (such as
P2P/bittorrent and what not) on the outbound link so as to not saturate
the outbound link. At this point, the low priority traffic is simply
filtered out by source/destination port. If there is demand for inbound
filtering in the same style, I can add it relatively quickly.

More knobs: for each class of user, and each priority, you can set
guaranteed minimum throughput, as well as hard maximums on the throughput.
This applies to both inbound and outbound queuing.

Anyhow, please take a look at that script and let me know what you think.
I am also preparing a more advanced initialize.fw script that will play
nicely on a multi-homed (wired and wireless) firewall. I should be
releasing it relatively shortly as well.

Regards,
Hans Johnson

From jbarrett at amduat.net Sun Jul 27 01:15:56 2003
From: jbarrett at amduat.net (Jacob S. Barrett)
Date: Sat, 26 Jul 2003 17:15:56 -0700
Subject: [NoCat] revisiting RADIUS - Stop packets
In-Reply-To: <3F22CF6F.9030203@amduat.net>
References: <3F228E93.8060803@amduat.net> <3F22CF6F.9030203@amduat.net>
Message-ID: <3F2319BC.9020402@amduat.net>

Sameer Verma wrote:
> Makes sense. In short, it looks like what you are saying is that
> authentication must happen on the auth and acct. on the gw. Correct?

Yes.

> This would be a round about way of getting the work done.

Yes, that is why I haven't done it that way.

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."

From aklougbo at yahoo.com Sun Jul 27 11:14:58 2003
From: aklougbo at yahoo.com (Aime)
Date: Sun, 27 Jul 2003 03:14:58 -0700 (PDT)
Subject: [NoCat] Patch handling is in disorder for the NoCatAuth developers community
In-Reply-To: <3F16759C.F95BDBE9@kiz.uni-ulm.de>
Message-ID: <20030727101458.1634.qmail@web11002.mail.yahoo.com>

Hello Karl,

When will you release your patches below to the list? It will be
interesting if everybody can look at them and give you feedback.

Thanks
--Aime

--- Karl Gaissmaier <karl.gaissmaier@kiz.uni-ulm.de> wrote:
> Hi developers,
>
> I have a bunch of patches waiting to get sent to the list, but I'm
> disappointed by the patch handling for this project.
>
> I badly miss a CVS server for the NoCatAuth project.
>
> Following patches are waiting in my devel folder to be sent:
>
> alarm-02.patch          handles proper setting of the handle alarm
> CypherSecret-02.patch   CyperSecret-02, cryptpwd, corrects a small
>                         glitch in the popup window I forgot in patch 01
> gpg-secmem-01.patch     get rid of the following warning:
>                         gpg: Warning: using insecure memory!...
> http_redirect-01.patch  a patch for handling the wrong redirect after
>                         a successful login. href and http headers use
>                         different formats (similar patch exists, but I
>                         had no luck searching for it)
> proxy-capture-03.patch  detects clients with proxy enabled and informs
>                         them to disable it
> radius-01.patch         small patch already posted by my co-worker ulric
>
> at least it would be nice to have a process for sending patches, and
> the patches should be stored in a repository so that we don't have to
> search in the list archive.
>
> Any suggestions?
>
> Regards
> Charly
>
> --
> Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany
> Email:karl.gaissmaier@kiz.uni-ulm.de
> Service Group Network
> Tel.: ++49 731 50-22499

From recompiler at hacksrus.com Sun Jul 27 20:27:06 2003
From: recompiler at hacksrus.com (Vlad)
Date: Sun, 27 Jul 2003 15:27:06 -0400 (EDT)
Subject: [NoCat] Patch handling is in disorder for the NoCatAuth developers community
Message-ID: <10187.64.253.49.165.1059334026.squirrel@mail.omnistep.com>

Hello,

I must agree about the need for a CVS server. As part of my employment for
a research project I have found myself having to work with NoCat and
writing custom patches for it, and doing some rather innovative things. I
am very used to using CVS in the enterprise.

I have talked to some higher ups, and expect to see an unofficial CVS
server for NoCat being set up by either a prominent university or a
prominent wireless group within the next few weeks.

I will be in charge of maintaining it. Developers who wish to have their
patches mirrored should send me an email and a short patch description. I
will create an account for them so that they may use it for development.
There will also be an anonymous account for downloads.

I have collected a lot of the patches for our own internal development,
but I don't anticipate mirroring anyone's patches publicly without their
explicit request.

Developers may start emailing me requests for accounts on Wednesday.
Please make the subject "NoCat CVS account Request".

--
Vlad G.

From bh at nt.is Sun Jul 27 20:51:26 2003
From: bh at nt.is (Brynjar Hauksson)
Date: Mon, 28 Jul 2003 02:51:26 +0700
Subject: [NoCat] revisiting RADIUS - Stop packets
In-Reply-To: <3F2319BC.9020402@amduat.net>
Message-ID: <008601c35478$79a26380$6500a8c0@natuamia>

One good reason to have the Accounting built into the authentication
server and then send these messages to the radius server is because of
NAT adsl modems. I happen to be struggling to install nocat with radius.
I just want to know when people log on and off, ... but the NAT is not
being very nice to me :(

In my case the radius server is on the internet, but the gateways are
behind an ADSL router with a built in firewall. I have been doing some
debugging on this and all the UDP packets from within NAT make it to the
server, but no replies from the server to the local network.

What is the best course of action in this case?

Kveðja / Best regards / ด้วยความคิดถึง
Brynjar Hauksson
ICQ# 15512204

From rob at nocat.net Sun Jul 27 22:45:53 2003
From: rob at nocat.net (Rob Flickenger)
Date: Sun, 27 Jul 2003 14:45:53 -0700
Subject: [NoCat] Patch handling is in disorder for the NoCatAuth developers community
In-Reply-To: <10187.64.253.49.165.1059334026.squirrel@mail.omnistep.com>
Message-ID: <B249300F-C07B-11D7-8651-000393843BC2@nocat.net>

On Sunday, July 27, 2003, at 12:27 PM, Vlad wrote:

> I have talked to some higher ups, and expect to see an unofficial CVS
> server for NoCat being set up by either a prominent university or a
> prominent wireless group within the next few weeks.
>
> I will be in charge of maintaining it.

Terrific. Thanks for volunteering!

For various reasons, we can't support read/write CVS access to the existing repository. And both Schuyler and I are mired pretty deeply in other (for-pay) projects at the moment, and I know my response time isn't what it used to be. But we can certainly mirror your patch directory if you like, and we will definitely roll patches into the main tree as we can.

Regards,

--Rob

From bh at nt.is Sun Jul 27 23:05:46 2003
From: bh at nt.is (Brynjar Hauksson)
Date: Mon, 28 Jul 2003 05:05:46 +0700
Subject: [NoCat] Patch handling is in disorder for the NoCatAuth developers community
In-Reply-To: <B249300F-C07B-11D7-8651-000393843BC2@nocat.net>
Message-ID: <008c01c3548b$3c6b05e0$6500a8c0@natuamia>

I checked the nightly builds and I see that the patches from:

http://www.pogozone.net/projects/nocat/

are not yet in the nightly build... ...

I would be really happy if you could add at least the Radius patches to the main distro... or on this new CVS server :)

Kveðja / Best regards / ด้วยความคิดถึง
Brynjar Hauksson
ICQ# 15512204

-----Original Message-----
From: nocat-admin@lists.nocat.net [mailto:nocat-admin@lists.nocat.net] On Behalf Of Rob Flickenger
Sent: Monday, July 28, 2003 4:46 AM
To: Vlad
Cc: nocat@lists.nocat.net
Subject: Re: [NoCat] Patch handling is in disorder for the NoCatAuth developers community

On Sunday, July 27, 2003, at 12:27 PM, Vlad wrote:

> I have talked to some higher ups, and expect to see an unofficial CVS
> server for NoCat being set up by either a prominent university or a
> prominent wireless group within the next few weeks.
>
> I will be in charge of maintaining it.

Terrific. Thanks for volunteering!

For various reasons, we can't support read/write CVS access to the existing repository. And both Schuyler and I are mired pretty deeply in other (for-pay) projects at the moment, and I know my response time isn't what it used to be. But we can certainly mirror your patch directory if you like, and we will definitely roll patches into the main tree as we can.

Regards,

--Rob

From schuyler at oreilly.com Mon Jul 28 20:41:25 2003
From: schuyler at oreilly.com (Schuyler Erle)
Date: Mon, 28 Jul 2003 12:41:25 -0700 (PDT)
Subject: [NoCat] NoCatAuth Wiki (was: Patch handling is in disorder...)
In-Reply-To: <10187.64.253.49.165.1059334026.squirrel@mail.omnistep.com>
Message-ID: <Pine.LNX.4.21.0307281236570.27871-100000@magic.oreillynet.com>

On Sun, 27 Jul 2003, Vlad wrote:

> I must agree about the need for a CVS server. As part of my employment for
> a research project I have found myself having to work with NoCat and
> writing custom patches for it, and doing some rather innovative things. I
> am very used to using CVS in the enterprise.

Thanks for offering this, Vlad, but hopefully it won't be necessary. I know I've been a little slow on the uptake -- very busy and otherwise distracted here -- but we're making some changes to the NoCatAuth development process that will hopefully make things a little quicker, a little better organized, and help the community attain greater involvement in the development of the project.

The first step is that we've set up a wiki to allow people to post and maintain documentation, HOWTOs, patches, enhancements, scripts, whatever. I've already seeded the wiki with the documentation that's distributed with NoCatAuth, and I want to encourage you all to go check it out, feel free to update it, and to really make it your own. The wiki is at (surprise) http://nocat.net/wiki/ ... There are also links from the front page.

If people who have posted patches to the mailing list might be willing to re-post their patches there, or post links to them, that might be a starting point for organizing the submitted code and getting it into the distribution.

I hope to have more news for you all shortly. Thanks again for your patience.

SDE

From karl.gaissmaier at kiz.uni-ulm.de Mon Jul 28 21:01:07 2003
From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier)
Date: Mon, 28 Jul 2003 22:01:07 +0200
Subject: [NoCat] Patch: anonymous-01.patch
Message-ID: <200307282201.07769.karl.gaissmaier@kiz.uni-ulm.de>

--------------Boundary-00=_VL3R4X2FUB0RR4PSSL05
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi folks,

thanks, Vlad, that we have the chance for a CVS server. Here are the first patches for public review:

Name: anonymous-01.patch
Affected Files: cgi-bin/admlogin cgi-bin/login
Severity: low
Description: Uses the ANONYMOUS constant from NoCat.pm instead of "UNKNOWN" in the affected files. I think this was just a lapse during the changes over time.

--
Karl Gaissmaier
KIZ/Infrastructure, University of Ulm, Germany
Email: karl.gaissmaier@kiz.uni-ulm.de
Service Group Network

--------------Boundary-00=_VL3R4X2FUB0RR4PSSL05 Content-Type: text/x-diff; charset="us-ascii"; name="anonymous-01.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="anonymous-01.patch" diff -Naur NoCatAuth-nightly/cgi-bin/admlogin NoCatAuth-mod/cgi-bin/admlogin --- NoCatAuth-nightly/cgi-bin/admlogin Wed Mar 6 11:01:17 2002 +++ NoCatAuth-mod/cgi-bin/admlogin Wed Jul 16 17:33:57 2003 @@ -13,7 +13,7 @@ ### use lib '../lib/'; -use NoCat; +use NoCat qw( ANONYMOUS ); use strict; my $authserv = NoCat->auth_service( ConfigFile => $ENV{NOCAT} );
@@ -27,7 +27,7 @@ )); $authserv->log( 7, sprintf( "User %s from %s requests %s", - $params->{user} || "UNKNOWN", $cgi->remote_host, lc( $params->{mode} ) || "form" ) ); + $params->{user} || ANONYMOUS, $cgi->remote_host, lc( $params->{mode} ) || "form" ) ); # Figure out which image button was clicked (since they don't have value="" attributes). if (my ($button) = grep $params->{"mode_$_.x"}, qw( login skip logout )) { diff -Naur NoCatAuth-nightly/cgi-bin/login NoCatAuth-mod/cgi-bin/login --- NoCatAuth-nightly/cgi-bin/login Thu Aug 15 04:05:18 2002 +++ NoCatAuth-mod/cgi-bin/login Wed Jul 16 17:29:40 2003 @@ -33,7 +33,7 @@ )); $authserv->log( 7, sprintf( "User %s from %s requests %s", - $params->{user} || "UNKNOWN", $cgi->remote_host, + $params->{user} || ANONYMOUS, $cgi->remote_host, lc( $params->{mode} ) || "form" ) ); --------------Boundary-00=_VL3R4X2FUB0RR4PSSL05-- From karl.gaissmaier at kiz.uni-ulm.de Mon Jul 28 22:13:59 2003 
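Review bot: the cgi-bin/login hunk switches the fallback to the bareword constant ANONYMOUS but, unlike the admlogin hunk, changes nothing on that file's `use NoCat` line; under `use strict` an unimported ANONYMOUS is a compile-time error, so either login already imports the constant or the import line is missing from this patch, and the description should say which. Visible in both hunks but predating the change: the level-7 log line prints the untrusted `$params->{user}` value as-is, so whatever a client types into the user field lands in the log unescaped.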
From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Mon, 28 Jul 2003 23:13:59 +0200 Subject: [NoCat] Patch: radius-01.patch Message-ID: <200307282313.59211.karl.gaissmaier@kiz.uni-ulm.de> --------------Boundary-00=_BZ6R7R2L046KMCUO0OYA Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8bit Name: radius-01.patch Affected Files: lib/NoCat/Source/RADIUS.pm Version: Patch against 0.82 Severity: necessary when you use radius Description: bug introduced with 0.82 -- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network --------------Boundary-00=_BZ6R7R2L046KMCUO0OYA Content-Type: text/x-diff; charset="us-ascii"; name="radius-01.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="radius-01.patch" diff -Naur NoCatAuth-nightly/lib/NoCat/Source/RADIUS.pm NoCatAuth-mod/lib/NoCat/Source/RADIUS.pm --- NoCatAuth-nightly/lib/NoCat/Source/RADIUS.pm Thu Aug 15 04:00:02 2002 +++ NoCatAuth-mod/lib/NoCat/Source/RADIUS.pm Mon Jul 14 14:29:31 2003 @@ -85,8 +85,8 @@ # mimic the check_pwd from Authen::Radius $radius->clear_attributes; $radius->add_attributes ( - { Name => 1, Value => $user->id }, - { Name => 2, Value => $user_pw } + { Name => 1, Value => $user->id, Type => 'string' }, + { Name => 2, Value => $user_pw, Type => 'string' } ); my $radiuscheckok = 0; --------------Boundary-00=_BZ6R7R2L046KMCUO0OYA-- From karl.gaissmaier at kiz.uni-ulm.de Mon Jul 28 22:25:09 2003 
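Review bot: the two attributes in the hunk are identified only by number, `Name => 1` and `Name => 2`, which in RADIUS (RFC 2865) are User-Name and User-Password; a comment saying so, and saying that the explicit `Type => 'string'` is needed because a numeric id gives the library nothing to look a type up from when no dictionary has been loaded, would make the one-line description "bug introduced with 0.82" verifiable from the code. Since attribute 2 is the password, also confirm that Authen::Radius still applies its User-Password hiding to a numerically named attribute on send, so `$user_pw` does not leave the host as a plain string.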
From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Mon, 28 Jul 2003 23:25:09 +0200 Subject: [NoCat] Patch: admin_deny-01.patch Message-ID: <200307282325.09105.karl.gaissmaier@kiz.uni-ulm.de> --------------Boundary-00=_XH7RDBX35TDHMSLLV174 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8bit Name: admin_deny-01.patch Affected Files: lib/NoCat/Gateway/Captive.pm Version: Patch against 0.82 or later Severity: important if you have a lot of clients Description: When the admin denies a client explicit with "access.fw deny mac ip group" the gateway don't get the state change and a new capture of this client will end up in a capture loop. With some small changes through this patch the admin is able to logout a client in the filterrules (reset to definitive state) without faking IP/MAC of the client and without resetting the whole gateway, with perhaps a lot of connections established! -- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network --------------Boundary-00=_XH7RDBX35TDHMSLLV174 Content-Type: text/x-diff; charset="us-ascii"; name="admin_deny-01.patch" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="admin_deny-01.patch" diff -Naur NoCatAuth-nightly/lib/NoCat/Gateway/Captive.pm NoCatAuth-mod/lib/NoCat/Gateway/Captive.pm --- NoCatAuth-nightly/lib/NoCat/Gateway/Captive.pm Tue Feb 11 02:59:09 2003 +++ NoCatAuth-mod/lib/NoCat/Gateway/Captive.pm Fri Jul 25 17:01:09 2003 @@ -150,6 +150,10 @@ # Actually, we've seen this one before. Reuse the token. $original->socket( $peer->socket ); $peer = $original; + # reset old status in case we dropped just the peer in the mangle table + $peer->status(''); + $peer->user(''); + $peer->class(''); } else { $self->add_peer( $peer ); } --------------Boundary-00=_XH7RDBX35TDHMSLLV174-- From karl.gaissmaier at kiz.uni-ulm.de Mon Jul 28 22:44:42 2003 
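Review bot: the reset of status, user and class runs for every re-captured known peer, not only for one the admin denied, so the in-memory record is wiped whenever such a client reconnects to the capture port; that is what the description wants (no capture loop, forced re-authentication), but it should be logged at the debug level the surrounding code uses so an operator can see the forced logout, and the description should state whether the peer's firewall rules are expected to be gone already (the comment assumes "we dropped just the peer in the mangle table"). Also confirm that `user('')` and `class('')` are acceptable to callers that otherwise receive undef or an object; an empty string passes a defined-ness check that undef would not.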
From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Mon, 28 Jul 2003 23:44:42 +0200 Subject: [NoCat] Patch: daemonize-04.patch Message-ID: <200307282344.42236.karl.gaissmaier@kiz.uni-ulm.de> --------------Boundary-00=_IE8R520H6YQ8AGHS6MD7 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8bit Name: daemonize-04.patch Affected Files: bin/gateway lib/NoCat/Firewall.pm lib/NoCat.pm libexec/iptables/initialize.fw Version: Patch against 0.82 or later Severity: unimportant, just a better (IMHO) handling going daemon Description: If you choose syslogging still some messages are sent to the terminal, since the authors forgot to close STDIN, STDOUT, STDERR and logging itself should be polished in some pieces. This patch add some code to go daemon as you learn it from standard unix system programming books. Additional with this code, the daemon chdir's to '/' which makes small changes in Modules necessary that depend on the current working dir of the daemon, like Firewall.pm and initialize.fw for the throttling part. -- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email: karl.gaissmaier@kiz.uni-ulm.de Service Group Network --------------Boundary-00=_IE8R520H6YQ8AGHS6MD7 Content-Type: text/x-diff; charset="us-ascii"; name="daemonize-04.patch" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="daemonize-04.patch" diff -Naur NoCatAuth-nightly/bin/gateway NoCatAuth-mod/bin/gateway --- NoCatAuth-nightly/bin/gateway 2003-03-08 02:56:51.000000000 +0100 +++ NoCatAuth-mod/bin/gateway 2003-07-26 17:06:36.000000000 +0200 
@@ -58,7 +58,21 @@ } elsif ( not defined $pid ) { die "Can't fork: $!"; } - setsid; + + die "Cannot detach from controlling terminal" + unless setsid(); + + chdir '/' or die "Can't chdir('/'), $!\n"; + umask 0; + + # reopen stdin to /dev/null + open(STDIN, "</dev/null"); + + # reopen stdout, stderr to /dev/null if not needed for logging + if ($server->{LogFacility} eq 'syslog') { + open(STDOUT, ">/dev/null"); + open(STDERR, ">&STDOUT"); + } } # Fork a child process and watch it, if we're in debug mode. diff -Naur NoCatAuth-nightly/lib/NoCat/Firewall.pm NoCatAuth-mod/lib/NoCat/Firewall.pm --- NoCatAuth-nightly/lib/NoCat/Firewall.pm 2003-02-12 03:56:42.000000000 +0100 +++ NoCatAuth-mod/lib/NoCat/Firewall.pm 2003-07-26 17:11:24.000000000 +0200 @@ -21,6 +21,10 @@ MembersOnly RouteOnly IgnoreMAC ); +# not in qw() in order to have independent patches +# put these independent patches together in the next release -- charly +push @Perform_Export, 'BinPath'; + # If /proc/net/arp is available, use it. Otherwise, fork /sbin/arp and read # its output to get ARP cache data. Turns out '/sbin/arp -an' gives the same # output on both Linux and *BSD. (Thank goodness.) diff -Naur NoCatAuth-nightly/lib/NoCat.pm NoCatAuth-mod/lib/NoCat.pm --- NoCatAuth-nightly/lib/NoCat.pm 2003-07-13 12:00:04.000000000 +0200 +++ NoCatAuth-mod/lib/NoCat.pm 2003-07-26 17:08:47.000000000 +0200 @@ -54,6 +54,9 @@ ### Where to look for form templates? DocumentRoot => "$FindBin::Bin/../htdocs", + ### Where to look for executables + BinPath => "$FindBin::Bin", + ### Default log level. Verbosity => 5, LogFacility => "internal", diff -Naur NoCatAuth-nightly/libexec/iptables/initialize.fw NoCatAuth-mod/libexec/iptables/initialize.fw --- NoCatAuth-nightly/libexec/iptables/initialize.fw 2003-03-27 04:21:04.000000000 +0100 +++ NoCatAuth-mod/libexec/iptables/initialize.fw 2003-07-26 17:07:49.000000000 +0200 
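Review bot: `umask 0` in the bin/gateway hunk makes every file the daemon creates from then on world-writable unless the creating code passes an explicit mode, and a gateway that programs iptables runs as root; use `umask 022` or simply keep the inherited umask. The three `open()` calls on STDIN, STDOUT and STDERR also ignore their return values while the `setsid()` and `chdir` lines just above die on failure; `open(STDIN, '</dev/null') or die "...: $!"` keeps the two halves consistent. Worth a comment, too, that STDOUT and STDERR deliberately stay on their original descriptors when LogFacility is not 'syslog'.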
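Review bot: the new default `BinPath => "$FindBin::Bin"` in the lib/NoCat.pm hunk is the directory of whichever script is running (bin/ for bin/gateway), whereas the script that consumes it is libexec/iptables/initialize.fw, two directories away; if throttle.fw is meant to live beside initialize.fw rather than beside gateway, derive the default from the firewall script directory instead, and make the comment "Where to look for executables" say which executables are meant.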
@@ -235,7 +235,7 @@ # # chmod +x throttle.fw # -[ -x throttle.fw ] && throttle.fw +[ -x $BinPath/throttle.fw ] && $BinPath/throttle.fw ## # Add any other local firewall rules below. --------------Boundary-00=_IE8R520H6YQ8AGHS6MD7-- From karl.gaissmaier at kiz.uni-ulm.de Mon Jul 28 22:57:57 2003 From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Mon, 28 Jul 2003 23:57:57 +0200 Subject: [NoCat] Patch: CypherSecret-02.patch Message-ID: <200307282357.57583.karl.gaissmaier@kiz.uni-ulm.de> --------------Boundary-00=_L09RU2RHXYRQ6K8AFHJU Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8bit Name: CypherSecret-02.patch Affected Files: authserv.conf cgi-bin/login lib/NoCat.pm Version: Patch against 0.82 or later Severity: important, but depends on the user group (we are at a University!) Prohibits the standard cleartext passwords in the html source Description: the cgi param password is replaced with cryptpwd. The algorithm building the symmetric encryption is the same as in the radius protocol. The encryption code is nearly literally copied from Authen::Radius. The already exchanged and periodically altered token is used as a salt. Future: Perhaps with the usage of CGI::Session the whole authentication and renewal algorithm should be cleaned up and improved. -- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network --------------Boundary-00=_L09RU2RHXYRQ6K8AFHJU Content-Type: text/x-diff; charset="us-ascii"; name="CypherSecret-02.patch" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="CypherSecret-02.patch" diff -Naur NoCatAuth-nightly/authserv.conf NoCatAuth-mod/authserv.conf --- NoCatAuth-nightly/authserv.conf Mon Mar 17 23:46:11 2003 +++ NoCatAuth-mod/authserv.conf Mon Jul 14 09:56:42 2003 
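Review bot: in the daemonize-04 initialize.fw hunk above, `$BinPath` is unquoted in both places; with an empty BinPath (for instance an unpatched NoCat.pm that never exports it) the test becomes `[ -x /throttle.fw ]`, and a path containing whitespace splits into several words; write `[ -x "$BinPath/throttle.fw" ] && "$BinPath/throttle.fw"`. The change itself is a hardening step the description undersells: the old bare `throttle.fw` was resolved through the daemon's PATH, so which file ran depended on that environment rather than on the installation directory.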
@@ -12,6 +12,13 @@ # Verbosity 10 +# +# CypherSecret -- used for symmetric encryption of the +# user password. Without a CypherSecret the cleartext password is +# viewable in the html sources, the browser cache, the history, the ... +# +CypherSecret mysecret + ## # PGPKeyPath -- The directory in which PGP keys are stored. # NoCat tries to find this in the pgp/ directory above diff -Naur NoCatAuth-nightly/cgi-bin/login NoCatAuth-mod/cgi-bin/login --- NoCatAuth-nightly/cgi-bin/login Thu Aug 15 04:05:18 2002 +++ NoCatAuth-mod/cgi-bin/login Mon Jul 14 10:30:11 2003 @@ -52,6 +52,13 @@ $authserv->display( FatalForm => "Your gateway token is undefined. Problem with the gateway?" ) unless $params->{token}; +# did we get a crypted password, generate the cleartext for authentication +if ($authserv->{CypherSecret} and not $params->{pass}) { + my $salt = $params->{token}; + $params->{pass} = $authserv->encrypt_pwd($params->{cryptpwd}, $salt) + if $params->{cryptpwd}; +}; + # If the user skipped authentication... if ( $params->{user} eq ANONYMOUS or $params->{mode} =~ /^skip/io ) { $params->{user} = ANONYMOUS; 
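Review bot: `CypherSecret mysecret` is shipped as a live setting, so every installation that leaves authserv.conf untouched shares a published key and the XOR hiding can be undone by anyone who knows it; ship the line commented out, or have cgi-bin/login refuse to enable the feature while the value is still the sample. The comment should also say that the value need only be known to the auth server (both directions are computed in cgi-bin/login) and should be a long random string rather than a word.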
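Review bot: the decrypt branch in the login @@ -52 hunk takes both `cryptpwd` and the `token` it is salted with from the request, so the pair found in a browser cache or history still logs the user in for as long as CypherSecret is unchanged; the cleartext is hidden, which is the stated goal, but the description should not suggest more than that, and the only check on `token` a few lines up is that it is defined, not that the auth server issued it recently. The recovered `$params->{pass}` also carries the NUL padding encrypt_pwd appends (it always pads to a multiple of 16 bytes), so strip trailing \0 bytes before handing it to the authentication source, or the backend compares against the wrong password.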
@@ -80,10 +87,27 @@ # Either we're requesting the renewal popup box... if ( $params->{mode} =~ /^popup/io ) { $form = ( $params->{gateway} ? "PassiveRenewForm" : "RenewForm" ); + # create cryptpwd with new token as salt + if ($authserv->{CypherSecret}) { + my $salt = $params->{token}; + $params->{cryptpwd} = $authserv->encrypt_pwd($params->{pass}, $salt); + # be sure no cleartext password can be in the html forms or url's + delete $params->{pass}; + }; + $params->{redirect} = $authserv->renew_url; # Or we're either logging in, or renewing, in which case, notify the gateway. } elsif ($gw = $authserv->notify( Permit => $params )) { + + # create cryptpwd with new token as salt + if ($authserv->{CypherSecret} and not $gw->{Error}) { + my $salt = $gw->{Token} || $gw->{token}; + $params->{cryptpwd} = $authserv->encrypt_pwd($params->{pass}, $salt); + # be sure no cleartext password can be in the html forms or url's + delete $params->{pass}; + }; + if ( $gw->{Error} ) { # Oddly enough, this isn't really success. $form = "ExpiredForm"; diff -Naur NoCatAuth-nightly/lib/NoCat.pm NoCatAuth-mod/lib/NoCat.pm --- NoCatAuth-nightly/lib/NoCat.pm Sun Jul 13 12:00:04 2003 +++ NoCatAuth-mod/lib/NoCat.pm Mon Jul 14 09:56:42 2003 @@ -14,6 +14,7 @@ use FindBin; use Exporter; use Carp; +use Digest::MD5 qw(); use vars qw( @ISA @EXPORT_OK *FILE ); use strict; 
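Review bot: `my $salt = $gw->{Token} || $gw->{token};` in the notify branch of the @@ -80 hunk is guessing at the key name in the gateway's reply; use the one notify() actually returns and drop the fallback, because if neither key exists the salt is undef, encrypt_pwd still returns a value (keystream derived from CypherSecret alone), and every renewal then carries the same ciphertext for the same password. Both branches `delete $params->{pass}` after computing cryptpwd, yet Affected Files lists no htdocs template; the renew and popup forms must carry a hidden cryptpwd field in place of pass for this to work, so either those hunks are missing from the patch or the dependency should be stated.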
@@ -378,6 +379,26 @@ return NoCat::Peer->new( Parent => $self, @_ ); } +sub encrypt_pwd { + # based on the algorithm used in the radius protocol + croak "parameter(s) missing" unless scalar @_ == 3; + my ($self, $pwd, $token) = @_; + my ($i, $ct, @pwdp, @xor); + + # algorithm copied nearly literally from Authen::Radius by kg + # this only works for passwords <= 16 chars + $pwd .= "\0" x (16 - length($pwd) % 16); + @pwdp = unpack('C16', pack('a16', $pwd)); + $ct = Digest::MD5->new; + $ct->add ($self->{CypherSecret}, $token); + @xor = unpack('C16', $ct->digest()); + for $i (0..15) { + $pwdp[$i] ^= $xor[$i]; + } + + pack('C' . length($pwd), @pwdp); +} + 1; __END__ @@ -477,6 +498,8 @@ =item template() Pass a template, and optional hashref, and it returns the filled template. +=item encrypt_pwd() Symmetrically encrypts a string. Algorithm copied from Authen::Radius() + =item gateway() Returns a NoCat::Gateway object =item firewall() Returns a NoCat::Firewall object --------------Boundary-00=_L09RU2RHXYRQ6K8AFHJU-- From karl.gaissmaier at kiz.uni-ulm.de Mon Jul 28 23:06:49 2003 
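Review bot: encrypt_pwd silently truncates at 16 bytes (`pack('a16', $pwd)`), so a longer password round-trips as a different string and the user only sees a failed login; since the comment already admits the limit, either `croak` when `length($pwd) > 16` or chain the blocks as RFC 2865 does (c1 = p1 xor MD5(S||RA), ci = pi xor MD5(S||c(i-1))) so any length works. The return value is raw bytes that may contain NUL, quote or angle-bracket characters, and cgi-bin/login then places it in a hidden form field and in `$params`; hex- or base64-encode on the way out and decode on the way in. Finally, this is keystream XOR, hiding rather than authenticated encryption (a flipped bit in cryptpwd flips the same bit in the recovered password), so the POD line "Symmetrically encrypts a string" should say it implements the RFC 2865 User-Password hiding.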
From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Tue, 29 Jul 2003 00:06:49 +0200 Subject: [NoCat] Patch: alarm-02.patch Message-ID: <200307290006.49844.karl.gaissmaier@kiz.uni-ulm.de> --------------Boundary-00=_DF9R47GP6V2W29NTNWN0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8bit Name: alarm-02.patch Affected Files: lib/NoCat/Gateway.pm Version: Patch against 0.82 or later Severity: unimportant, works wihout applying this patch Description: handling a new connection on the gateway port is guarded with a timeout to prevent DoS and lurking processes. The alarm handling is a little bit improved with this patch. -- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network --------------Boundary-00=_DF9R47GP6V2W29NTNWN0 Content-Type: text/x-diff; charset="us-ascii"; name="alarm-02.patch" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="alarm-02.patch" diff -Naur NoCatAuth-nightly/lib/NoCat/Gateway.pm NoCatAuth-mod/lib/NoCat/Gateway.pm --- NoCatAuth-nightly/lib/NoCat/Gateway.pm Mon Mar 10 17:50:51 2003 +++ NoCatAuth-mod/lib/NoCat/Gateway.pm Wed Jul 16 17:17:26 2003 
@@ -278,20 +278,21 @@ $self->log( 8, "Connection to " . $sock->sockhost . " from $peerhost" ); - # Set the UNIX alarm clock. - alarm( $self->{HandleTimeout} ) if $self->{HandleTimeout}; - # Wrap the call to handle() in eval{}, so we catch the # exception when the alarm goes off. # - # Then turn the alarm off, Schuyler, you moron! - eval { + eval { + # ALRM signal handler only for this eval block + local $SIG{ALRM} = sub {die "timeout in handling connection\n"}; + + # Set the UNIX alarm clock. + alarm( $self->{HandleTimeout} ) if $self->{HandleTimeout}; $self->handle( $peer ); - alarm 0 if $self->{HandleTimeout}; + alarm 0; }; # Note the warning if the call to handle() threw an exception. - $self->log( 1, "$peerhost: $@" ) if $@; + $self->log( 1, "peer $peerhost: $@" ) if $@; } sub check_expired { --------------Boundary-00=_DF9R47GP6V2W29NTNWN0-- From karl.gaissmaier at kiz.uni-ulm.de Mon Jul 28 23:18:49 2003 
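Review bot: `alarm 0` sits inside the eval after `$self->handle( $peer )`, so when handle() dies for any reason other than the timeout the cancellation is skipped, the `local $SIG{ALRM}` handler has already been restored when the eval exits, and the still-armed alarm later fires under whatever handler was in force before, which by default terminates the gateway; add an unconditional `alarm 0;` immediately after the eval block, before the `$self->log( 1, ... )` line, which is the standard shape of this idiom. The rest of the hunk is right: installing the handler before arming the alarm and scoping it with local are both improvements over the old code.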
From: karl.gaissmaier at kiz.uni-ulm.de (Karl Gaissmaier) Date: Tue, 29 Jul 2003 00:18:49 +0200 Subject: [NoCat] Patch: http_redirect_header-01.patch Message-ID: <200307290018.49811.karl.gaissmaier@kiz.uni-ulm.de> --------------Boundary-00=_DZ9RSG9QS5B0WYKN2F0D Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8bit Name: http_redirect_header-01.patch Affected Files: lib/NoCat/AuthService.pm htdocs/login_ok.html htdocs/register_ok.html htdocs/renew.html htdocs/renew_pasv.html Version: Patch against 0.82 or later Severity: necessary for proper redirect after a successful login when the user clicks on the offered link. Description: the $redirect is used for two purposes: First in the http-equiv and as a normal href in the login_ok form (you get redirected in 5 seconds ...). But this is not possible, these are different formats, since the http-equiv needs a time in front of the url. This introduces a new variable $http_redirect for use in http-equiv and the $redirect used in href. There exists already a patch from Jacob S. Barrett, but I think this patch is not proper handling the renewal time. Please tell me if I'm wrong. -- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany Email:karl.gaissmaier@kiz.uni-ulm.de Service Group Network --------------Boundary-00=_DZ9RSG9QS5B0WYKN2F0D Content-Type: text/x-diff; charset="us-ascii"; name="http_redirect_header-01.patch" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="http_redirect_header-01.patch" diff -Naur NoCatAuth-nightly/htdocs/login_ok.html NoCatAuth-mod/htdocs/login_ok.html --- NoCatAuth-nightly/htdocs/login_ok.html Thu Aug 15 04:01:25 2002 +++ NoCatAuth-mod/htdocs/login_ok.html Mon Jul 14 11:16:39 2003 @@ -1,7 +1,7 @@ <html> <head> <title>Welcome, $user! - +