[NoCat] GPG head banging

Ryan Shea ryan at muppethouse.com
Fri, 20 Jun 2003 02:05:35 -0400


Ehh.  Finally I got it.  It had nothing to do with my GPG keys at all.   
I think I had different problems going on at different times, but it  
looks like after upgrading to the nightly build at one point I  
fat-fingered the MySQL password into the nocat.conf.  Sooo tired.  Now  
I shall rest.

-Ryan

On Thursday, June 19, 2003, at 03:23 AM, Rob Thorne wrote:

> Ryan,
>
> Several tips:
>
>   1. Your passphrase should be empty when you generate the key.
>   2. If apache is running as "apache", I usually make the pgp directory
>      belong to apache.apache (chown -R apache.apache pgp/) and make
>      sure the permissions are restricted to something like 600 (owner
>      r/w only; "chmod -R 600 pgp/").  This seems to make gpg much
>      happier.
>   3. As you correctly say, trustedkeys.gpg is indeed copied to the
>      gateway.
>   4. There is no need to generate a private/public key pair for the
>      gateway in order to use NoCatAuth, and nothing to copy from the
>      gateway to the auth server machine.
>
> A couple of these problems can definitely create log entries similar
> to ones you're seeing, so I'd fix these problems first, and see if it
> makes the "Child processes exited with 1" entry go away on the gateway.
>
> Regards,
> Rob
>
> Ryan Shea wrote:
>
>> Hey guys.  I have my gateway working and it has no issues with  
>> auth.nocat.net, but I've been trying for countless hours to get my  
>> GPG configuration correct between my Auth server and my gateway box.
>>
>> make gpg tells me:
>>
>> cp -R /usr/local/nocat/pgp/pubring.gpg  
>> /usr/local/nocat/trustedkeys.gpg
>>
>> Be sure to make your /usr/local/nocat/pgp directory readable *only* by
>> the user
>>      your httpd runs as.
>>
>> The public key ring you'll need to distribute can be found in
>>             /usr/local/nocat/trustedkeys.gpg.
>>
>> I have obviously created a passphraseless key with an email address of
>> root@localhost.  I find that key in /usr/local/nocat/trustedkeys.gpg.
>> I created this key by typing make pgpkey on my Auth box - I was user
>> root at the time.  I also see in /usr/local/nocat/pgp that there are
>> four more gpg files, pubring.gpg, random.seed, secret.gpg, and
>> trusdb.gpg.
>>
>> As I understand it from the "you'll need to distribute" line from
>> "make pgpkey", /usr/local/nocat/trustedkeys.gpg should be copied to the
>> gateway box - and I do this.  "scp trustedkeys.gpg
>> root@gateway:/usr/local/nocat/trustedkeys.gpg".  I also noticed that:
>> [root@hate.net pgp]$diff pubring.gpg ../trustedkeys.gpg
>> [root@hate.net pgp]$
>>
>> so those are the same... hmm, so is this like ssh key authentication
>> and the public key of the auth service should be in the trustedkeys.gpg
>> file on the gateway server (like authorized_keys file)?
>>
>> Here is my apache log.  Again, same problem after copying the
>> trustedkeys.gpg over to the gateway box.
>> [Wed Jun 18 22:10:04 2003] [error] [client 10.0.2.1] Premature end of
>> script headers: login, referer:
>> https://nocat.muppethouse.net/cgi-bin/login?token=%241%2440669155%240xT%2eFgwPAEImLsD%2eCiOIH0&timeout=600&redirect=http%3a%2f%2fwww%2eyahoo%2ecom%2f&mac=00%3a05%3a5D%3aF1%3a38%3a12&gateway=172%2e16%2e2%2e1%3a5280
>> [Wed Jun 18 22:10:04 2003] [error] [client 10.0.2.1] [2003-06-18
>> 22:10:04] gpg --sign --armor --homedir=/usr/local/nocat/cgi-bin/../pgp
>> --keyring trustedkeys.gpg --no-tty -o- 2>/dev/null returned error:
>> Illegal seek ( 2 ), referer:
>> https://nocat.muppethouse.net/cgi-bin/login?token=%241%2440669155%240xT%2eFgwPAEImLsD%2eCiOIH0&timeout=600&redirect=http%3a%2f%2fwww%2eyahoo%2ecom%2f&mac=00%3a05%3a5D%3aF1%3a38%3a12&gateway=172%2e16%2e2%2e1%3a5280
>> [Wed Jun 18 22:10:04 2003] [error] [client 10.0.2.1] Can't call method
>> "text" on an undefined value at ../lib//NoCat/AuthService.pm line 134.,
>> referer:
>> https://nocat.muppethouse.net/cgi-bin/login?token=%241%2440669155%240xT%2eFgwPAEImLsD%2eCiOIH0&timeout=600&redirect=http%3a%2f%2fwww%2eyahoo%2ecom%2f&mac=00%3a05%3a5D%3aF1%3a38%3a12&gateway=172%2e16%2e2%2e1%3a5280
>>
>> Does the Auth server need to have the gateway public key in its
>> trustedkeys.gpg?
>> I have validated each of the keys with md5sum and by looking at the
>> strings within them and I am properly copying the files as I intended.
>> Do I need to downgrade gnupg to 1.0.6?  I'm currently running 1.0.7 -
>> but since it works with auth.nocat.net isn't that sort of a proof of
>> concept?
>>
>> Thank you developers for what seems like the ONLY well developed  
>> complete solution to the wireless security problem - now if I could  
>> only get it to work.
>>
>> -Ryan
>
> -- 
> Rob Thorne
> Torenware Networks
>
>
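Rob's permission tips and the `make gpg` message quoted in the thread ("readable *only* by the user your httpd runs as") amount to a layout check on the auth server's pgp directory. The following audit is an added example, not NoCatAuth's code and not from anyone in this thread; the `httpd_uid` shortcut, the sample keyring file names and the temp directory it builds are constructed for the demo, and it insists on owner execute for the directory because gpg cannot open keyrings in a directory it cannot traverse.

```python
import filecmp
import os
import pwd
import stat
import tempfile
from pathlib import Path

def audit_pgp_dir(pgp_dir, trustedkeys, httpd_user=None, httpd_uid=None):
    """Return the problems found (empty list == sane). httpd_user is the login
    Apache runs as (e.g. "apache"); httpd_uid may be given instead of it."""
    pgp_dir, trustedkeys = Path(pgp_dir), Path(trustedkeys)
    if httpd_uid is None:
        httpd_uid = pwd.getpwnam(httpd_user).pw_uid
    if not pgp_dir.is_dir():
        return [f"{pgp_dir}: missing or not a directory"]
    problems = []
    # Directory and each file: owned by the httpd user, no group/other bits at all.
    for path in [pgp_dir, *sorted(pgp_dir.iterdir())]:
        st = path.lstat()
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != httpd_uid:
            problems.append(f"{path}: owned by uid {st.st_uid}, not {httpd_uid}")
        if mode & 0o077:
            problems.append(f"{path}: mode {oct(mode)} allows group/other access")
    # The directory itself needs owner execute, or gpg cannot open the keyrings.
    if not stat.S_IMODE(pgp_dir.stat().st_mode) & stat.S_IXUSR:
        problems.append(f"{pgp_dir}: owner lacks execute bit (needs 700, not 600)")
    pubring = pgp_dir / "pubring.gpg"
    if not pubring.is_file():
        problems.append(f"{pubring}: missing; run make pgpkey on the auth server")
    elif not trustedkeys.is_file():
        problems.append(f"{trustedkeys}: missing; run make gpg to copy pubring.gpg")
    elif not filecmp.cmp(pubring, trustedkeys, shallow=False):
        problems.append(f"{trustedkeys}: differs from {pubring}; copy it again")
    return problems

def demo():
    """Constructed sample, no real keys: audit clean, loosen one file, audit again."""
    with tempfile.TemporaryDirectory() as base:
        pgp = Path(base) / "pgp"
        pgp.mkdir(mode=0o700)
        for name in ("pubring.gpg", "secring.gpg", "trustdb.gpg", "random_seed"):
            (pgp / name).write_bytes(b"constructed sample, not a real keyring")
            (pgp / name).chmod(0o600)
        trusted = Path(base) / "trustedkeys.gpg"  # what `make gpg` copies out
        trusted.write_bytes((pgp / "pubring.gpg").read_bytes())
        good = audit_pgp_dir(pgp, trusted, httpd_uid=os.getuid())
        (pgp / "secring.gpg").chmod(0o644)  # the kind of slip the thread is chasing
        bad = audit_pgp_dir(pgp, trusted, httpd_uid=os.getuid())
        return good, bad
```

On a real auth server call `audit_pgp_dir("/usr/local/nocat/pgp", "/usr/local/nocat/trustedkeys.gpg", httpd_user="apache")` and fix whatever it lists before looking at the gpg invocation itself.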