IPMI password authentication - ipmitool

I don't see the option of PASSWORD authentication at my IPMI channel 1 settings output. I even tried factory reset. Can you please let me know how I can enable the password authentication.
$ipmitool lan print 1
Auth Type Support : MD2 MD5 OEM
Auth Type Enable : Callback : MD2 MD5 OEM
: User : MD2 MD5 OEM
: Operator : MD2 MD5 OEM
: Admin : MD2 MD5 OEM
: OEM :


Your IPMI device does not support the password authentication. The following line in the ipmitool output lists all of authentication types that are supported in your device:
Auth Type Support : MD2 MD5 OEM
So authentication types NONE and PASSWORD are not supported. It is probably due to security reasons because both of them are rather bad choice for authentication. Nevertheless it is up to BMC firmware developer what authentication type is supported.
You can enable / disable authentication types that are supported by your device by ipmitool:
# ipmitool lan set 1 auth User NONE
# ipmitool lan print 1
...
Auth Type Support : NONE MD5
Auth Type Enable : Callback : MD5
: User : NONE
: Operator : MD5
: Admin : MD5
: OEM : MD5
...
But I cannot set PASSWORD or MD2 because they are not supported in my device.

Related

Freeradius authenticate windows ad username and password failed while testing thru wifi setup

Trying to authenticate windows AD username and password by freeradius thru NTLM auth.
while testing ntlm auth in freeradius machine, got success message.
ntlm_auth --request-nt-key --domain=MPLradius --username=Administrator --
password=abc#123456789
NT_STATUS_OK: Success (0x0)
While trying thru wifi , got below error
[chap] login attempt by "sophosadmin#mplradius.local" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] = invalid
+} # group CHAP = invalid
Failed to authenticate the user.
expand: BLACK -> BLACK
Login incorrect (rlm_chap: Clear text password not available):
[sophosadmin#mplradius.local/<CHAP-Password>] (from client x.x.x.x port 2149580837
cli xx:xx:xx:xx:xx:xx) BLACK
Using Post-Auth-Type Reject
Could you help me sort out this error.

Kerberos aes-256 encryption not working

Server is a RHEL7, Kerberos is AD (Windows). I'm only client of KDC.
Arcfour-hmac works fine but when I change encryption type to aes-256 and set up a new keytab, kinit still works, but not kvno. And even if the user seems to have a valid ticket (in klist) he is not able to start services anymore.
I don't have access to the Kerberos AD, but it seems properly configured to use aes-256, because end users (on Windows computers) already request tickets in this encryption type.
My krb5.conf :
[libdefaults]
default_realm = TOTO.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tkt_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
[realms]
TOTO.NET = {
kdc = kdc1.toto.net
kdc = kdc2.toto.net
admin_server = kdc1.toto.net
}
[domain_realm]
.toto.net = TOTO.NET
toto.net = TOTO.NET
And here the errors I got when I try to acquire a ticket with kvno :
[2477332] 1493147723.961912: Getting credentials myuser#TOTO.NET -> nn/myserver#TOTO.NET using ccache FILE:/tmp/krb5cc_0
[2477332] 1493147723.962055: Retrieving myuser#TOTO.NET -> nn/myserver#TOTO.NET from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[2477332] 1493147723.962257: Retrieving myuser#TOTO.NET -> krbtgt/TOTO.NET#TOTO.NET from FILE:/tmp/krb5cc_0 with result: 0/Success
[2477332] 1493147723.962267: Starting with TGT for client realm: myuser#TOTO.NET -> krbtgt/TOTO.NET#TOTO.NET
[2477332] 1493147723.962274: Requesting tickets for nn/myserver#TOTO.NET, referrals on
[2477332] 1493147723.962309: Generated subkey for TGS request: aes256-cts/17DF
[2477332] 1493147723.962363: etypes requested in TGS request: aes256-cts, aes128-cts
[2477332] 1493147723.962504: Encoding request body and padata into FAST request
[2477332] 1493147723.962575: Sending request (1716 bytes) to TOTO.NET
[2477332] 1493147723.962725: Resolving hostname kdc1.TOTO.NET
[2477332] 1493147723.963054: Initiating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147723.964205: Sending TCP request to stream ip_of_kdc1:88
[2477332] 1493147724.3751: Received answer (329 bytes) from stream ip_of_kdc1:88
[2477332] 1493147724.3765: Terminating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147724.3846: Response was not from master KDC
[2477332] 1493147724.3879: Decoding FAST response
[2477332] 1493147724.3965: TGS request result: -1765328370/KDC has no support for encryption type
klist -ket mykeytab
Keytab name: FILE:nn.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 01/01/1970 01:00:00 nn/myserver01#TOTO.NET (aes256-cts-hmac-sha1-96)
1 03/22/2017 16:34:55 nn/myserver02#TOTO.NET (aes256-cts-hmac-sha1-96)
Thanks for your help

Ask your AD administrator to enable support for AES-256 encryption types on the AD account associated with the keytab. To find that account, run this command:
setspn -Q nn/myserver01#TOTO.NET
the output will tell you the name of the account. It will start with CN=xxx, where "xxx" is the name of the AD account. To enable support for AES-256 encryption types on the AD account, tell your AD admin that the checkbox "This account supports Kerberos AES 256 bit encryption" must be checked, and that is found under Account tab, all the way at the bottom.

I just recently encountered this problem and was able to solve it.
for us, it was that AD was using a different salt than what the Kerberos client used by default.
That is, when using ktutil:
addent -password -p servicepuppetnp#AMER.EXAMPLE.COM -k 4 -e arcfour-hmac
Password for admspike_white#AMER.EXAMPLE.COM:
produces a keytab file that I could use to kinit as that principal. Whereas:
ktutil: addent -password -p admspike_white#AMER.EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for admspike_white#AMER.EXAMPLE.COM:
did not produce a keytab file that would allow successful kinit. (pre-auth failure).
I had to do this:
ktutil: addent -password -p admspike_white#AMER.EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96 -f
Password for admspike_white#AMER.EXAMPLE.COM:
which tells ktutil to get the salt info from the AD DC. then it uses the correct salt. That produces a keytab file that allows successful kinit.

How to authenticate POP3 with Gmail?

I'm trying to figure out how to send my credentials to Gmail. RFC5034 gives an example
S: IMPLEMENTATION BlurdyBlurp POP3 server
S: .
C: AUTH PLAIN dGVzdAB0ZXN0AHRlc3Q=
S: +OK Maildrop locked and ready
and the base64 encoded string decodes to test\0test\0test where \0 is null character.
However, if I send a base64 encoded string like that username\0user#gmail.com\0password, then I get an error message like this
-ERR [SYS/TEMP] Temporary system problem. Please try again later. df2mb862702032iec
So, these are the combinations I've tried with their outcomes:
user\0password => -ERR invalid SASL argument 42mb45977297otf
user#gmail.com\0password => -ERR invalid SASL argument uz3mb206121874obc
\0user#gmail.com\0password => -ERR [AUTH] Username and password not accepted.
\0user\0password => -ERR [AUTH] Username and password not accepted.
name\0user#gmail.com\0password => -ERR [SYS/TEMP] Temporary system problem. Please try again later. df2mb862702032iec
\0name\0user#gmail.com\0password => -ERR invalid SASL argument h184mb244881255oib
So, it looks like it should be \0user#gmail.com\0password but if I base64 encode my email and password like this:
echo -ne '\0user#gmail.com\0password' | base64
My username and password are still rejected.
So, can someone confirm the correct method of base64 encoding? Oh, and I have Pop mail activated in my settings.

And the answer is that there's a bug with Gmail. Even though with pop3 enabled on my account (of 15Gb of email), it doesn't recognise my credentials.
I have another email account with my own domain on gmail with very little mail and using the base64 version of
\0user#domain.com\0password
works just fine where \0 represents the null character.

You need to enable "less secure apps" in your GMail settings:
https://myaccount.google.com/lesssecureapps?pli=1

getting correct certificate info for offlineimap from outlook imap server

I'm trying to use offlineimap to download Outlook.com messages, but can't seem to get the security correct (I use offlineimap successfully for other IMAP accounts as well). In .offlineimaprc, in the remote repository section, I've put:
[Repository remoteOutlook]
type = IMAP
remotehost = imap-mail.outlook.com
ssl = yes
cert_fingerprint = c914dd966dbd0912c36ec294f83d8d3b5a434729
remoteport = 993
remoteuser = <hidden>
remotepass = <hidden>
The fingerprint was captured using gnutls-cli, as follows:
$ gnutls-cli -p 993 imap-mail.outlook.com
Processed 168 CA certificate(s).
Resolving 'imap-mail.outlook.com'...
Connecting to '157.56.195.250:993'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,CN=*.hotmail.com', issuer `C=BE,O=GlobalSign nv-sa,CN=GlobalSign Organization Validation CA - SHA256 - G2', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-12-15 22:26:11 UTC', expires `2016-12-15 22:26:11 UTC', SHA-1 fingerprint `c914dd966dbd0912c36ec294f83d8d3b5a434729'
Public Key ID:
e74e1f5a4a2656b5bbf73ae68e293e43a0846941
Public key's random art:
+--[ RSA 2048]----+
| .E |
| . |
| + . |
| + . . . . |
| . . .S.o . |
| . +. . |
| o.= + |
| . *+= =+ |
| .=+==++.|
+-----------------+
- Certificate[1] info:
- subject `C=BE,O=GlobalSign nv-sa,CN=GlobalSign Organization Validation CA - SHA256 - G2', issuer `C=BE,O=GlobalSign nv-sa,OU=Root CA,CN=GlobalSign Root CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-02-20 10:00:00 UTC', expires `2024-02-20 10:00:00 UTC', SHA-1 fingerprint `902ef2deeb3c5b13ea4c3d5193629309e231ae55'
- Status: The certificate is trusted.
- Description: (TLS1.0)-(ECDHE-RSA-SECP384R1)-(AES-256-CBC)-(SHA1)
- Session ID: 82:4B:00:00:4D:3C:F0:07:B9:B1:49:21:9F:95:99:A9:8B:E4:A7:44:21:6F:06:F6:15:6D:76:F5:F6:3F:4C:97
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP384R1
- Curve size: 384 bits
- Version: TLS1.0
- Key Exchange: ECDHE-RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
- Options: extended master secret, safe renegotiation,
- Handshake was completed
- Simple Client Mode:
* OK Outlook.com IMAP4rev1 server version 17.4.0.0 ready (DUB451-IMAP396)
*** Fatal error: The TLS connection was non-properly terminated.
*** Server has terminated the connection abnormally.
This output shows two certificates (0 and 1), with respective SHA1 fingerprints,
c914dd966dbd0912c36ec294f83d8d3b5a434729
902ef2deeb3c5b13ea4c3d5193629309e231ae55
If I use the first one (as shown in .offlineimaprc above), offlineimap fails to authenticate correctly, and the response is "BAD ['SASL Token argument is missing or invalid.']":
$ offlineimap -o
XOAUTH2 authentication failed: AUTHENTICATE command error: BAD ['SASL Token argument is missing or invalid.']. Data: FBPH2 AUTHENTICATE XOAUTH2
PLAIN authentication failed: [AUTHENTICATIONFAILED] Invalid username or password.
LOGIN authentication failed: [AUTHENTICATIONFAILED] Invalid username or password.
ERROR: All authentication types failed:
XOAUTH2: AUTHENTICATE command error: BAD ['SASL Token argument is missing or invalid.']. Data: FBPH2 AUTHENTICATE XOAUTH2
PLAIN: [AUTHENTICATIONFAILED] Invalid username or password.
LOGIN: [AUTHENTICATIONFAILED] Invalid username or password.
ERROR: Exceptions occurred during the run!
ERROR: All authentication types failed:
XOAUTH2: AUTHENTICATE command error: BAD ['SASL Token argument is missing or invalid.']. Data: FBPH2 AUTHENTICATE XOAUTH2
PLAIN: [AUTHENTICATIONFAILED] Invalid username or password.
LOGIN: [AUTHENTICATIONFAILED] Invalid username or password.
Traceback:
File "/usr/lib64/python2.7/site-packages/offlineimap/accounts.py", line 271, in syncrunner
self.__sync()
File "/usr/lib64/python2.7/site-packages/offlineimap/accounts.py", line 334, in __sync
remoterepos.getfolders()
File "/usr/lib64/python2.7/site-packages/offlineimap/repository/IMAP.py", line 448, in getfolders
imapobj = self.imapserver.acquireconnection()
File "/usr/lib64/python2.7/site-packages/offlineimap/imapserver.py", line 525, in acquireconnection
self.__authn_helper(imapobj)
File "/usr/lib64/python2.7/site-packages/offlineimap/imapserver.py", line 437, in __authn_helper
"failed:\n\t%s"% msg, OfflineImapError.ERROR.REPO)
Alternatively, if I use the second, offlineimap reports that actually the first fingerprint is the one that the outlook server uses, but as shown previously that one fails, insisting that the username/password is bad.
$ offlineimap -o
ERROR: Server SSL fingerprint 'c914dd966dbd0912c36ec294f83d8d3b5a434729' for hostname 'imap-mail.outlook.com' does not match configured fingerprint(s) ['902ef2deeb3c5b13ea4c3d5193629309e231ae55']. Please verify and set 'cert_fingerprint' accordingly if not set yet.
ERROR: Exceptions occurred during the run!
ERROR: Server SSL fingerprint 'c914dd966dbd0912c36ec294f83d8d3b5a434729' for hostname 'imap-mail.outlook.com' does not match configured fingerprint(s) ['902ef2deeb3c5b13ea4c3d5193629309e231ae55']. Please verify and set 'cert_fingerprint' accordingly if not set yet.
Traceback:
File "/usr/lib64/python2.7/site-packages/offlineimap/accounts.py", line 271, in syncrunner
self.__sync()
File "/usr/lib64/python2.7/site-packages/offlineimap/accounts.py", line 334, in __sync
remoterepos.getfolders()
File "/usr/lib64/python2.7/site-packages/offlineimap/repository/IMAP.py", line 448, in getfolders
imapobj = self.imapserver.acquireconnection()
File "/usr/lib64/python2.7/site-packages/offlineimap/imapserver.py", line 511, in acquireconnection
af=self.af,
File "/usr/lib64/python2.7/site-packages/offlineimap/imaplibutil.py", line 194, in __init__
super(WrappedIMAP4_SSL, self).__init__(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/offlineimap/bundled_imaplib2.py", line 2135, in __init__
IMAP4.__init__(self, host, port, debug, debug_file, identifier, timeout, debug_buf_lvl)
File "/usr/lib64/python2.7/site-packages/offlineimap/bundled_imaplib2.py", line 357, in __init__
self.open(host, port)
File "/usr/lib64/python2.7/site-packages/offlineimap/imaplibutil.py", line 213, in open
OfflineImapError.ERROR.REPO)
I've checked username and password several times (I use the same setup in mutt, and this works fine in terms of accessing the outlook IMAP server). Can anyone tell me what I might be doing incorrectly?

OK, I should have paid more attention to the very first error message:
XOAUTH2 authentication failed: AUTHENTICATE command error: BAD ['SASL Token argument is missing or invalid.']. Data: BFKO2 AUTHENTICATE XOAUTH2
Apparently, as discussed in this archlinux forum thread, the default authentication order in offlineimap is
auth_mechanisms = GSSAPI, CRAM-MD5, XOAUTH2, PLAIN, LOGIN
In order for OAUTH2 to work, as detailed here additional settings need to be present in .offlineimaprc:
oauth2_client_secret = ...
oauth2_client_id = ...
oauth2_refresh_token = ...
So the first certificate fingerprint is indeed correct, the error is just a notice that XOAUTH2 failed, which can be suppressed simply by specifying the authentication protocols explicitly, and removing XOAUTH2 from the list:
auth_mechanisms = GSSAPI, CRAM-MD5, PLAIN, LOGIN
I will give setting up XOAUTH2 a shot and post back.

SSH + Radius + LDAP

I have been doing a lot of research on ssh (openssh) and radius.
What I want to do:
SSH in to equipment with credentials (username and password) stored in either on a radius server or ldap store. I have been reading online and some people point to having an ldap server running in the background of your radius server. This will work, but will only work if the user is found in the local machine.
The problem:
Is there a way for me to ssh (or telnet) in to my equipment by logging in via a radius server that contains the credentials? if not is there a way for the client (the machine I am trying to connect to) get an updated list of credentials and store it locally from a central location (whether it be a radius server or an sql database etc).
I have been able to connect via Radius but only on accounts that are local, but for example if I try to connect with an account that does not exist locally (client-wise) I get "incorrect"
Here is the radius output:
Code:
rad_recv: Access-Request packet from host 192.168.4.1 port 5058, id=219, length=85 User-Name = "klopez"
User-Password = "\010\n\r\177INCORRECT"
NAS-Identifier = "sshd"
NAS-Port = 4033
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "192.168.4.200"
Code:
[ldap] performing user authorization for klopez[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> klopez
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=klopez)
[ldap] expand: dc=lab,dc=local -> dc=lab,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=lab,dc=local, with filter (uid=klopez)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Cleartext-Password == "somepass"
[ldap] userPassword -> Password-With-Header == "somepass"
[ldap] looking for reply items in directory...
[ldap] user klopez authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains "known good" password. Ignoring Password-With-Header
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "? INCORRECT"
[pap] Using clear text password "somepass"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> klopez
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
I also have pam_radius installed, and its working (can log in on a account that exists locally). Although I read this and do not know if this is 100% accurate:
http://freeradius.1045715.n5.nabble.com/SSH-authendication-with-radius-server-fails-if-the-user-does-not-exist-in-radius-client-td2784316.html
and
http://fhf.org/archives/713
tl:dr:
I need to ssh into a machine that does not have a user/pass locally and that combination will be stored remotely, such as a radius server or ldap.
please advise
P.S.
The solution is preferable using radius server or ldap but not necessary. If there is an alternate please advise.
Thanks,
Kevin

You can configure SSH to authenticate directly against an LDAP server using PAM LDAP.
I've set it up myself on Debian Systems:
https://wiki.debian.org/LDAP/PAM
https://wiki.debian.org/LDAP/NSS
You need to have both PAM and NSS to get SSH working. You also need to enable PAM in your SSH configuration. Install the libnss-ldapd libpam-ldapd and nslcd packages on Debian (or Ubuntu) system.