• Recent
  • Unsolved
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login
  • Recent
  • Unsolved
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login

Invalid Security Token without any Security tokens being set -- Also CA SSL security concerns

Scheduled Pinned Locked Moved Solved
General
4
11
8.6k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M
    mrayzies
    last edited by Tom Elliott Dec 9, 2015, 7:12 PM Dec 9, 2015, 7:13 PM

    While working on setting up FOG from the dev git branch (our current production FOG server is version .32 and can’t support our new hardware, requiring an upgrade), I noted that there was now a new FOG client service. When setting up my image for upload, I tried out the new FOG client service.

    I’m still having issues getting the client service to run (I’m plagued by invalid security tokens that resetting the encryption data won’t fix: https://forums.fogproject.org/topic/5088/could-not-get-security-token-token-dat/3 https://forums.fogproject.org/topic/6130/certificate-issues-since-moving-fog-from-ubuntu-to-fedora/10 https://forums.fogproject.org/topic/5259/hostnamechanger/4); however, while looking through those links I realized that the new FOG client service installs a CA into client machines.

    Am I missing something, or isn’t this just as bad as things like SuperFish, Dell or ESET?
    http://fortune.com/2015/11/23/dell-laptop-security-problem/
    https://www.reddit.com/r/technology/comments/3twmfv/dell_ships_laptops_with_rogue_root_ca_exactly/
    http://www.zdnet.com/article/lenovos-superfish-its-worse-than-we-thought/
    https://device5.co.uk/blog/do-not-use-eset-ssl-protocol-filtering.html

    What is the motivation to shift to this new style of client service? Is there some other flaw with the legacy client service that makes this model that much better? And if we must move to the new client service model, could FOG be modified so that we could provide our own certificates and rely on existing CAs instead of making one specifically for FOG?

    1 Reply Last reply Reply Quote 0
    • T
      Tom Elliott
      last edited by Dec 9, 2015, 7:23 PM

      What?

      The FOG CA (from the fog server) is generated the first time to establish a proper trust relationship. This trust relationship ensures the fog server is only created at a specific point. This allows the client to trust that the server is who he says he is. The security token is created by the server and passed to the client during the initial authorization sequence. This security token allows the server to more appropriately trust the clients.

      You are more than welcome to create your own CA’s and certificates as needed and use whatever means you deem fit for your organization. We do it because the installer does everything in attempt to make things “run right out the gate”.

      We aren’t allowing the certificates stored on the FOG Server to be easily retrieved and I think for good reason.

      There is a second CA that you may see, which is related to the one we are creating so we can sign the code base. This is yet another attempt at security assurance that the file you are installing is indeed one that we built and created.

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

      1 Reply Last reply Reply Quote 2
      • W
        Wayne Workman
        last edited by Wayne Workman Dec 9, 2015, 1:29 PM Dec 9, 2015, 7:27 PM

        @mrayzies Thanks for raising these concerns.

        All computers ship with public root certificates already installed. This includes Windows, OSX, Android, Linux, iOS, and so on.

        The Dell laptops sound like they were shipped with Dell’s PRIVATE key… big no-no… someone should be fired over that.

        Superfish had the functionality to install a new public root cert on the system it ran on without the user’s permission, which is why it was dangerous.

        The ESET antivirus was just outright terribly written and designed antivirus.

        @Jbob could best explain how the FOG Client’s public cert and authority is set up, since he designed the new client.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
        Daily Clean Installation Results:
        https://fogtesting.fogproject.us/
        FOG Reporting:
        https://fog-external-reporting-results.fogproject.us/

        1 Reply Last reply Reply Quote 2
        • M
          mrayzies
          last edited by mrayzies Dec 9, 2015, 1:54 PM Dec 9, 2015, 7:52 PM

          @tom-elliott

          The client has a “FOG Project” and “FOG Server CA” certificate – if I’m understanding you correctly, the “FOG Server CA” certificate is generated by the installation script for secure communication between the server and clients and the “FOG Project” certificate is for this project to sign the code, correct? Some follow up questions to that:

          1. these CAs are installed by the FOG client service, correct?
          2. is how would the client actually use the “FOG Project” certificate to verify the code, since the code runs on the server and isn’t directly accessible by the client?
          3. if this is all done for secure communication between client and server, then why in the fog log do I see it attempting to communicate over insecure HTTP? Is this feature just not ready yet?

          @Wayne-Workman @Jbob

          Thanks for clarifying what you (and the industry) do differently and why those other issues don’t pertain to this situation, I appreciate the knowledge.

          1 Reply Last reply Reply Quote 0
          • W
            Wayne Workman
            last edited by Wayne Workman Dec 13, 2015, 12:33 AM Dec 9, 2015, 8:05 PM

            wiki tagging this… good stuff.

            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
            Daily Clean Installation Results:
            https://fogtesting.fogproject.us/
            FOG Reporting:
            https://fog-external-reporting-results.fogproject.us/

            1 Reply Last reply Reply Quote 0
            • M
              mrayzies
              last edited by Dec 9, 2015, 8:14 PM

              @Jbob

              Ahhhh okay, now I believe I am understanding the situation better.

              If it’s not too much of a sin to hijack and redirect the thread now, I would really appreciate help on figuring out what’s gone wrong with my client (since now I want to use the new client if I can).

              As I initially posted, I am getting invalid security token errors in the fog log on the client. Like many of the links suggested, I tried to reset the encryption values for my client, but that has done nothing.

              The log (which repeats this endlessly):

              ------------------------------------------------------------------------------
              --------------------------------Authentication--------------------------------
              ------------------------------------------------------------------------------
               12/9/2015 2:09 PM Client-Info Version: 0.9.9
               12/9/2015 2:09 PM Middleware::Communication URL: http://fog/fog/management/other/ssl/srvpublic.crt
               12/9/2015 2:09 PM Middleware::Authentication ERROR: Could not get security token
               12/9/2015 2:09 PM Middleware::Authentication ERROR: Could not find file 'C:\Windows\system32\token.dat'.
               12/9/2015 2:09 PM Data::RSA FOG Server CA cert found
               12/9/2015 2:09 PM Middleware::Authentication Cert OK
               12/9/2015 2:09 PM Middleware::Communication POST URL: http://fog/fog/management/index.php?sub=authorize
               12/9/2015 2:09 PM Middleware::Communication Response: Invalid security token
               12/9/2015 2:09 PM Service Sleeping for 120 seconds
              

              If I manually nagivate to the authorize URL, the webpage reads only:

              #!im
              

              Even though I have reset the encryption data, the database is pretty much blank for that host:

              *************************** 1. row ***************************
                        hostID: 1
                      hostName: hostname
                      hostDesc: 
                        hostIP: 
                     hostImage: 1
                  hostBuilding: 0
                hostCreateDate: 2015-12-08 15:00:57
                hostLastDeploy: 0000-00-00 00:00:00
                  hostCreateBy: fog
                     hostUseAD: 0
                  hostADDomain: 
                      hostADOU: 
                    hostADUser: 
                    hostADPass: 
              hostADPassLegacy: 
                hostProductKey: 
              hostPrinterLevel: 
                hostKernelArgs: 
                    hostKernel: 
                    hostDevice: 
                   hostPending: 
                    hostPubKey: 
                  hostSecToken: 
                   hostSecTime: 0000-00-00 00:00:00
                  hostPingCode: 
                  hostExitBios: sanboot
                   hostExitEfi: sanboot
              
              1 Reply Last reply Reply Quote 0
              • J
                Joe Schmitt Senior Developer
                last edited by Dec 9, 2015, 8:17 PM

                Sounds like a possible sever error. @Tom-Elliott

                As for why you get #!im when you go their manually, that url in the log is a POST request with hidden data in it (the encrypted token / key)

                Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                1 Reply Last reply Reply Quote 0
                • M
                  mrayzies
                  last edited by Dec 9, 2015, 9:19 PM

                  To sum up for anyone who stumble across this post (though sadly the title may lead many people away):

                  There was a bug in the FOG client service and jumping to this commit seemed to fix it: 4adc2c2c02a19edbc8f8b6d7db63cad9ad2572fb (special thanks to @Jbob and @tom-elliott)

                  W 1 Reply Last reply Dec 9, 2015, 11:15 PM Reply Quote 0
                  • W
                    Wayne Workman @mrayzies
                    last edited by Dec 9, 2015, 11:15 PM

                    @mrayzies What cloud version is that commit? (top left corner of the web interface)

                    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                    Daily Clean Installation Results:
                    https://fogtesting.fogproject.us/
                    FOG Reporting:
                    https://fog-external-reporting-results.fogproject.us/

                    T 1 Reply Last reply Dec 10, 2015, 1:14 AM Reply Quote 0
                    • T
                      Tom Elliott @Wayne Workman
                      last edited by Dec 10, 2015, 1:14 AM

                      @Wayne-Workman He was using the current 5680 when he was seeing the issue, and we upgraded him to current (as of now) to 5688.

                      The problem was he still had the “cannot modify headers” information being sent at inopportune times. So this was invalidly acting like the host had a security token, and would immediately fail to send one. I fixed the header problem some time last night, and only had two (4 cloud versions) today so it was relatively easy to figure out and fix.

                      He also had some customizations for his own nfs situation that needed to be set. So part of the issues were also cause, but again easily fixed.

                      I’ve modified the title a bit to hep others find this issue more easily too.

                      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                      1 Reply Last reply Reply Quote 1
                      • W
                        Wayne Workman
                        last edited by Dec 13, 2015, 6:33 AM

                        @Jbob said:

                        @mrayzies not a problem. To answer those questions:

                        1. Yes, the client installs your servers’ certificate and ours.
                        2. The “FOG Project” CA (made by us) servers 2 purpose.
                        • SYSTEM level services need to be digitally signed otherwise windows will throw security errors (I have seen this issue when imaging a machine with an unsigned client). This can also be used to ensure no tampering was done with the client files
                        • That certificate is used to “verify” upgrades. Lets say we release v0.9.10, the client will download the msi from your server and check if it was signed by us. If the msi was somehow tampered, the digital signature would no longer be valid.
                        1. Using HTTP over HTTPS has no security benefit to the client. Why? Because all traffic is already encrypted. Here’s a very basic overview of how the new client communicates
                        • Each client has a security token. This is used to prove to the server that the client is the actual host and not an impersonator. This token gets cycled constantly. When the client first makes contact, it encrypts its token and a proposed AES 256 key using RSA 4096 using your server’s public key. (This public key is verified against the pinned server CA certificate by checking the x509 chain and fingerprints).
                        • If the server accepts the security token and the new AES key, all traffic from that point on is AES 256 encrypted using that securely transmitted key.

                        The whole point of our security model is to allow for secure communication over insecure medians.
                        Even then, the client installation has an HTTPS option, but it serves no real security benefit.

                        This stuff and a little other stuff has been added here:
                        https://wiki.fogproject.org/wiki/index.php/FOG_Client#Security_design

                        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                        Daily Clean Installation Results:
                        https://fogtesting.fogproject.us/
                        FOG Reporting:
                        https://fog-external-reporting-results.fogproject.us/

                        1 Reply Last reply Reply Quote 0
                        • 1 / 1
                        1 / 1
                        • First post
                          6/11
                          Last post

                        224

                        Online

                        12.0k

                        Users

                        17.3k

                        Topics

                        155.2k

                        Posts
                        Copyright © 2012-2024 FOG Project