New Fog client and security
-
@Wayne-Workman
Sorry - didn’t see your post. Here it is:8/12/2016 2:37 PM FOG Service Engine Version: 3 8/12/2016 2:37 PM Starting all sub processes 8/12/2016 2:37 PM 9 modules loaded 8/12/2016 2:37 PM * Starting FOG.AutoLogOut 8/12/2016 2:37 PM FOG::AutoLogOut Starting process... 8/12/2016 2:37 PM * Starting FOG.DisplayManager 8/12/2016 2:37 PM FOG::DisplayManager Starting display manager process... 8/12/2016 2:37 PM * Starting FOG.GUIWatcher 8/12/2016 2:37 PM FOG::GUIWatcher Starting GUI Watcher... 8/12/2016 2:37 PM * Starting FOG.HostNameChanger 8/12/2016 2:37 PM FOG::HostnameChanger Starting hostname change process... 8/12/2016 2:37 PM FOG::HostnameChanger Yielding to other subservices for 4 seconds. 8/12/2016 2:37 PM * Starting FOG.HostRegister 8/12/2016 2:37 PM FOG::HostRegister Starting host registration process... 8/12/2016 2:37 PM * Starting FOG.MODDebug 8/12/2016 2:37 PM FOG::MODDebug Start Called 8/12/2016 2:37 PM FOG::MODDebug Sleeping for 100 Seconds 8/12/2016 2:37 PM * Starting FOG.PrinterManager 8/12/2016 2:37 PM FOG::PrinterManager Starting interprocess communication process... 8/12/2016 2:37 PM * Starting FOG.SnapinClient 8/12/2016 2:37 PM FOG::SnapinClient Starting snapin client process... 8/12/2016 2:37 PM FOG::PrinterManager interprocess comm startup: OK 8/12/2016 2:37 PM * Starting FOG.TaskReboot 8/12/2016 2:37 PM FOG::TaskReboot Taskreboot in lazy mode. 8/12/2016 2:37 PM FOG::TaskReboot Starting Task Reboot... 8/12/2016 2:38 PM FOG::HostRegister Exiting because only 1 mac address was found. 8/12/2016 2:38 PM FOG::DisplayManager Attempting to connect to fog server... 8/12/2016 2:38 PM FOG::PrinterManager Attempting to connect to fog server... 8/12/2016 2:38 PM FOG::SnapinClient Sleeping for 369 seconds. 8/12/2016 2:38 PM FOG::PrinterManager Module is active... 8/12/2016 2:38 PM FOG::PrinterManager Starting printer manager... 8/12/2016 2:38 PM FOG::PrinterManager Yielding to other services for 35 seconds. 8/12/2016 2:38 PM FOG::HostnameChanger Attempting to connect to fog server... 8/12/2016 2:38 PM FOG::HostnameChanger Module is active... 8/12/2016 2:38 PM FOG::HostnameChanger Hostnames are different - POOPSHOOT - public-image 8/12/2016 2:38 PM FOG::HostnameChanger Using default fog method. 8/12/2016 2:38 PM FOG::HostnameChanger Computer is about to restart. 8/12/2016 2:38 PM FOG::GUIWatcher Message found, attempting to notify GUI! 8/12/2016 2:38 PM FOG::AutoLogOut Module is active... 8/12/2016 2:38 PM FOG::AutoLogOut Timeout value is Zero, disabling module. 8/12/2016 2:38 PM FOG::AutoLogOut The path is not of a legal form. 8/12/2016 2:38 PM FOG::AutoLogOut at System.IO.Path.NormalizePathFast(String path, Boolean fullCheck) at System.IO.Path.NormalizePath(String path, Boolean fullCheck) at System.IO.Path.GetFullPathInternal(String path) at System.IO.Path.GetFullPath(String path) at System.Drawing.IntSecurity.UnsafeGetFullPath(String fileName) at System.Drawing.IntSecurity.DemandReadFileIO(String fileName) at System.Drawing.Image.FromFile(String filename, Boolean useEmbeddedColorManagement) at System.Drawing.Image.FromFile(String filename) at FOG.AutoLogOut.doWork() 8/12/2016 2:38 PM FOG::GUIWatcher Dispatch OK! 8/12/2016 2:39 PM FOG Service Engine Version: 3 8/12/2016 2:39 PM Starting all sub processes 8/12/2016 2:39 PM 9 modules loaded 8/12/2016 2:39 PM * Starting FOG.AutoLogOut 8/12/2016 2:39 PM FOG::AutoLogOut Starting process... 8/12/2016 2:39 PM * Starting FOG.DisplayManager 8/12/2016 2:39 PM FOG::DisplayManager Starting display manager process... 8/12/2016 2:39 PM * Starting FOG.GUIWatcher 8/12/2016 2:39 PM FOG::GUIWatcher Starting GUI Watcher... 8/12/2016 2:39 PM * Starting FOG.HostNameChanger 8/12/2016 2:39 PM FOG::HostnameChanger Starting hostname change process... 8/12/2016 2:39 PM FOG::HostnameChanger Yielding to other subservices for 2 seconds. 8/12/2016 2:39 PM * Starting FOG.HostRegister 8/12/2016 2:39 PM FOG::HostRegister Starting host registration process... 8/12/2016 2:39 PM * Starting FOG.MODDebug 8/12/2016 2:39 PM FOG::MODDebug Start Called 8/12/2016 2:39 PM FOG::MODDebug Sleeping for 100 Seconds 8/12/2016 2:39 PM * Starting FOG.PrinterManager 8/12/2016 2:39 PM FOG::PrinterManager Starting interprocess communication process... 8/12/2016 2:39 PM * Starting FOG.SnapinClient 8/12/2016 2:39 PM FOG::SnapinClient Starting snapin client process... 8/12/2016 2:39 PM FOG::PrinterManager interprocess comm startup: OK 8/12/2016 2:39 PM * Starting FOG.TaskReboot 8/12/2016 2:39 PM FOG::TaskReboot Taskreboot in lazy mode. 8/12/2016 2:39 PM FOG::TaskReboot Starting Task Reboot... 8/12/2016 2:39 PM FOG::HostRegister Exiting because only 1 mac address was found. 8/12/2016 2:39 PM FOG::PrinterManager Attempting to connect to fog server... 8/12/2016 2:39 PM FOG::SnapinClient Sleeping for 391 seconds. 8/12/2016 2:39 PM FOG::DisplayManager Attempting to connect to fog server... 8/12/2016 2:39 PM FOG::DisplayManager Module is disabled globally on the FOG Server. 8/12/2016 2:39 PM FOG::PrinterManager Module is active... 8/12/2016 2:39 PM FOG::PrinterManager Starting printer manager... 8/12/2016 2:39 PM FOG::PrinterManager Yielding to other services for 41 seconds. 8/12/2016 2:39 PM FOG::TaskReboot Attempting to connect to fog server... 8/12/2016 2:39 PM FOG::TaskReboot Module is active... 8/12/2016 2:39 PM FOG::TaskReboot Attempting to connect to fog server... 8/12/2016 2:39 PM FOG::TaskReboot No job exists for 00:50:56:AF:66:63 8/12/2016 2:39 PM FOG::TaskReboot No task found for client. 8/12/2016 2:39 PM FOG::HostnameChanger Attempting to connect to fog server... 8/12/2016 2:39 PM FOG::HostnameChanger Module is active... 8/12/2016 2:39 PM FOG::HostnameChanger Hostname is up to date 8/12/2016 2:39 PM FOG::AutoLogOut Module is active... 8/12/2016 2:39 PM FOG::AutoLogOut Timeout value is Zero, disabling module. 8/12/2016 2:39 PM FOG::AutoLogOut The path is not of a legal form. 8/12/2016 2:39 PM FOG::AutoLogOut at System.IO.Path.NormalizePathFast(String path, Boolean fullCheck) at System.IO.Path.NormalizePath(String path, Boolean fullCheck) at System.IO.Path.GetFullPathInternal(String path) at System.IO.Path.GetFullPath(String path) at System.Drawing.IntSecurity.UnsafeGetFullPath(String fileName) at System.Drawing.IntSecurity.DemandReadFileIO(String fileName) at System.Drawing.Image.FromFile(String filename, Boolean useEmbeddedColorManagement) at System.Drawing.Image.FromFile(String filename) at FOG.AutoLogOut.doWork() 8/12/2016 2:39 PM FOG::PrinterManager Failed to connect to fog server! 8/12/2016 2:39 PM FOG::PrinterManager This is typically caused by a network error! 8/12/2016 2:39 PM FOG::PrinterManager Sleeping for 1 minute. 8/12/2016 2:40 PM FOG::MODDebug Reading config settings... 8/12/2016 2:40 PM FOG::MODDebug Reading of config settings passed. 8/12/2016 2:40 PM FOG::MODDebug Starting Core processing... 8/12/2016 2:40 PM FOG::MODDebug Operating System ID: 6 8/12/2016 2:40 PM FOG::MODDebug Operating System Minor: 1 8/12/2016 2:40 PM FOG::MODDebug MAC ID 0 00:50:56:AF:66:63 8/12/2016 2:40 PM FOG::MODDebug MAC POST String: 00:50:56:AF:66:63 8/12/2016 2:40 PM FOG::MODDebug A user is currently logged in 8/12/2016 2:40 PM FOG::MODDebug Username: public-image\admin 8/12/2016 2:40 PM FOG::MODDebug Hostname: public-image 8/12/2016 2:40 PM FOG::MODDebug Attempting to open connect to: http://10.0.0.67/fog/service/debug.php 8/12/2016 2:40 PM FOG::MODDebug Server responded with: Hello FOG Client 8/12/2016 2:40 PM FOG::MODDebug Module has finished work and will now exit. 8/12/2016 2:40 PM FOG::PrinterManager Failed to connect to fog server! 8/12/2016 2:40 PM FOG::PrinterManager This is typically caused by a network error! 8/12/2016 2:40 PM FOG::PrinterManager Sleeping for 1 minute. 8/12/2016 2:41 PM FOG::PrinterManager Failed to connect to fog server! 8/12/2016 2:41 PM FOG::PrinterManager This is typically caused by a network error! 8/12/2016 2:41 PM FOG::PrinterManager Sleeping for 1 minute.
-
@LibraryMark That’s the log from the legacy client. We would need you to uninstall the legacy client, reboot the machine, install the new fog client, reboot the machine, and then give it 5 minutes, and then retrieve the entire log file. You may upload it as a text file to the forums.
-
@Wayne-Workman OK - that might take me a while.
-
@Wayne-Workman
I do not have enough privileges for uploading.Here’s the file’s contents:
8/12/2016 3:05 PM Main Overriding exception handling 8/12/2016 3:05 PM Main Bootstrapping Zazzles 8/12/2016 3:05 PM Controller Initialize 8/12/2016 3:05 PM Zazzles Creating main thread 8/12/2016 3:05 PM Zazzles Service construction complete 8/12/2016 3:05 PM Controller Start 8/12/2016 3:05 PM Service Starting service 8/12/2016 3:05 PM Bus ERROR: Could not enter socket 8/12/2016 3:05 PM Bus ERROR: Cannot load Counter Name data because an invalid index '' was read from the registry. 8/12/2016 3:05 PM Bus { "self": true, "channel": "Status", "data": "{\r\n \"action\": \"load\"\r\n}" } 8/12/2016 3:05 PM Bus ERROR: Could not enter socket 8/12/2016 3:05 PM Bus ERROR: Cannot load Counter Name data because an invalid index '' was read from the registry. 8/12/2016 3:05 PM Bus Emmiting message on channel: Status 8/12/2016 3:05 PM Service Invoking early JIT compilation on needed binaries ------------------------------------------------------------------------------ --------------------------------Authentication-------------------------------- ------------------------------------------------------------------------------ 8/12/2016 3:05 PM Client-Info Version: 0.11.5 8/12/2016 3:05 PM Client-Info OS: Windows 8/12/2016 3:05 PM Middleware::Authentication Waiting for authentication timeout to pass 8/12/2016 3:05 PM Middleware::Communication Download: http://10.0.0.67/fog/management/other/ssl/srvpublic.crt 8/12/2016 3:05 PM Data::RSA FOG Server CA cert found 8/12/2016 3:05 PM Middleware::Authentication Cert OK 8/12/2016 3:05 PM Middleware::Authentication ERROR: Could not get security token 8/12/2016 3:05 PM Middleware::Authentication ERROR: Could not find file 'C:\Program Files\FOG\token.dat'. 8/12/2016 3:05 PM Middleware::Communication POST URL: http://10.0.0.67/fog/management/index.php?sub=requestClientInfo&authorize&newService 8/12/2016 3:05 PM Middleware::Response Invalid security token ------------------------------------------------------------------------------ --------------------------------Authentication-------------------------------- ------------------------------------------------------------------------------ 8/12/2016 3:05 PM Client-Info Version: 0.11.5 8/12/2016 3:05 PM Client-Info OS: Windows 8/12/2016 3:05 PM Middleware::Authentication Waiting for authentication timeout to pass 8/12/2016 3:07 PM Middleware::Communication Download: http://10.0.0.67/fog/management/other/ssl/srvpublic.crt 8/12/2016 3:07 PM Data::RSA FOG Server CA cert found 8/12/2016 3:07 PM Middleware::Authentication Cert OK 8/12/2016 3:07 PM Middleware::Authentication ERROR: Could not get security token 8/12/2016 3:07 PM Middleware::Authentication ERROR: Could not find file 'C:\Program Files\FOG\token.dat'. 8/12/2016 3:07 PM Middleware::Communication POST URL: http://10.0.0.67/fog/management/index.php?sub=requestClientInfo&authorize&newService 8/12/2016 3:07 PM Middleware::Response Invalid security token ------------------------------------------------------------------------------ --------------------------------Authentication-------------------------------- ------------------------------------------------------------------------------ 8/12/2016 3:07 PM Client-Info Version: 0.11.5 8/12/2016 3:07 PM Client-Info OS: Windows 8/12/2016 3:07 PM Middleware::Authentication Waiting for authentication timeout to pass 8/12/2016 3:09 PM Middleware::Communication Download: http://10.0.0.67/fog/management/other/ssl/srvpublic.crt 8/12/2016 3:09 PM Data::RSA FOG Server CA cert found 8/12/2016 3:09 PM Middleware::Authentication Cert OK 8/12/2016 3:09 PM Middleware::Authentication ERROR: Could not get security token 8/12/2016 3:09 PM Middleware::Authentication ERROR: Could not find file 'C:\Program Files\FOG\token.dat'. 8/12/2016 3:09 PM Middleware::Communication POST URL: http://10.0.0.67/fog/management/index.php?sub=requestClientInfo&authorize&newService 8/12/2016 3:09 PM Middleware::Response Invalid security token ------------------------------------------------------------------------------ --------------------------------Authentication-------------------------------- ------------------------------------------------------------------------------ 8/12/2016 3:09 PM Client-Info Version: 0.11.5 8/12/2016 3:09 PM Client-Info OS: Windows 8/12/2016 3:09 PM Middleware::Authentication Waiting for authentication timeout to pass 8/12/2016 3:11 PM Middleware::Communication Download: http://10.0.0.67/fog/management/other/ssl/srvpublic.crt 8/12/2016 3:11 PM Data::RSA FOG Server CA cert found 8/12/2016 3:11 PM Middleware::Authentication Cert OK 8/12/2016 3:11 PM Middleware::Authentication ERROR: Could not get security token 8/12/2016 3:11 PM Middleware::Authentication ERROR: Could not find file 'C:\Program Files\FOG\token.dat'. 8/12/2016 3:11 PM Middleware::Communication POST URL: http://10.0.0.67/fog/management/index.php?sub=requestClientInfo&authorize&newService 8/12/2016 3:11 PM Middleware::Response Invalid security token ------------------------------------------------------------------------------ --------------------------------Authentication-------------------------------- ------------------------------------------------------------------------------ 8/12/2016 3:11 PM Client-Info Version: 0.11.5 8/12/2016 3:11 PM Client-Info OS: Windows 8/12/2016 3:11 PM Middleware::Authentication Waiting for authentication timeout to pass
-
@LibraryMark Does this file exist on the host?
C:\Program Files\FOG\token.dat
And what version of Windows is this host? -
@Wayne-Workman
That file does not exist. Where should it come from?
The PC (well, VM actually) is running 32-bit Windows 7. -
@LibraryMark The new client should place it when it’s installed.
-
@Wayne-Workman
Right. Well, it didn’t. -
@LibraryMark Does the computer you tried on have Internet access?
-
@Wayne-Workman Yes. Why?
-
@LibraryMark Just asking questions to try to figure out what happened. I’m still thinking on it.
-
@Wayne-Workman
Oh. Well - don’t spend too much time on it. I can always get by with the old client for now. -
@LibraryMark said in New Fog client and security:
@Wayne-Workman
Oh. Well - don’t spend too much time on it. I can always get by with the old client for now.And that’s exactly why the legacy client remains supported. To allow transition as possible.
Pinging @Joe-Schmitt about this.
-
The log says invalid security token. Try hitting the reset encryption data button on the host in the fog web portal.
-
I feel I should add some information.
The new client and security are a “teamed” thing. So while the client is highly more secure, this security is two sided.
First bit. We have asymmetric key pairs set up on the server of which the client uses the server’s public key to verify and validate the trust of the server.
The server has a trust of the client as well, so both sides must be trusting each other for communication to happen. This is all automatic.
If the Server cannot trust the client, the client is immediately informed of such actions and no pertinent (sensitive) data is passed to the client. If the client cannot trust the server, the client will not keep communicating with the server (won’t keep trying to get anything from the server).
In the first case (server cannot trust) the response is “Invalid security token.” This can be reset right on the GUI if you’re sure the client is a viable client in your environment. This will enable you to know of potential “trouble” clients as well.
All of this is handled, more or less, automatically though. There is a third layer of security which is to ensure the client installer is “trusted”. This is handled when you first start to install the client. It downloads the public key of the layout that was used to sign the file during the build process.
Of all of this, the most problematic issue is most likely the installation itself. This is because the installation will look to the internet to download the public key. If this cannot be found, I don’t know the consequences. That said, most will not have to worry about this.
The way all this security works is quite fast and very much automated. While you may have the occasional “Invalid Security Token” issue, this is most likely to occur after imaging and the system has the client enabled on an image that was sysprepped. This is issue will often occur because it attempts to send the “trust” information of the original uploaded system. This tells the server that the information is invalid and properly shuts the communication down. (Even though it’s highly unexpected from the admin/user side).
The imaging process (deploy) will reset the token information automatically so as to help prevent these issues, but as I stated there may be some oddities to this occasionally. If there’s other issues, you can reset this information right within the GUI. This reset can be done individually per each host, or via groups. There’s also cli methods to reset though most won’t need this.
In the second case (client cannot trust) the issue is a little bit more involved. A client receives all its information from the server and performs actions based on what the server sends it, so it is necessary to make the client trust the server on a much “deeper” level. The Trust relationship in either direction is incredibly important, but right fully more “show stopping” when the client cannot trust the server because of the earlier statements (the client performs actions based on what the server sends it).
The asymmetric key’s are generated when the fog installer is run. These keys are signed by an automatically generated CA (Certificate of Authority) on the same installer pass. While you can pass arguments to recreate the CA (which will also automatically recreate the main server’s keys), it would be unwise to do so after the initial install and FOG Client being installed in your image. This is because the CA signed certificate is what’s used to validate the trust of the server. Without this, you could by pass simply by making your own certs which would defeat the purpose of all the security. Yes, it is more than possible to use your own purchased certs and information, but for the installer sake and documentary purposes this will need to be asked on a case by case basis (though it’s rather simple). If you need to update your server’s keys for whatever reason, and are reasonably sure your CA is not impacted, you can do this without any issue to the clients.
-
@Joe-Schmitt said in New Fog client and security:
The log says invalid security token. Try hitting the reset encryption data button on the host in the fog web portal.
Tried it. fog.log still says,
ERROR: Could not find file 'C:\Program Files\FOG\token.dat'.```
-
@Tom-Elliott - thanks for the explanation of how it works.
Did something happen that drove all this effort to secure things? Was someone hacked?
-
@Tom-Elliott
Is the token file only generated on imaging? Where does it come from - what puts ‘C:\Program Files\FOG\token.dat’ in place? -
@LibraryMark said in New Fog client and security:
Did something happen that drove all this effort to secure things? Was someone hacked?
It happened because it was needed. Nobody is known to have been hacked - maliciously. The developers are often the ones to find holes, and then they patch them.
Is the token file only generated on imaging? Where does it come from - what puts ‘C:\Program Files\FOG\token.dat’ in place?
The encryption & security model for the new client only concerns the new client’s communications with the server, not imaging itself. You can image without any client installed on the image, you would just have a lot of manual work afterwards to do.
-
Thanks, Wayne.
No one is able to answer why the token.dat file is not there? What puts it there? I have seen other topics on this issue, but have not seen any solution (that I understand, anyway). I know I must be doing something wrong but I have no idea what.
I know I do not need the client to image, and all I do use the client for is hostname changing and rebooting if there is a task waiting (and I don’t really need that). Those two things could be accomplished easy enough in other ways, I suppose. I already have an autoit script that runs on the last auto-login to do some tasks before the user sees the PC. It could easily change change the host name, too. Knowing what to change it to is the only (slightly) hard part. Could be as simple as parsing a text file for a mac-hostname pair, and I could host that on the fog server. Could make a php script for it that hands out the hostname given a mac address from the fog database.