New Fog client and security

LibraryMark

https://wiki.fogproject.org/wiki/index.php?title=FOG_Client#Security_Design

Wayne Workman

said in New Fog client and security:

I have no interest in it whatsoever as it seems like a lot of overkill to me.

We will see if you still feel the same when your old fog client is used as a root kit by some hacker. I would urge you to move to the new client.

Encryption and security is not a problem, it’s the solution.

LibraryMark

@Wayne-Workman
I hope that I didn’t insult anyone, but I was happy as a clam with 0.32 and it’s feature set. It did everything I needed, did it well, and never gave me any trouble, but our newer PC’s did not play well with it.

We are a public library and public network only has our machines on it. We use software that rolls back changes to the PC’s when they reboot. I don’t know how a rootkit could take hold. I do worry that this software will not allow changes that might keep my PC’s from communicating.

Also - I don’t find any clear explanation of how to install the new client and make sure that the encryption keys are set up correctly. Am I missing something? That might go a ways to alleviate my trepidation on using shared-key encryption just to image my PC’s.

Quazz

@LibraryMark The keys are set up automatically, you don’t have to do anything for it.

LibraryMark

@Quazz said in New Fog client and security:

@LibraryMark The keys are set up automatically, you don’t have to do anything for it.

I tried that. I installed the new client on my master PC. Then I gave it a bogus hostname to see if the client would rename it. It never did. I reinstalled the old client and the first thing it did was reboot with the correct host name. I am sure I am doing something wrong, but at this point I don’t know what.

Wayne Workman

@LibraryMark The C:\fog.log is the first and only place to start troubleshooting. It’s often something very simple.

Wayne Workman

@LibraryMark said in New Fog client and security:

I don’t know how a rootkit could take hold.

The legacy fog client is NOT secure. I don’t want to divulge too much information on this, but I want you to just trust that it is absolutely in no way, shape, or form secure at all, and I know this as fact. It’s security features would stop an inexperienced script kiddie from taking advantage of it. That’s about it.

The new fog client is a fortress. It uses state of the art security features.

LibraryMark

@Wayne-Workman said in New Fog client and security:

@LibraryMark said in New Fog client and security:

I don’t know how a rootkit could take hold.

The legacy fog client is NOT secure.

And I have no problem with that. The point is if I can’t seem to make the new one work, then what good is it to me?

Here is what I did to install the new one:

1. uninstalled the old client
2. Went to http://(my fog server IP)/fog/client/download.php?newclient
3. Saved SmartInstaller.exe.
4. Ran it and gave it the IP of my server
5. rebooted the computer.
6. gave PC bogus host name
7. Waited (forever) for machine to reboot with correct name. (it never does)
8. Uninstall new client.
9. Reinstall old client.
10. Rebooted PC.
11. PC reboots itself shortly thereafter with correct hostname.

What am I missing?

Wayne Workman

@LibraryMark said in New Fog client and security:

What am I missing?

The fog log that we asked for.

LibraryMark

@Wayne-Workman
Sorry - didn’t see your post. Here it is:

 8/12/2016 2:37 PM FOG Service Engine Version: 3
 8/12/2016 2:37 PM Starting all sub processes
 8/12/2016 2:37 PM 9 modules loaded
 8/12/2016 2:37 PM  * Starting FOG.AutoLogOut
 8/12/2016 2:37 PM FOG::AutoLogOut Starting process...
 8/12/2016 2:37 PM  * Starting FOG.DisplayManager
 8/12/2016 2:37 PM FOG::DisplayManager Starting display manager process...
 8/12/2016 2:37 PM  * Starting FOG.GUIWatcher
 8/12/2016 2:37 PM FOG::GUIWatcher Starting GUI Watcher...
 8/12/2016 2:37 PM  * Starting FOG.HostNameChanger
 8/12/2016 2:37 PM FOG::HostnameChanger Starting hostname change process...
 8/12/2016 2:37 PM FOG::HostnameChanger Yielding to other subservices for 4 seconds.
 8/12/2016 2:37 PM  * Starting FOG.HostRegister
 8/12/2016 2:37 PM FOG::HostRegister Starting host registration process...
 8/12/2016 2:37 PM  * Starting FOG.MODDebug
 8/12/2016 2:37 PM FOG::MODDebug Start Called
 8/12/2016 2:37 PM FOG::MODDebug Sleeping for 100 Seconds
 8/12/2016 2:37 PM  * Starting FOG.PrinterManager
 8/12/2016 2:37 PM FOG::PrinterManager Starting interprocess communication process...
 8/12/2016 2:37 PM  * Starting FOG.SnapinClient
 8/12/2016 2:37 PM FOG::SnapinClient Starting snapin client process...
 8/12/2016 2:37 PM FOG::PrinterManager  interprocess comm startup: OK
 8/12/2016 2:37 PM  * Starting FOG.TaskReboot
 8/12/2016 2:37 PM FOG::TaskReboot Taskreboot in lazy mode.
 8/12/2016 2:37 PM FOG::TaskReboot Starting Task Reboot...
 8/12/2016 2:38 PM FOG::HostRegister Exiting because only 1 mac address was found.
 8/12/2016 2:38 PM FOG::DisplayManager Attempting to connect to fog server...
 8/12/2016 2:38 PM FOG::PrinterManager Attempting to connect to fog server...
 8/12/2016 2:38 PM FOG::SnapinClient Sleeping for 369 seconds.
 8/12/2016 2:38 PM FOG::PrinterManager Module is active...
 8/12/2016 2:38 PM FOG::PrinterManager Starting printer manager...
 8/12/2016 2:38 PM FOG::PrinterManager Yielding to other services for 35 seconds.
 8/12/2016 2:38 PM FOG::HostnameChanger Attempting to connect to fog server...
 8/12/2016 2:38 PM FOG::HostnameChanger Module is active...
 8/12/2016 2:38 PM FOG::HostnameChanger Hostnames are different - POOPSHOOT - public-image
 8/12/2016 2:38 PM FOG::HostnameChanger Using default fog method.
 8/12/2016 2:38 PM FOG::HostnameChanger Computer is about to restart.
 8/12/2016 2:38 PM FOG::GUIWatcher Message found, attempting to notify GUI!
 8/12/2016 2:38 PM FOG::AutoLogOut Module is active...
 8/12/2016 2:38 PM FOG::AutoLogOut Timeout value is Zero, disabling module.
 8/12/2016 2:38 PM FOG::AutoLogOut The path is not of a legal form.
 8/12/2016 2:38 PM FOG::AutoLogOut    at System.IO.Path.NormalizePathFast(String path, Boolean fullCheck)
   at System.IO.Path.NormalizePath(String path, Boolean fullCheck)
   at System.IO.Path.GetFullPathInternal(String path)
   at System.IO.Path.GetFullPath(String path)
   at System.Drawing.IntSecurity.UnsafeGetFullPath(String fileName)
   at System.Drawing.IntSecurity.DemandReadFileIO(String fileName)
   at System.Drawing.Image.FromFile(String filename, Boolean useEmbeddedColorManagement)
   at System.Drawing.Image.FromFile(String filename)
   at FOG.AutoLogOut.doWork()
 8/12/2016 2:38 PM FOG::GUIWatcher Dispatch OK!
 8/12/2016 2:39 PM FOG Service Engine Version: 3
 8/12/2016 2:39 PM Starting all sub processes
 8/12/2016 2:39 PM 9 modules loaded
 8/12/2016 2:39 PM  * Starting FOG.AutoLogOut
 8/12/2016 2:39 PM FOG::AutoLogOut Starting process...
 8/12/2016 2:39 PM  * Starting FOG.DisplayManager
 8/12/2016 2:39 PM FOG::DisplayManager Starting display manager process...
 8/12/2016 2:39 PM  * Starting FOG.GUIWatcher
 8/12/2016 2:39 PM FOG::GUIWatcher Starting GUI Watcher...
 8/12/2016 2:39 PM  * Starting FOG.HostNameChanger
 8/12/2016 2:39 PM FOG::HostnameChanger Starting hostname change process...
 8/12/2016 2:39 PM FOG::HostnameChanger Yielding to other subservices for 2 seconds.
 8/12/2016 2:39 PM  * Starting FOG.HostRegister
 8/12/2016 2:39 PM FOG::HostRegister Starting host registration process...
 8/12/2016 2:39 PM  * Starting FOG.MODDebug
 8/12/2016 2:39 PM FOG::MODDebug Start Called
 8/12/2016 2:39 PM FOG::MODDebug Sleeping for 100 Seconds
 8/12/2016 2:39 PM  * Starting FOG.PrinterManager
 8/12/2016 2:39 PM FOG::PrinterManager Starting interprocess communication process...
 8/12/2016 2:39 PM  * Starting FOG.SnapinClient
 8/12/2016 2:39 PM FOG::SnapinClient Starting snapin client process...
 8/12/2016 2:39 PM FOG::PrinterManager  interprocess comm startup: OK
 8/12/2016 2:39 PM  * Starting FOG.TaskReboot
 8/12/2016 2:39 PM FOG::TaskReboot Taskreboot in lazy mode.
 8/12/2016 2:39 PM FOG::TaskReboot Starting Task Reboot...
 8/12/2016 2:39 PM FOG::HostRegister Exiting because only 1 mac address was found.
 8/12/2016 2:39 PM FOG::PrinterManager Attempting to connect to fog server...
 8/12/2016 2:39 PM FOG::SnapinClient Sleeping for 391 seconds.
 8/12/2016 2:39 PM FOG::DisplayManager Attempting to connect to fog server...
 8/12/2016 2:39 PM FOG::DisplayManager Module is disabled globally on the FOG Server.
 8/12/2016 2:39 PM FOG::PrinterManager Module is active...
 8/12/2016 2:39 PM FOG::PrinterManager Starting printer manager...
 8/12/2016 2:39 PM FOG::PrinterManager Yielding to other services for 41 seconds.
 8/12/2016 2:39 PM FOG::TaskReboot Attempting to connect to fog server...
 8/12/2016 2:39 PM FOG::TaskReboot Module is active...
 8/12/2016 2:39 PM FOG::TaskReboot Attempting to connect to fog server...
 8/12/2016 2:39 PM FOG::TaskReboot No job exists for 00:50:56:AF:66:63
 8/12/2016 2:39 PM FOG::TaskReboot No task found for client.
 8/12/2016 2:39 PM FOG::HostnameChanger Attempting to connect to fog server...
 8/12/2016 2:39 PM FOG::HostnameChanger Module is active...
 8/12/2016 2:39 PM FOG::HostnameChanger Hostname is up to date
 8/12/2016 2:39 PM FOG::AutoLogOut Module is active...
 8/12/2016 2:39 PM FOG::AutoLogOut Timeout value is Zero, disabling module.
 8/12/2016 2:39 PM FOG::AutoLogOut The path is not of a legal form.
 8/12/2016 2:39 PM FOG::AutoLogOut    at System.IO.Path.NormalizePathFast(String path, Boolean fullCheck)
   at System.IO.Path.NormalizePath(String path, Boolean fullCheck)
   at System.IO.Path.GetFullPathInternal(String path)
   at System.IO.Path.GetFullPath(String path)
   at System.Drawing.IntSecurity.UnsafeGetFullPath(String fileName)
   at System.Drawing.IntSecurity.DemandReadFileIO(String fileName)
   at System.Drawing.Image.FromFile(String filename, Boolean useEmbeddedColorManagement)
   at System.Drawing.Image.FromFile(String filename)
   at FOG.AutoLogOut.doWork()
 8/12/2016 2:39 PM FOG::PrinterManager Failed to connect to fog server!
 8/12/2016 2:39 PM FOG::PrinterManager This is typically caused by a network error!
 8/12/2016 2:39 PM FOG::PrinterManager Sleeping for 1 minute.
 8/12/2016 2:40 PM FOG::MODDebug Reading config settings...
 8/12/2016 2:40 PM FOG::MODDebug Reading of config settings passed.
 8/12/2016 2:40 PM FOG::MODDebug Starting Core processing...
 8/12/2016 2:40 PM FOG::MODDebug Operating System ID: 6
 8/12/2016 2:40 PM FOG::MODDebug Operating System Minor: 1
 8/12/2016 2:40 PM FOG::MODDebug MAC ID 0 00:50:56:AF:66:63
 8/12/2016 2:40 PM FOG::MODDebug MAC POST String: 00:50:56:AF:66:63
 8/12/2016 2:40 PM FOG::MODDebug A user is currently logged in
 8/12/2016 2:40 PM FOG::MODDebug Username: public-image\admin
 8/12/2016 2:40 PM FOG::MODDebug Hostname: public-image
 8/12/2016 2:40 PM FOG::MODDebug Attempting to open connect to: http://10.0.0.67/fog/service/debug.php
 8/12/2016 2:40 PM FOG::MODDebug Server responded with: Hello FOG Client
 8/12/2016 2:40 PM FOG::MODDebug Module has finished work and will now exit.
 8/12/2016 2:40 PM FOG::PrinterManager Failed to connect to fog server!
 8/12/2016 2:40 PM FOG::PrinterManager This is typically caused by a network error!
 8/12/2016 2:40 PM FOG::PrinterManager Sleeping for 1 minute.
 8/12/2016 2:41 PM FOG::PrinterManager Failed to connect to fog server!
 8/12/2016 2:41 PM FOG::PrinterManager This is typically caused by a network error!
 8/12/2016 2:41 PM FOG::PrinterManager Sleeping for 1 minute.

Wayne Workman

@LibraryMark That’s the log from the legacy client. We would need you to uninstall the legacy client, reboot the machine, install the new fog client, reboot the machine, and then give it 5 minutes, and then retrieve the entire log file. You may upload it as a text file to the forums.

LibraryMark

@Wayne-Workman OK - that might take me a while.

LibraryMark

@Wayne-Workman
I do not have enough privileges for uploading.

Here’s the file’s contents:

 8/12/2016 3:05 PM Main Overriding exception handling
 8/12/2016 3:05 PM Main Bootstrapping Zazzles
 8/12/2016 3:05 PM Controller Initialize
 8/12/2016 3:05 PM Zazzles Creating main thread
 8/12/2016 3:05 PM Zazzles Service construction complete
 8/12/2016 3:05 PM Controller Start

 8/12/2016 3:05 PM Service Starting service
 8/12/2016 3:05 PM Bus ERROR: Could not enter socket
 8/12/2016 3:05 PM Bus ERROR: Cannot load Counter Name data because an invalid index '' was read from the registry.
 8/12/2016 3:05 PM Bus {
  "self": true,
  "channel": "Status",
  "data": "{\r\n  \"action\": \"load\"\r\n}"
}
 8/12/2016 3:05 PM Bus ERROR: Could not enter socket
 8/12/2016 3:05 PM Bus ERROR: Cannot load Counter Name data because an invalid index '' was read from the registry.
 8/12/2016 3:05 PM Bus Emmiting message on channel: Status
 8/12/2016 3:05 PM Service Invoking early JIT compilation on needed binaries

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 8/12/2016 3:05 PM Client-Info Version: 0.11.5
 8/12/2016 3:05 PM Client-Info OS:      Windows
 8/12/2016 3:05 PM Middleware::Authentication Waiting for authentication timeout to pass
 8/12/2016 3:05 PM Middleware::Communication Download: http://10.0.0.67/fog/management/other/ssl/srvpublic.crt
 8/12/2016 3:05 PM Data::RSA FOG Server CA cert found
 8/12/2016 3:05 PM Middleware::Authentication Cert OK
 8/12/2016 3:05 PM Middleware::Authentication ERROR: Could not get security token
 8/12/2016 3:05 PM Middleware::Authentication ERROR: Could not find file 'C:\Program Files\FOG\token.dat'.
 8/12/2016 3:05 PM Middleware::Communication POST URL: http://10.0.0.67/fog/management/index.php?sub=requestClientInfo&authorize&newService
 8/12/2016 3:05 PM Middleware::Response Invalid security token

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 8/12/2016 3:05 PM Client-Info Version: 0.11.5
 8/12/2016 3:05 PM Client-Info OS:      Windows
 8/12/2016 3:05 PM Middleware::Authentication Waiting for authentication timeout to pass
 8/12/2016 3:07 PM Middleware::Communication Download: http://10.0.0.67/fog/management/other/ssl/srvpublic.crt
 8/12/2016 3:07 PM Data::RSA FOG Server CA cert found
 8/12/2016 3:07 PM Middleware::Authentication Cert OK
 8/12/2016 3:07 PM Middleware::Authentication ERROR: Could not get security token
 8/12/2016 3:07 PM Middleware::Authentication ERROR: Could not find file 'C:\Program Files\FOG\token.dat'.
 8/12/2016 3:07 PM Middleware::Communication POST URL: http://10.0.0.67/fog/management/index.php?sub=requestClientInfo&authorize&newService
 8/12/2016 3:07 PM Middleware::Response Invalid security token

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 8/12/2016 3:07 PM Client-Info Version: 0.11.5
 8/12/2016 3:07 PM Client-Info OS:      Windows
 8/12/2016 3:07 PM Middleware::Authentication Waiting for authentication timeout to pass
 8/12/2016 3:09 PM Middleware::Communication Download: http://10.0.0.67/fog/management/other/ssl/srvpublic.crt
 8/12/2016 3:09 PM Data::RSA FOG Server CA cert found
 8/12/2016 3:09 PM Middleware::Authentication Cert OK
 8/12/2016 3:09 PM Middleware::Authentication ERROR: Could not get security token
 8/12/2016 3:09 PM Middleware::Authentication ERROR: Could not find file 'C:\Program Files\FOG\token.dat'.
 8/12/2016 3:09 PM Middleware::Communication POST URL: http://10.0.0.67/fog/management/index.php?sub=requestClientInfo&authorize&newService
 8/12/2016 3:09 PM Middleware::Response Invalid security token

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 8/12/2016 3:09 PM Client-Info Version: 0.11.5
 8/12/2016 3:09 PM Client-Info OS:      Windows
 8/12/2016 3:09 PM Middleware::Authentication Waiting for authentication timeout to pass
 8/12/2016 3:11 PM Middleware::Communication Download: http://10.0.0.67/fog/management/other/ssl/srvpublic.crt
 8/12/2016 3:11 PM Data::RSA FOG Server CA cert found
 8/12/2016 3:11 PM Middleware::Authentication Cert OK
 8/12/2016 3:11 PM Middleware::Authentication ERROR: Could not get security token
 8/12/2016 3:11 PM Middleware::Authentication ERROR: Could not find file 'C:\Program Files\FOG\token.dat'.
 8/12/2016 3:11 PM Middleware::Communication POST URL: http://10.0.0.67/fog/management/index.php?sub=requestClientInfo&authorize&newService
 8/12/2016 3:11 PM Middleware::Response Invalid security token

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 8/12/2016 3:11 PM Client-Info Version: 0.11.5
 8/12/2016 3:11 PM Client-Info OS:      Windows
 8/12/2016 3:11 PM Middleware::Authentication Waiting for authentication timeout to pass

Wayne Workman

@LibraryMark Does this file exist on the host? C:\Program Files\FOG\token.dat And what version of Windows is this host?

LibraryMark

@Wayne-Workman
That file does not exist. Where should it come from?
The PC (well, VM actually) is running 32-bit Windows 7.

Wayne Workman

@LibraryMark The new client should place it when it’s installed.

LibraryMark

@Wayne-Workman
Right. Well, it didn’t.

Wayne Workman

@LibraryMark Does the computer you tried on have Internet access?

LibraryMark

@Wayne-Workman Yes. Why?

Wayne Workman

@LibraryMark Just asking questions to try to figure out what happened. I’m still thinking on it.