[7.080] ACC SSO works too well [CONFIRMED]

Funny Thing:

For testing I removed my asg-beta from ACC, and disabled/enabled central management on the ASG.
Then I checked on ACC whether the ASG had rejoined, so far OK.
So I tried to up2date the ASG through ACC (ACC->Device Management->Check ASG->Up2Date), so far OK, no new updates [:)]

Switching back to the dashboard I noticed that the user name changed from admin to CM__Admin ???
So I tried to log off from the ASG, but after log off Webmin logs back in, without asking for user/pass.
So I closed Firefox and started IE; after accepting the cert, I was successfully authenticated (no user/pass question).
I tried this from a different PC, but always the same result: no prompt for user/pass; after accepting the cert and caching object, the browser goes to the dashboard. Log off results in logoff and immediate logon.

After rebooting ASG and ACC and disabling Central Management, still the same procedure:
I am logged in with CM__admin.

Here is the log from the user auth daemon:

2007:11:21-14:52:43 (none) aua[28610]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="admin" caller="webadmin" engine="local"
2007:11:21-20:07:09 (none) aua[13533]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="admin" caller="webadmin" engine="local"
2007:11:21-20:50:14 (none) aua[15845]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="admin" caller="webadmin" engine="local"
2007:11:21-21:27:46 (none) aua[17683]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="admin" caller="webadmin" engine="local"
2007:11:21-22:04:40 (none) aua[20848]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"
2007:11:21-22:16:55 (none) aua[21444]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"
2007:11:21-22:31:23 (none) aua[22370]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"
2007:11:21-22:31:36 (none) aua[2823]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"
2007:11:21-22:32:26 (none) aua[2823]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"
2007:11:21-22:36:05 (none) aua[2823]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"
2007:11:21-22:36:14 (none) aua[2823]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"
2007:11:21-22:36:32 (none) aua[22717]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"
2007:11:21-22:37:44 (none) aua[2823]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.24" user="CM__admin" caller="webadmin" engine="Cached"
2007:11:21-22:37:55 (none) aua[2823]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.24" user="CM__admin" caller="webadmin" engine="Cached"
2007:11:21-22:38:37 (none) aua[2823]: id="3006" severity="info" sys="System" sub="auth" name="TERM signal received, shutting down daemon"
2007:11:21-22:40:02 (none) aua[2826]: id="3001" severity="info" sys="System" sub="auth" name="Daemon started successfully"
2007:11:21-22:42:50 (none) aua[6053]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"
2007:11:21-22:44:54 (none) aua[2826]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"
2007:11:21-22:46:34 (none) aua[2826]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"
2007:11:21-22:48:11 (none) aua[6645]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"
2007:11:21-22:50:24 (none) aua[2826]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"
2007:11:21-23:00:57 (none) aua[7473]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"
2007:11:21-23:08:21 (none) aua[8284]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"
2007:11:21-23:18:29 (none) aua[9364]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"


Maybe I should try to delete CM__Admin?

Gregor Kemter

Edit: If somebody tells me how to break this "autologin" loop, maybe I can reproduce this [;)]
Edit2: I am happy that I limit access to the ASG to my internal net only; if not, the thing would not be funny.
  • After I went home, the "autologin" feature didn't let me sleep, so I drove back to the office and tried a factory reset.
    But after the factory reset, the Webmin still tries to log in with CM__admin [:O],
    so I decided to do a fresh install from CD.
    Unfortunately my latest Sai-Iso was 7.006, but after feeding all the up2date files and config.backup the ASG runs now.

    Gregor Kemter
  • Hi Gregor!

    Finally WebAdmin SSO seems to work ... *um* a little bit too well ...

    ACC will create a user CM__admin on ASG V7 only if you press the WebAdmin button in ACC (from a monitoring view or registration). Then the auto-login to WebAdmin is performed. The user creation and auto-login will not happen if you just check for Up2Dates as you have described.

    Anyway, there is an issue with credentials not properly invalidated after SSO, so you are stuck in this auto-login / never-logout forever-loop. It is fixed in the upcoming 7.085 beta.

    As we knew of this beforehand, Tom must decide if you still get any points - I mean you had the shock and the sleepless night ... Sorry for that.

    As for breaking the auto-login loop, you can try the following:

    # unlink /var/sec/chroot-httpd/var/webadmin/var/acc_credentials.ph

    Cheers and thanks,
    Henning
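
One way to spot this condition in the user authentication daemon log, as an added example that is not part of the original thread: it flags the first WebAdmin login by an account outside an expected set, and any engine="Cached" success from a source IP with no earlier engine="local" success for that user. The function names, the expected-account set and the reading of the engine field are assumptions; the sample lines are a subset of the log quoted in the first post.

```python
import re
from collections import defaultdict

# Subset of the aua log lines quoted in the first post of this thread.
SAMPLE = '''\
2007:11:21-21:27:46 (none) aua[17683]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="admin" caller="webadmin" engine="local"
2007:11:21-22:04:40 (none) aua[20848]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="local"
2007:11:21-22:31:36 (none) aua[2823]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.150" user="CM__admin" caller="webadmin" engine="Cached"
2007:11:21-22:37:44 (none) aua[2823]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.254.24" user="CM__admin" caller="webadmin" engine="Cached"
2007:11:21-22:38:37 (none) aua[2823]: id="3006" severity="info" sys="System" sub="auth" name="TERM signal received, shutting down daemon"
'''

LINE = re.compile(r'^(?P<ts>\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) \S+ aua\[\d+\]: (?P<kv>.*)$')
FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse(line):
    """Return the key="value" fields of one aua line plus 'ts', or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    event = dict(FIELD.findall(m.group('kv')))
    event['ts'] = m.group('ts')
    return event

def review(log_text, expected_users=frozenset({'admin'})):
    """List (ts, reason, user, srcip) findings for WebAdmin logins."""
    findings = []
    seen_users = set()
    local_ips = defaultdict(set)  # user -> IPs with an engine="local" success
    for line in log_text.splitlines():
        ev = parse(line)
        # Only successful authentications (id 3004) against WebAdmin matter here.
        if not ev or ev.get('id') != '3004' or ev.get('caller') != 'webadmin':
            continue
        user, ip, engine = ev.get('user'), ev.get('srcip'), ev.get('engine')
        # Assumption: expected_users holds the accounts the admin created.
        if user not in expected_users and user not in seen_users:
            findings.append((ev['ts'], 'unexpected-account', user, ip))
        seen_users.add(user)
        if engine == 'local':
            local_ips[user].add(ip)
        elif engine == 'Cached' and ip not in local_ips[user]:
            # Cached success from a host with no earlier local success.
            findings.append((ev['ts'], 'cached-without-local', user, ip))
    return findings

if __name__ == '__main__':
    for finding in review(SAMPLE):
        print(*finding)
```

On the sample it reports the first CM__admin login and the cached login from 192.168.254.24, the second PC that was never asked for a password.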