Can't login into UI #42

Closed
logabot opened this issue Nov 15, 2019 · 11 comments

logabot commented Nov 15, 2019

Version: mokey-0.5.3-1.el7.x86_64 rpm
When I enter valid credentials, nothing happens: the page reloads and offers to enter the credentials again.

In log:

Nov 15 18:15:57 centos-vpn-test mokey: time="2019-11-15T18:15:57+03:00" level=info msg="Using template dir: /usr/share/mokey/templates/"
Nov 15 18:15:57 centos-vpn-test mokey: time="2019-11-15T18:15:57+03:00" level=info msg="IPA server: freeipa-server.onelya.auth"
Nov 15 18:15:57 centos-vpn-test mokey: time="2019-11-15T18:15:57+03:00" level=warning msg="**WARNING*** SSL/TLS not enabled. HTTP communication will not be encrypted and vulnerable to snooping."
Nov 15 18:15:57 centos-vpn-test mokey: time="2019-11-15T18:15:57+03:00" level=info msg="Running on http://10.4.0.152:8080/mokey"
Nov 15 18:15:57 centos-vpn-test mokey: ⇨ http server started on 10.4.0.152:8080
Nov 15 18:16:16 centos-vpn-test mokey: time="2019-11-15T18:16:16+03:00" level=info msg="Redirect URL" wyaf=/mokey
Nov 15 18:16:16 centos-vpn-test mokey: time="2019-11-15T18:16:16+03:00" level=info msg="Redirect URL" wyaf=/mokey
Nov 15 18:16:23 centos-vpn-test mokey: time="2019-11-15T18:16:23+03:00" level=info msg="Redirect URL" wyaf=/mokey

In browser: [screenshot attached to the original issue, not reproduced here]


logabot commented Nov 15, 2019

But when I try to create a new account, the user is created in FreeIPA.


maateen commented Nov 26, 2019

Hi mate! This happens due to a host mismatch. When you are trying this tool on a staging server, please ensure develop: true is set in /etc/mokey/mokey.yaml.

For production usage, host Mokey on the same server where the FreeIPA master is hosted. You can achieve this by writing the following lines in /etc/httpd/conf.d/mokey.conf:

<Location "/mokey">
  ProxyPass "http://127.0.0.1:8081/mokey"
</Location>

To make the above config usable, don't forget to ensure the following lines are in /etc/mokey/mokey.yaml:

port: 8081
bind: "127.0.0.1"
path_prefix: "/mokey"
develop: false


nop-sec commented Jan 10, 2020

I'm having the same issue as this. Mokey is running on the FreeIPA server, config file is the same as above for the httpd conf and the yaml file.

Running in debug mode, a new user is created absolutely fine, but when an existing user attempts to log in they are redirected back to /mokey with no session created.

INFO[0000] Using template dir: /usr/share/mokey/templates 
INFO[0000] IPA server:
WARN[0000] **WARNING*** SSL/TLS not enabled. HTTP communication will not be encrypted and vulnerable to snooping.
INFO[0000] Running on http://127.0.0.1:8081/mokey       
⇨ http server started on 127.0.0.1:8081
WARN[0040] New user account created                      email=test@test.com first=test homedir=/home/test last=test uid=test
WARN[0040] User password set successfully                uid=test
WARN[0040] New user account email sent successfully      email=test@test.com uid=test
INFO[0056] Redirect URL                                  wyaf=/mokey

When running with develop set to true and intercepting with Burp, I can see that no session cookies are being created, as I would have expected them to be.

I tested the /ipa/session/login_password API with the user and got a 200 response, so I would have expected "setSessionID" to be called in ubccr/goIPA/ipa.go.

FreeIPA version: 4.6.5
Mokey: mokey-0.5.3-1.el7.x86_64.rpm

Is there anything you could advise? It looks perfect for our needs. Thanks.

aebruno (Member) commented Jan 10, 2020

I would not advise running mokey on the same server as FreeIPA. Can you try running it on a different server and removing the path_prefix setting? Note: the server running mokey will need to be enrolled in IPA (using ipa-client-install, etc.).


nop-sec commented Jan 10, 2020

Same issue on an Ubuntu 18.04 host that is registered with the domain, with and without the path prefix. I moved it to the FreeIPA server based on the above comment, but that didn't help.

httpd Logs:

172.16.1.4 - - [10/Jan/2020:10:37:51 +0000] "GET /mokey/static/css/styles.css?v=6 HTTP/1.1" 200 518
172.16.1.4 - - [10/Jan/2020:10:37:51 +0000] "GET /mokey/static/css/font-awesome.min.css?v=6 HTTP/1.1" 200 7053
172.16.1.4 - - [10/Jan/2020:10:37:52 +0000] "GET /mokey/static/js/bootstrap.min.js?v=6 HTTP/1.1" 200 9833
172.16.1.4 - - [10/Jan/2020:10:37:52 +0000] "GET /mokey/static/js/jquery.min.js?v=6 HTTP/1.1" 200 33369
172.16.1.4 - - [10/Jan/2020:10:37:52 +0000] "GET /mokey/static/css/bootstrap.min.css?v=6 HTTP/1.1" 200 19744
172.16.1.4 - - [10/Jan/2020:10:38:12 +0000] "GET /mokey/auth/login HTTP/1.1" 200 1124
172.16.1.4 - - [10/Jan/2020:10:38:18 +0000] "GET /mokey/auth/signup HTTP/1.1" 200 1591
172.16.1.4 - - [10/Jan/2020:10:38:18 +0000] "GET /mokey/auth/captcha/4dzjU28ju96R8KbfG8mq.png HTTP/1.1" 200 1352
172.16.3.4 - mokey/gatewayfreeipa.EXAMPLE.LOCAL@EXAMPLE.LOCAL [10/Jan/2020:10:38:49 +0000] "POST /ipa/json HTTP/1.1" 200 609
172.16.3.4 - - [10/Jan/2020:10:38:49 +0000] "POST /ipa/session/change_password HTTP/1.1" 200 125
172.16.1.4 - - [10/Jan/2020:10:38:49 +0000] "POST /mokey/auth/signup HTTP/1.1" 200 785
172.16.1.4 - - [10/Jan/2020:10:38:54 +0000] "GET /mokey/auth/login HTTP/1.1" 200 1124
172.16.3.4 - - [10/Jan/2020:10:39:04 +0000] "GET /ipa/session/cookie HTTP/1.1" 301 263 "-" "python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-957.21.3.el7.x86_64"
172.16.3.4 - user@EXAMPLE.LOCAL [10/Jan/2020:10:39:04 +0000] "GET /ipa/session/cookie HTTP/1.1" 200 -
172.16.3.4 - - [10/Jan/2020:10:39:04 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 -
172.16.3.4 - user@EXAMPLE.LOCAL [10/Jan/2020:10:39:04 +0000] "POST /ipa/session/json HTTP/1.1" 200 142
172.16.1.4 - - [10/Jan/2020:10:39:04 +0000] "POST /mokey/auth/login HTTP/1.1" 302 -
172.16.1.4 - - [10/Jan/2020:10:39:05 +0000] "GET /mokey HTTP/1.1" 302 -
172.16.1.4 - - [10/Jan/2020:10:39:05 +0000] "GET /mokey/auth/login HTTP/1.1" 200 1124
172.16.1.4 - user@EXAMPLE.LOCAL [10/Jan/2020:10:51:03 +0000] "POST /ipa/session/json HTTP/1.1" 200 297
172.16.1.4 - user@EXAMPLE.LOCAL [10/Jan/2020:10:51:03 +0000] "POST /ipa/session/json HTTP/1.1" 200 403
172.16.1.4 - user@EXAMPLE.LOCAL [10/Jan/2020:10:51:04 +0000] "POST /ipa/session/json HTTP/1.1" 200 1123
172.16.1.4 - user@EXAMPLE.LOCAL [10/Jan/2020:10:51:05 +0000] "POST /ipa/session/json HTTP/1.1" 200 349
172.16.1.4 - user@EXAMPLE.LOCAL [10/Jan/2020:10:51:05 +0000] "POST /ipa/session/json HTTP/1.1" 200 242
172.16.1.4 - - [10/Jan/2020:10:58:17 +0000] "GET /mokey/auth/login HTTP/1.1" 200 1124
172.16.3.4 - - [10/Jan/2020:10:58:26 +0000] "GET /ipa/session/cookie HTTP/1.1" 301 263 "-" "python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-957.21.3.el7.x86_64"
172.16.3.4 - user@EXAMPLE.LOCAL [10/Jan/2020:10:58:26 +0000] "GET /ipa/session/cookie HTTP/1.1" 200 -
172.16.3.4 - - [10/Jan/2020:10:58:26 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 -
172.16.3.4 - user@EXAMPLE.LOCAL [10/Jan/2020:10:58:26 +0000] "POST /ipa/session/json HTTP/1.1" 200 142
172.16.1.4 - - [10/Jan/2020:10:58:26 +0000] "POST /mokey/auth/login HTTP/1.1" 302 -
172.16.1.4 - - [10/Jan/2020:10:58:26 +0000] "GET /mokey HTTP/1.1" 302 -
172.16.1.4 - - [10/Jan/2020:10:58:27 +0000] "GET /mokey/auth/login HTTP/1.1" 200 1124

aebruno (Member) commented Jan 10, 2020

Here are a few more things to check. Can you verify the IPA server is set correctly in /etc/ipa/default.conf? Ensure you have the auth and enc keys set in mokey.yaml per #40. Also, if you're running mokey over HTTP only (i.e. not running HTTPS), then set develop: true here, as cookies are set to secure mode by default. See here.


nop-sec commented Jan 10, 2020

The server appears to be set correctly in the defaults; however, server.go only seems to pick it up from mokey.yaml using log.Printf("IPA server: %s", viper.GetString("ipahost")).

/etc/ipa/default.conf:

[global]
basedn = dc=example,dc=local
realm = EXAMPLE.LOCAL
domain = example.local
server = freeipa.example.local
host = mokey.exampe.local
xmlrpc_uri = https://freeipa.example.local/ipa/xml
enable_ra = True

Two 32-bit keys have been set using:

openssl rand -hex 32
65dd79e4a6ba73c40e5984a8b58a512261fd977bc98ebf4dac68473876b96b58

develop: is set to true. As the HttpOnly attribute isn't being set, I would expect to see them being created, but none are when intercepting with Burp.


nop-sec commented Jan 10, 2020

Requests and responses:

POST /auth/login HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8081/auth/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 78
Origin: http://127.0.0.1:8081
Connection: close
Cookie: _csrf=LF6zQ30RSFiUSlrx826cQminjUhtRVKh; csrftoken=hM1SYJ6OZLSlQlJT5MFTibCmvDo1DMfyUO6UoJlAOOK25d5ogpunL5uAw9XMZXZZ; _csrf=LF6zQ30RSFiUSlrx826cQminjUhtRVKh
Upgrade-Insecure-Requests: 1

uid=user&password=password1&csrf=LF6zQ30RSFiUSlrx826cQminjUhtRVK

The issue seems to be here, where the expected cookie isn't being set.

HTTP/1.1 302 Found
Location: /
Set-Cookie: _csrf=LF6zQ30RSFiUSlrx826cQminjUhtRVKh; Expires=Sat, 11 Jan 2020 15:11:02 GMT
Vary: Cookie
Date: Fri, 10 Jan 2020 15:11:02 GMT
Content-Length: 0
Connection: close

GET / HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8081/auth/login
Connection: close
Cookie: csrftoken=hM1SYJ6OZLSlQlJT5MFTibCmvDo1DMfyUO6UoJlAOOK25d5ogpunL5uAw9XMZXZZ; _csrf=LF6zQ30RSFiUSlrx826cQminjUhtRVKh
Upgrade-Insecure-Requests: 1

GET /auth/login HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8081/auth/login
Connection: close
Cookie: _csrf=LF6zQ30RSFiUSlrx826cQminjUhtRVKh; csrftoken=hM1SYJ6OZLSlQlJT5MFTibCmvDo1DMfyUO6UoJlAOOK25d5ogpunL5uAw9XMZXZZ; _csrf=LF6zQ30RSFiUSlrx826cQminjUhtRVKh
Upgrade-Insecure-Requests: 1

aebruno (Member) commented Jan 10, 2020

The issue is with the enc_key setting. Try using openssl rand -hex 16 for the value.

aebruno (Member) commented Jan 10, 2020

The enc_key was not being properly decoded. This should be fixed in the next release. Thanks for your help debugging this.
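The two causes of a missing session cookie discussed in this thread (the enc_key length and Secure cookies served over plain HTTP) as a small configuration check. This is an added example, not mokey's own code; it assumes the enc_key string reaches the cookie layer as raw bytes rather than hex-decoded (the reading the maintainer's "not properly decoded" suggests), and the 32-character key is a constructed sample standing in for openssl rand -hex 16 output.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// Finding is one configuration problem, lint-style.
type Finding struct {
	Setting string
	Problem string
}
// aesKeyOK reports whether crypto/aes accepts this key (16, 24 or 32 bytes).
func aesKeyOK(key []byte) bool {
	_, err := aes.NewCipher(key)
	return err == nil
}
// CheckSessionConfig inspects the two settings the thread tied to a missing
// session cookie. encKey is the literal string from mokey.yaml.
// Assumption (not checked against mokey's source): the string reaches the
// cookie layer as raw bytes, which is what "not properly decoded" implies.
func CheckSessionConfig(encKey string, tlsEnabled, develop bool) []Finding {
	var findings []Finding
	raw := []byte(encKey)
	if !aesKeyOK(raw) {
		f := Finding{Setting: "enc_key", Problem: fmt.Sprintf(
			"%d raw bytes is not a valid AES key size (16/24/32)", len(raw))}
		// openssl rand -hex 32 gives 64 hex chars: 32 bytes if decoded, 64 if used as-is.
		if dec, err := hex.DecodeString(encKey); err == nil && aesKeyOK(dec) {
			f.Problem += fmt.Sprintf("; hex-decoding it would give a valid %d-byte key", len(dec))
		}
		findings = append(findings, f)
	}
	// Browsers drop Secure cookies sent over plain HTTP, so the IPA login succeeds
	// but no session survives the redirect back to /mokey.
	if !tlsEnabled && !develop {
		findings = append(findings, Finding{Setting: "develop",
			Problem: "plain HTTP with Secure session cookies; set develop: true or enable TLS"})
	}
	return findings
}

func main() {
	// The 64-char key posted in the thread versus a constructed 32-char (hex 16) one.
	for _, k := range []string{"65dd79e4a6ba73c40e5984a8b58a512261fd977bc98ebf4dac68473876b96b58", "0123456789abcdef0123456789abcdef"} {
		fmt.Printf("%d chars: %+v\n", len(k), CheckSessionConfig(k, false, true))
	}
}
```

The 32-character value works by accident under this assumption: used as raw bytes it is exactly 32 bytes, a valid AES-256 key, which is why `openssl rand -hex 16` unblocked the reporter before the decoding fix.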


nop-sec commented Jan 10, 2020

Just downloaded and recompiled, and it works spot on now. A few issues with the hydra SDK and urfav/cli changes, but that's a problem for another day.

Thanks for your help and your good work!
