[Freeipa-users] Fwd: 2-Factor and services
Dmitri Pal
dpal at redhat.com
Mon Mar 2 19:13:55 UTC 2015
On 03/02/2015 01:19 AM, Michael Lasevich wrote:
> There is actually a way to achieve what you most likely want to but
> not what you are asking for.
>
> I do not think there is currently a way to force 2fa based on service
> or host being authenticated - it is all or nothing. However, if all
> you want is the ability to use 2fa against FreeIPA for OpenVPN
> authentication and use just password everywhere else - that is
> actually possible.
>
> This is how I achieved this - may not be an ideal setup but it works.
> As suggested, set up users to support both 2fa and password
> authentication. Forget about using PAM for OpenVPN authentication -
> instead use a plug-in script with credentials passed using via-env.
> You can write the plugin in any language you want (I used Python) and
> your logic should be something along the lines of:
>
> Parse password to separate OTP token from password. Use LDAP to
> authenticate with just password and then again with password AND OTP
> token. LDAP authentication happens on the IPA server and will support
> both methods. Authenticating twice is important to guarantee you do
> not have a smart-alec user who sets their password to end in 6 digits
> instead of actually enabling 2fa. Once you have successful
> authentication, you can use it to perform additional verifications -
> like checking membership (or lack thereof) in a specific group, etc., etc.
>
> So, here is something else to think about. You may not want to allow
> the same accounts access to VPN and to the internal network. There is
> a reason why this is generally considered a bad practice. If someone,
> by some means (say another Heartbleed-like exploit or some MITM attack
> or by gaining root access to the VPN server) gains access to your
> user's VPN login credentials - the last thing you want is them having
> a full run of the network using those exact same credentials. Ideally
> it would be nice if 2fa "pin" (the non OTP portion of the 2fa) would
> be DIFFERENT from the password on the same account, but FreeIPA does
> not support that - at least not at this time. So what I would
> recommend is using a completely separate account in FreeIPA for VPN
> access. You can standardize this by using a standard prefix (so that
> for example user "username" would have an "ext-username" account for
> 2fa use with external authentication) - "ext" account would have no
> permissions to any data or internal login, just to access the network
> from outside and the main account would have no external access. To
> hack you, someone would then need to hack your OpenVPN box and then
> would still need to hack your internal authentication - which should
> be encrypted by TLS/SSH even over the VPN. You can also add the prefix
> automatically behind the scenes with the OpenVPN authentication
> script, as well as have the script only allow access for accounts that
> have no other privileges besides external access. Something to think
> about.
This customization is very specific to the conventions that you choose
for yourself to follow.
It is not a bad solution, just a bit too custom.
>
> HTH,
>
> -M
>
> On Sun, Mar 1, 2015 at 6:40 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 02/27/2015 11:37 AM, Matt Wells wrote:
>
> I see how that would work but as you mentioned, I no longer have SSO.
>
> My desktops are all 3: Linux, Mac and Windows. However the Windows
> systems talk with AD and a trust exists to facilitate those
> communications and SSO between the systems.
>
> It doesn't sound like this is really possible without the heavy loss
> of functionality. This would be an amazing option to add though. The
> ability to define a service and prioritize an authentication
> mechanism.
>
>
> On Mac and Windows you would not get SSO anyway because Kerberos
> on those platforms does not support the latest RFCs related to 2FA, at
> least not yet, and since they are proprietary it is unclear what their
> plans are.
>
> The problem we also have is that there is no way to be selective
> on the KDC/DS side - there is no way to determine what the client
> is and associate some policies with it.
> It would have to be the client that would have to have the capability
> to enforce or not enforce 2FA if the server supports both. But
> again that means that Mac and Windows would have to keep up with
> this capability.
>
> Bottom line, it is a popular request but it is unclear how we can
> satisfy it.
>
> On Thu, Feb 26, 2015 at 2:09 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 02/26/2015 12:40 PM, Matt Wells wrote:
>
> Had an error on my options for the list and the replies failed to get
> to me. We'll see if this reply works. :)
>
> @Dmitri - Anyone coming through this service/host (OpenVPN with PAM)
> will be required to use 2-Factor. Their normal logins at their desk
> are not required for 2-factor; it's ok if they use it but it's not
> required at all.
> This VPN service is, as assumed, exposed to the internet. We're
> wanting to protect ourselves as best we can with AAA.
>
>
> If we are just talking about managing users in IdM and having tokens
> for them managed in IdM too, then the recommendation is:
>
> - Set users to use OTP or password (set both check boxes)
> - Configure VPN to use Kerberos authentication against IPA - that will
> force use of 2FA with the policy above
> - Configure computers at the desk to use LDAP (you lose Kerberos SSO) -
> that would allow single factor with the policy above
>
> What are your desktops? Linux? Mac?
> Is there any AD involved?
>
>
> -------------------------------
> I've got many users set up with 2-Factor and I'd like to enforce it
> with some services.
> For example:
> Server vpn.example.com is an OpenVPN server set up to use PAM.
> Since he's tied to my 4.X IDM servers I can use 2-Factor with him.
> However I want to enforce that users from this system/service require
> 2-Factor.
> Can anyone point me in the right direction? My Google Foo is showing
> to be poor on this one and any guidance would be appreciated.
>
> As always thanks for taking the time to read over this.
>
>
> So do you want to use 2FA for some users and 1FA for others, or do you
> want to have the flexibility to use 2FA for the same user on one system
> and not another?
> Do you plan to use external tokens like RSA or do you plan to use native
> OTP support in IPA?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
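Michael's OpenVPN plug-in approach above (split the OTP off the end of the password, bind against IPA twice, then check that the separate ext- account has no privileges beyond VPN access), worked out as an added example that is not part of this thread and not FreeIPA or OpenVPN code. It assumes OpenVPN's via-env convention of passing the credentials in the `username` and `password` environment variables and treating exit status 0 as success, a 6-digit OTP, an `ext-` account prefix and a `vpn-external` group (all constructed for the example), and it replaces the real LDAP bind with an in-memory stand-in so it runs offline; in production `bind` would be a simple bind against the IPA directory (python-ldap or ldap3) and `groups_of` an LDAP lookup of memberOf.

```python
"""Constructed OpenVPN auth-user-pass-verify script (via-env style).

Assumptions (not from the thread): OpenVPN exports the credentials as the
`username` and `password` environment variables; the OTP is the last 6
characters of what the user typed; VPN-only accounts are named
"ext-<user>" and belong to the "vpn-external" group.
"""
import os
import re
import sys

OTP_LEN = 6                  # assumption: 6-digit TOTP/HOTP appended to password
EXT_PREFIX = "ext-"          # assumption: naming convention for VPN-only accounts
VPN_GROUP = "vpn-external"   # assumption: group the ext- account must be in
# Groups an ext- account may belong to and still be considered "VPN only".
# "ipausers" is IPA's default group for every user.
ALLOWED_GROUPS = {VPN_GROUP, "ipausers"}

# Greedy ".+" leaves exactly the last OTP_LEN digits for the otp group.
OTP_RE = re.compile(r"^(?P<password>.+)(?P<otp>\d{%d})$" % OTP_LEN)


def split_password(combined):
    """Split 'passwordOTP' into (password, otp); None if no OTP suffix."""
    m = OTP_RE.match(combined)
    if not m:
        return None
    return m.group("password"), m.group("otp")


def authenticate(username, combined, bind, groups_of):
    """Return True only if the ext- account passes BOTH binds and group checks.

    bind(account, secret) -> bool   : LDAP simple bind against the IPA server
    groups_of(account)    -> list   : group names the account belongs to
    """
    # The user types the base name; the script adds the prefix itself so a
    # caller cannot pick an arbitrary (non-ext) account to bind as.
    if not username or username.startswith(EXT_PREFIX):
        return False
    account = EXT_PREFIX + username
    parts = split_password(combined)
    if parts is None:
        return False
    password, otp = parts
    # First bind: the password alone must be accepted. A user who merely set
    # a password ending in six digits (no token enrolled) fails here.
    if not bind(account, password):
        return False
    # Second bind: password + OTP must also be accepted, proving a token is
    # really enrolled rather than the digits being part of the password.
    if not bind(account, password + otp):
        return False
    # Post-authentication check: the ext- account must be in the VPN group
    # and must not hold any other privilege.
    groups = set(groups_of(account))
    return VPN_GROUP in groups and groups <= ALLOWED_GROUPS


class FakeDirectory:
    """Constructed stand-in for the IPA LDAP bind behaviour when a user has
    both the password and otp auth types enabled (as recommended above)."""

    def __init__(self, users):
        self.users = users  # name -> {"password": str, "otp": str|None, "groups": [...]}

    def bind(self, name, secret):
        u = self.users.get(name)
        if u is None:
            return False
        if secret == u["password"]:
            return True  # password-only auth type accepted
        otp = u.get("otp")
        return otp is not None and secret == u["password"] + otp

    def groups_of(self, name):
        return self.users.get(name, {}).get("groups", [])


# Constructed accounts covering the cases discussed in the thread.
CONSTRUCTED_USERS = {
    "ext-alice": {"password": "correct horse", "otp": "424242",
                  "groups": ["ipausers", "vpn-external"]},      # proper 2FA user
    "ext-bob":   {"password": "hunter2123456", "otp": None,
                  "groups": ["ipausers", "vpn-external"]},      # "smart-alec" password
    "ext-carol": {"password": "s3cret", "otp": None,
                  "groups": ["ipausers", "vpn-external"]},      # no token enrolled
    "ext-dave":  {"password": "pw", "otp": "999999",
                  "groups": ["ipausers", "vpn-external", "admins"]},  # too privileged
}


def main():
    directory = FakeDirectory(CONSTRUCTED_USERS)
    ok = authenticate(os.environ.get("username", ""),
                      os.environ.get("password", ""),
                      directory.bind, directory.groups_of)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

Wired into OpenVPN as `auth-user-pass-verify /path/to/script.py via-env`, the script's exit status decides the login; the two-bind rule means a user who disables their token and pads their password with digits is rejected, and the group rule rejects a VPN account that has been granted internal privileges.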