[Freeipa-users] OTP: using external validation server for Yubikeys?

Jochen Hein jochen at jochen.org
Sun Oct 30 10:58:10 UTC 2016


Hi,

I'm running my own privacyidea instance to manage my Yubikey and other
OTP tokens. Right now I have to decide in which system my Yubikey is
managed - right now it is in privacyidea. My token is in yubico mode, so
no HOTP/TOTP for now.

For now I run a FreeRADIUS as a frontend to privacyidea and use that in
FreeIPA to authenticate my user, but I think it is too complex and
fragile for my small installation. And FreeIPA is dependent on an
external userstore (for me Kolab's dirsrv right now) as well.

What I'd find useful is something like the following:

- A yubikey token generates a 44 character OTP, the first 12 characters
  identify the token. This could be a factory initialized token or a
  locally initialized one.

- A user has a yubikey token assigned (the 12 characters identifier) and
  a validation server that will check the OTP. Default servers could be
  yubico's validation servers
  (https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s) while it should
  be possible to use a self hosted infrastructure with yubico's software
  or something like privacyidea or linotp (somewhat similar to the
  RADIUS configuration)

  The validation protocol is explained at
  https://developers.yubico.com/yubikey-val/Validation_Protocol_V2.0.html
  and is quite simple.
  
  Authentication option for the user would be password+OTP.

- When logging in the user is first asked for the first factor
  (password), and then the second factor (OTP). ipa-otp would hand off
  the validation to the external server and act according to the
  response.

That way a yubikey token can be used for other applications (like
Kolab/Roundcube, pam_yubico etc.) as well as for FreeIPA, because the
secret and counter are stored in one central system that is queried by
all applications.

Something like that would possibly require changes to the LDAP schema[1]
in addition to changes to ipa-otp, ipa, and the webui.  Do you think
something like that would be useful?

Jochen

[1] Kolab documents this at https://git.kolab.org/T414:
The Roundcube plugin is basically functional to run locally as of commit
rRPK9cd117d7. There's some documentation about the kolab_2fa plugin, its
components, installation and configuration in the README.md. Please note
that the Yubikey driver doesn't work with the LDAP storage due to
missing coverage in the FreeIPA schema.

-- 
The only problem with troubleshooting is that the trouble shoots back.
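Added example (editor's note, not part of Jochen's message and not code from FreeIPA, privacyidea or Yubico): the client side of the validation protocol V2.0 linked above, written out so the hand-off the post sketches is concrete. It splits a 44-character OTP into the 12-character public ID and the encrypted part, builds the verify request, and checks a response the way a caller such as ipa-otp would have to: response signature first, then that the otp and nonce in the answer are the ones that were sent, and only then the status. The nonce and the HMAC-SHA1 signature over the alphabetically sorted parameters come from the V2.0 spec; the API key, the OTP string and the server response are constructed locally for the demo, so nothing here talks to a real server.

```python
"""Client side of the Yubico validation protocol V2.0, as an added example.
The API key, OTP and server response are constructed for the demo."""
import base64
import hashlib
import hmac
import secrets
import urllib.parse

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # Yubico's keyboard-layout-safe hex
OTP_LENGTH = 44
PUBLIC_ID_LENGTH = 12
VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify"

# Constructed values (assumptions for the demo, not real credentials):
DEMO_API_KEY = base64.b64encode(b"demo-only-hmac-key!!").decode()  # 20 bytes, base64 like a real API key
DEMO_OTP = "cccccccccccd" + MODHEX_ALPHABET * 2  # 12-char public ID + 32-char encrypted block


def split_otp(otp):
    """Return (public_id, encrypted_part). The first 12 modhex characters are the
    token's public identity; the remaining 32 are the AES block that only the
    validation server (which holds the token's AES key) can check."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LENGTH or any(c not in MODHEX_ALPHABET for c in otp):
        raise ValueError("not a 44-character modhex Yubico OTP")
    return otp[:PUBLIC_ID_LENGTH], otp[PUBLIC_ID_LENGTH:]


def modhex_to_hex(s):
    """Decode modhex (c=0 ... v=f) to ordinary hex, e.g. to match the public ID
    against what a token-management system stores."""
    return "".join("0123456789abcdef"[MODHEX_ALPHABET.index(c)] for c in s)


def sign_params(api_key_b64, params):
    """V2.0 signature: sort parameters by key, join as key=value with '&',
    HMAC-SHA1 with the base64-decoded API key, base64-encode the digest.
    The 'h' parameter itself is never part of the signed string."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_verify_request(client_id, otp, api_key_b64=None, nonce=None):
    """Build the GET URL. The nonce (16-40 alphanumerics) is mandatory in V2.0
    and is what lets the client tie a response back to its own request."""
    split_otp(otp)  # reject malformed input before it goes on the wire
    nonce = nonce or secrets.token_hex(16)
    params = {"id": str(client_id), "otp": otp, "nonce": nonce}
    if api_key_b64:
        params["h"] = sign_params(api_key_b64, params)
    return VERIFY_URL + "?" + urllib.parse.urlencode(params), nonce


def parse_response(body):
    """Responses are key=value lines; split on the first '=' only, because the
    base64 'h' value may itself end in '='."""
    params = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            k, _, v = line.partition("=")
            params[k] = v
    return params


def check_response(body, sent_otp, sent_nonce, api_key_b64=None):
    """Decide whether a validation response authorises the login. Returns
    (ok, reason). Signature, otp and nonce are checked before the status so a
    relayed or tampered answer is never accepted just because it says OK."""
    r = parse_response(body)
    if api_key_b64 and not hmac.compare_digest(sign_params(api_key_b64, r), r.get("h", "")):
        return False, "bad response signature"
    if r.get("otp") != sent_otp:
        return False, "response is for a different OTP"
    if r.get("nonce") != sent_nonce:
        return False, "nonce mismatch (not the answer to our request)"
    if r.get("status") != "OK":
        return False, "status " + r.get("status", "<missing>")
    return True, "OK"


def fake_server_response(api_key_b64, otp, nonce, status="OK"):
    """What a validation server would send back; constructed locally for the demo."""
    r = {"t": "2016-10-30T10:58:10Z0123", "otp": otp, "nonce": nonce, "sl": "100", "status": status}
    r["h"] = sign_params(api_key_b64, r)
    return "\r\n".join(f"{k}={r[k]}" for k in ("h", "t", "otp", "nonce", "sl", "status")) + "\r\n"


if __name__ == "__main__":
    url, nonce = build_verify_request(1, DEMO_OTP, DEMO_API_KEY)
    public_id, _ = split_otp(DEMO_OTP)
    print("token public ID:", public_id, "=", modhex_to_hex(public_id))
    print("request:", url)
    print(check_response(fake_server_response(DEMO_API_KEY, DEMO_OTP, nonce), DEMO_OTP, nonce, DEMO_API_KEY))
```

Pointing VERIFY_URL at a self-hosted yubikey-val, privacyidea or linotp endpoint that speaks the same protocol is the only change a caller needs; the otp/nonce/signature checks stay the same, and they are what keep a proxy between the client and the validation server from turning an OTP rejection into an acceptance.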