FreedomTunnel: Difference between revisions

From My Wiki
Jump to navigation Jump to search
← Older edit
imported>Charlesnw
No edit summary
imported>Charlesnw
No edit summary
 
(12 intermediate revisions by 3 users not shown)
Line 1: Line 1:
= FLOSS Single Sign On One Time Password System =
FreedomTunnel is a FLOSS ("free/libre open source software") Single Sign On ("SSO") One-Time-Password System.


== Introduction/Overview ==
See also [[FreedomTunnel/DeploymentNotes|DeploymentNotes]].
I've wanted to do this for some time. Create a fully open source/free software based system for one time password authentication.  


The idea is that I can login to a Windows/Mac/Linux system, enter a one time password (PIN number + 6 digit code), and be authenticated to everything I use that requires a password without further authentication prompts.
== Overview ==


The idea is that one can login to a Windows/Mac/Linux system, enter a one time password (PIN number + 6 digit code), and be authenticated to everything one can use that requires a password without further authentication prompts.


== Desired Features of the system ==
The core will probably be FreeIPA, which looks pretty compelling and will take care of a lot of the involved pieces (NTP/Ldap/Kerberos) in one shot. See [https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html this guide].
 
Add in RADIUS ([http://consultancy.edvoncken.net/index.php/HOWTO_Configure_Radius_with_an_IPA_Server via])
and [http://weblogin.org/ CoSign] for web SSO (found at http://forums.somethingawful.com/showthread.php?threadid=3459961) and you've got everything for single sign on / single password. Now we just need to add OTP.
 
== Desired Features ==


* Fully open source (all client and server pieces)
* Fully open source (all client and server pieces)
Line 14: Line 19:
* OTP generation client must support Android/Blackberry/Apple devices  
* OTP generation client must support Android/Blackberry/Apple devices  


User experience in different contexts:
* Login to local workstation: this is a standard username/password combination. No network connectivity is required for this to function. However, if the device is connected to network already, then login system will indicate this and accept username/enhanced password (PIN+random digits). So a maximum of two logins is all that is ever required for access to any resource one controls.


== User experience ==
* Login to local workstation. This is a standard username/password combination. No network connectivity is required for this to function. However, if the device is connected to network already, then login system will indicate this and accept username/enhanced password (PIN+random digits). So a maximum of two logins is all that is ever required for access to any resource I control.
* SSH to a server/network device or browse to a webapp I control and not have any login prompts.  
* SSH to a server/network device or browse to a webapp I control and not have any login prompts.  


 
Supported Authentication Clients:
== Supported Authentication Clients ==


* WPA-Enterprise 802.11 users on Windows, Mac, Linux  
* WPA-Enterprise 802.11 users on Windows, Mac, Linux  
* Workstation OS logins on Windows, Mac, Linux
* Workstation OS logins on Windows, Mac, Linux
* VPN users (IPSEC/OpenVPN)
* VPN users (IPSEC/OpenVPN)
* Web applications (Wordpress/MediaWiki/Status.net/Tattler/Drupal/Redmine and any other apps I use)
* Web applications (Wordpress/MediaWiki/Status.net/Tattler/Drupal/Redmine and any other apps)
 
 
== Project Execution phases ==
 
=== Centralized authentication ===
 
Setup everything on my network that takes a password (workstations/network gear/wpa/www apps etc) to talk to OpenLDAP/Kerberos/FreeRadius. This way I will have a centralized auth store with policy control etc. One password for everything. In the event I have an application that can't use SSO, I can still have a common password for it.
 
What do I have that is capable of talking to these back ends?
 
* All Linux boxes (use Kerberos/OpenLDAP for logins)
 
* All Windows boxes (use Kereros/OpenLDAP/FreeRadius for logins)
 
* Web apps (most support LDAP directly, some I use the kerberos module and pam auth)
 
* Cisco gear (FreeRadius)
 
* Nanostation2 based wireless access points running OpenWRT (wpa2 enterprise to FreeRadius backend)
 
=== One time password system ===
 
=== Single sign on ===
 
 
 
= Involved components =
 
* LDAP (this is the backend to everything else)
* 802.1x system for wired/wireless clients (one needs to be on the network in order to access auth backend). This would be a white list of authorized mac addresses. Any network access would result in prompt for credentials
* Kerberos (this is used for workstation logins)
* FreeRadius (this is used by cisco gear and for wireless user authentication)
* Clients authenticating
 
 
All the below components run on a VPS with Centos5.5. Up in the cloud (at my $dayjob which is a very large IAAS provider).
 
== LDAP ==
 
 
LDAP is the back end for everything else (freeradius/kerberos serves as authentication methods for clients, talking to LDAP as authorization system). So it is key to have a working LDAP installation before doing anything else.
 
Followed howto at http://www.linuxmail.info/openldap-setup-howto/
 
* yum install openldap-servers openldap-clients
* base.ldif
<pre>
dn: dc=knownelement,dc=com
dc: knownelement
objectClass: domain
</pre>
 
users.ldif
<pre>
[root@kno ~]# cat users.ldif
dn: ou=People,dc=knownelement,dc=com
ou: People
objectClass: organizationalUnit
 
dn: uid=charles,ou=People,dc=knownelement,dc=com
uid: charles
cn: Wyble Charles
displayName: Charles Wyble
givenName: Charles
sn: Wyble
objectClass: inetOrgPerson
userPassword: password
mail: charles@knownelement.com
[root@kno ~]#
</pre>
 
* ldapadd -x -D "cn=Manager,dc=knownelement,dc=com" -w secretstuff -f base.ldif
* ldapadd -x -D "cn=Manager,dc=knownelement,dc=com" -w secretstuff -f users.ldif
 
== Kerberos ==
 
* http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-kerberos.html
* http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-kerberos-clients.html
 
== FreeRADIUS ==
 
== 802.1x ==
 
== Clients ==
 
=== Web applications ===
 
* Tattler / Memex (drupal based applications)
* Thinkup
* Piwigo
* OpenDocMan
* Status.net
* Wordpress
* Redmine
* Mediawiki
* EyeOS
* Thunderbird
 
=== Network gear ===
* Cisco switches/routers
One howto for FreeRADIUS/LDAP and cisco gear is at http://jenniferhuber.blogspot.com/2010/07/using-open-source-radius-server-in-your.html
 
* OpenWRT wireless gear
 
=== Workstations ===
* Windows
* Linux
** Debian
** RedHat
 
= Source material =
 
Here are links to various howtos I referenced to put this wiki page together.
 
http://blog.harritronics.com/2011/06/primer-authentication-radius-kerberos.html#comment-form
 
http://techpubs.spinlocksolutions.com/dklar/kerberos.html


http://techpubs.spinlocksolutions.com/dklar/ldap.html


http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree
== More Resources ==


http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
* [[FreedomTunnel/DeploymentNotes]]
* [http://chili.freenetworkfoundation.org/projects/freedomtunnel Chili project page]


http://www.eduroamus.org/node/45
{{FNFProject}}

Latest revision as of 03:44, 18 June 2012

FreedomTunnel is a FLOSS ("free/libre open source software") Single Sign On ("SSO") One-Time-Password System.

See also DeploymentNotes.

Overview

The idea is that one can login to a Windows/Mac/Linux system, enter a one time password (PIN number + 6 digit code), and be authenticated to everything one can use that requires a password without further authentication prompts.

The core will probably be FreeIPA, which looks pretty compelling and will take care of a lot of the involved pieces (NTP/Ldap/Kerberos) in one shot. See this guide.

Add in RADIUS (via) and CoSign for web SSO (found at http://forums.somethingawful.com/showthread.php?threadid=3459961) and you've got everything for single sign on / single password. Now we just need to add OTP.

Desired Features

  • Fully open source (all client and server pieces)
  • Runs in a highly available master/(multi)slave fashion in multiple data centers.
  • Must be seamless (login process is just username + password. Everything else is handled behind the scenes)
  • OTP generation client must support Android/Blackberry/Apple devices

User experience in different contexts:

  • Login to local workstation: this is a standard username/password combination. No network connectivity is required for this to function. However, if the device is connected to network already, then login system will indicate this and accept username/enhanced password (PIN+random digits). So a maximum of two logins is all that is ever required for access to any resource one controls.
  • SSH to a server/network device or browse to a webapp I control and not have any login prompts.

Supported Authentication Clients:

  • WPA-Enterprise 802.11 users on Windows, Mac, Linux
  • Workstation OS logins on Windows, Mac, Linux
  • VPN users (IPSEC/OpenVPN)
  • Web applications (Wordpress/MediaWiki/Status.net/Tattler/Drupal/Redmine and any other apps)


More Resources

Free Network Infrastructure Projects (edit)
Box - Node - Tower - Tunnel - Link
Network Operations Center - Lab - VoIP - Stack - Overview
Retrieved from "https://commons.thefnf.net/index.php?title=FreedomTunnel&oldid=1511"