|
|
| (11 intermediate revisions by 3 users not shown) |
| Line 1: |
Line 1: |
| = FLOSS Single Sign On One Time Password System =
| | FreedomTunnel is a FLOSS ("free/libre open source software") Single Sign On ("SSO") One-Time-Password System. |
|
| |
|
| == Introduction/Overview ==
| | See also [[FreedomTunnel/DeploymentNotes|DeploymentNotes]]. |
| I've wanted to do this for some time. Create a fully open source/free software based system for one time password authentication.
| |
|
| |
|
| The idea is that I can login to a Windows/Mac/Linux system, enter a one time password (PIN number + 6 digit code), and be authenticated to everything I use that requires a password without further authentication prompts.
| | == Overview == |
|
| |
|
| | The idea is that one can login to a Windows/Mac/Linux system, enter a one time password (PIN number + 6 digit code), and be authenticated to everything one can use that requires a password without further authentication prompts. |
|
| |
|
| == Desired Features of the system == | | The core will probably be FreeIPA, which looks pretty compelling and will take care of a lot of the involved pieces (NTP/Ldap/Kerberos) in one shot. See [https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html this guide]. |
| | |
| | Add in RADIUS ([http://consultancy.edvoncken.net/index.php/HOWTO_Configure_Radius_with_an_IPA_Server via]) |
| | and [http://weblogin.org/ CoSign] for web SSO (found at http://forums.somethingawful.com/showthread.php?threadid=3459961) and you've got everything for single sign on / single password. Now we just need to add OTP. |
| | |
| | == Desired Features == |
|
| |
|
| * Fully open source (all client and server pieces) | | * Fully open source (all client and server pieces) |
| Line 14: |
Line 19: |
| * OTP generation client must support Android/Blackberry/Apple devices | | * OTP generation client must support Android/Blackberry/Apple devices |
|
| |
|
| | User experience in different contexts: |
| | |
| | * Login to local workstation: this is a standard username/password combination. No network connectivity is required for this to function. However, if the device is connected to network already, then login system will indicate this and accept username/enhanced password (PIN+random digits). So a maximum of two logins is all that is ever required for access to any resource one controls. |
|
| |
|
| == User experience ==
| |
| * Login to local workstation. This is a standard username/password combination. No network connectivity is required for this to function. However, if the device is connected to network already, then login system will indicate this and accept username/enhanced password (PIN+random digits). So a maximum of two logins is all that is ever required for access to any resource I control.
| |
| * SSH to a server/network device or browse to a webapp I control and not have any login prompts. | | * SSH to a server/network device or browse to a webapp I control and not have any login prompts. |
|
| |
|
| | | Supported Authentication Clients: |
| == Supported Authentication Clients ==
| |
|
| |
|
| * WPA-Enterprise 802.11 users on Windows, Mac, Linux | | * WPA-Enterprise 802.11 users on Windows, Mac, Linux |
| * Workstation OS logins on Windows, Mac, Linux | | * Workstation OS logins on Windows, Mac, Linux |
| * VPN users (IPSEC/OpenVPN) | | * VPN users (IPSEC/OpenVPN) |
| * Web applications (Wordpress/MediaWiki/Status.net/Tattler/Drupal/Redmine and any other apps I use) | | * Web applications (Wordpress/MediaWiki/Status.net/Tattler/Drupal/Redmine and any other apps) |
| | |
| | |
| == Project Execution phases ==
| |
| | |
| === Centralized authentication ===
| |
| | |
| Setup everything on my network that takes a password (workstations/network gear/wpa/www apps etc) to talk to OpenLDAP/Kerberos/FreeRadius. This way I will have a centralized auth store with policy control etc. One password for everything. In the event I have an application that can't use SSO, I can still have a common password for it.
| |
| | |
| What do I have that is capable of talking to these back ends?
| |
| | |
| * All Linux boxes (use Kerberos/OpenLDAP for logins)
| |
| | |
| * All Windows boxes (use Kereros/OpenLDAP/FreeRadius for logins)
| |
| | |
| * Web apps (most support LDAP directly, some I use the kerberos module and pam auth)
| |
| | |
| * Cisco gear (FreeRadius)
| |
| | |
| * Nanostation2 based wireless access points running OpenWRT (wpa2 enterprise to FreeRadius backend)
| |
| | |
| === One time password system ===
| |
| | |
| === Single sign on ===
| |
| | |
| | |
| | |
| = Involved components =
| |
| | |
| * LDAP (this is the backend to everything else)
| |
| * 802.1x system for wired/wireless clients (one needs to be on the network in order to access auth backend). This would be a white list of authorized mac addresses. Any network access would result in prompt for credentials
| |
| * Kerberos (this is used for workstation logins)
| |
| * FreeRadius (this is used by cisco gear and for wireless user authentication)
| |
| * Clients authenticating
| |
| | |
| | |
| All the below components run on a VPS with Centos5.5. Up in the cloud (at my $dayjob which is a very large IAAS provider).
| |
| | |
| == LDAP ==
| |
| | |
| | |
| LDAP is the back end for everything else (freeradius/kerberos serves as authentication methods for clients, talking to LDAP as authorization system). So it is key to have a working LDAP installation before doing anything else.
| |
| | |
| Followed howto at http://www.linuxmail.info/openldap-setup-howto/
| |
| | |
| * yum install openldap-servers openldap-clients
| |
| * base.ldif
| |
| <pre>
| |
| dn: dc=knownelement,dc=com
| |
| dc: knownelement
| |
| objectClass: domain
| |
| </pre>
| |
| | |
| users.ldif
| |
| <pre>
| |
| [root@kno ~]# cat users.ldif
| |
| dn: ou=People,dc=knownelement,dc=com
| |
| ou: People
| |
| objectClass: organizationalUnit
| |
| | |
| dn: uid=charles,ou=People,dc=knownelement,dc=com
| |
| uid: charles
| |
| cn: Wyble Charles
| |
| displayName: Charles Wyble
| |
| givenName: Charles
| |
| sn: Wyble
| |
| objectClass: inetOrgPerson
| |
| userPassword: password
| |
| mail: charles@knownelement.com
| |
| [root@kno ~]#
| |
| </pre>
| |
| | |
| * ldapadd -x -D "cn=Manager,dc=knownelement,dc=com" -w secretstuff -f base.ldif
| |
| * ldapadd -x -D "cn=Manager,dc=knownelement,dc=com" -w secretstuff -f users.ldif
| |
| | |
| == Kerberos ==
| |
| | |
| * http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-kerberos.html
| |
| * http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-kerberos-clients.html
| |
| | |
| == FreeRADIUS ==
| |
| | |
| == 802.1x ==
| |
| | |
| == Clients ==
| |
| | |
| === Web applications ===
| |
| | |
| * Tattler / Memex (drupal based applications)
| |
| * Thinkup
| |
| * Piwigo
| |
| * OpenDocMan
| |
| * Status.net
| |
| * Wordpress
| |
| * Redmine
| |
| * Mediawiki
| |
| * EyeOS
| |
| * Thunderbird
| |
| | |
| === Network gear ===
| |
| * Cisco switches/routers
| |
| One howto for FreeRADIUS/LDAP and cisco gear is at http://jenniferhuber.blogspot.com/2010/07/using-open-source-radius-server-in-your.html
| |
| | |
| * OpenWRT wireless gear
| |
| | |
| === Workstations ===
| |
| * Windows
| |
| * Linux
| |
| ** Debian
| |
| ** RedHat
| |
| | |
| = Source material =
| |
| | |
| Here are links to various howtos I referenced to put this wiki page together.
| |
| | |
| http://blog.harritronics.com/2011/06/primer-authentication-radius-kerberos.html#comment-form
| |
| | |
| http://techpubs.spinlocksolutions.com/dklar/kerberos.html
| |
| | |
| http://techpubs.spinlocksolutions.com/dklar/ldap.html
| |
| | |
| http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree
| |
| | |
| http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
| |
| | |
| http://www.eduroamus.org/node/45
| |
| | |
| http://serverfault.com/questions/206054/how-to-integrate-radius-with-kerberos << highly relevant
| |
| | |
| Copy/paste of relevant bits
| |
| | |
| | |
| Here's how you make freeradius check a user/password combo against a Kerberos server, and authorize against your LDAP backend---stick this in your radius.conf:
| |
| | |
| modules {
| |
| krb5 {
| |
| keytab = ${confdir}/radius.keytab
| |
| service_principal = radius/radius.example.com
| |
| }
| |
| | |
| ldap {
| |
| cache = no
| |
| server = "ldap"
| |
| identity = "uid=freeradius,ou=Accounts,dc=example,dc=com"
| |
| password = secret
| |
| basedn = "dc=com"
| |
| filter = "(krbPrincipalName=%{User-Name})"
| |
| base_filter = "(objectClass=radiusprofile)"
| |
| | |
| tls {
| |
| start_tls = no
| |
| # tls_cacertfile = /path/to/cacert.pem
| |
| # tls_cacertdir = /path/to/ca/dir/
| |
| # tls_certfile = /path/to/radius.crt
| |
| # tls_keyfile = /path/to/radius.key
| |
| # tls_randfile = /path/to/rnd
| |
| # tls_require_cert = "demand"
| |
| }
| |
| | |
| default_profile = "uid=freeradius,ou=Accounts,dc=example,dc=com"
| |
| profile_attribute = "radiusProfileDn"
| |
| access_attr = "dialupAccess"
| |
| | |
| dictionary_mapping = ${raddbdir}/ldap.attrmap
| |
|
| |
|
| ldap_connections_number = 5
| |
|
| |
|
| groupname_attribute = cn
| | == More Resources == |
| groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
| |
| #groupmembership_attribute = radiusGroupName
| |
| timeout = 4
| |
| timelimit = 3
| |
| net_timeout = 1
| |
| # compare_check_items = yes
| |
| # do_xlat = yes
| |
| # access_attr_used_for_allow = yes
| |
|
| |
|
| # set_auth_type = yes
| | * [[FreedomTunnel/DeploymentNotes]] |
| }
| | * [http://chili.freenetworkfoundation.org/projects/freedomtunnel Chili project page] |
| }
| |
|
| |
|
| This assumes you've added the correct radius schema (ships with freeradius, IIRC) into your LDAP directory, and it should point you in the right direction---I don't do 802.1X, but I do use this config to handle other kerberos-via-radius access control scenarios, and it's been running in production for a while now. Obviously, users are logging in with their full kerberos principals (rather than just usernames).
| | {{FNFProject}} |
FreedomTunnel is a FLOSS ("free/libre open source software") Single Sign On ("SSO") One-Time-Password System.
See also DeploymentNotes.
Overview
The idea is that one can login to a Windows/Mac/Linux system, enter a one time password (PIN number + 6 digit code), and be authenticated to everything one can use that requires a password without further authentication prompts.
The core will probably be FreeIPA, which looks pretty compelling and will take care of a lot of the involved pieces (NTP/Ldap/Kerberos) in one shot. See this guide.
Add in RADIUS (via)
and CoSign for web SSO (found at http://forums.somethingawful.com/showthread.php?threadid=3459961) and you've got everything for single sign on / single password. Now we just need to add OTP.
Desired Features
- Fully open source (all client and server pieces)
- Runs in a highly available master/(multi)slave fashion in multiple data centers.
- Must be seamless (login process is just username + password. Everything else is handled behind the scenes)
- OTP generation client must support Android/Blackberry/Apple devices
User experience in different contexts:
- Login to local workstation: this is a standard username/password combination. No network connectivity is required for this to function. However, if the device is connected to network already, then login system will indicate this and accept username/enhanced password (PIN+random digits). So a maximum of two logins is all that is ever required for access to any resource one controls.
- SSH to a server/network device or browse to a webapp I control and not have any login prompts.
Supported Authentication Clients:
- WPA-Enterprise 802.11 users on Windows, Mac, Linux
- Workstation OS logins on Windows, Mac, Linux
- VPN users (IPSEC/OpenVPN)
- Web applications (Wordpress/MediaWiki/Status.net/Tattler/Drupal/Redmine and any other apps)
More Resources