FreedomTunnel: Difference between revisions

From My Wiki
Jump to navigation Jump to search
Newer edit →
imported>Charlesnw
Created page with "= FLOSS Single Sign On One Time Password System = == Introduction/Overview == I've wanted to do this for some time. Create a fully open source/free software based system for one..."
 
imported>Charlesnw
No edit summary
Line 135: Line 135:
** Debian
** Debian
** RedHat
** RedHat
== Source material ==
http://blog.harritronics.com/2011/06/primer-authentication-radius-kerberos.html#comment-form
http://techpubs.spinlocksolutions.com/dklar/kerberos.html
http://techpubs.spinlocksolutions.com/dklar/ldap.html
http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree

Revision as of 16:24, 8 February 2012

FLOSS Single Sign On One Time Password System

Introduction/Overview

I've wanted to do this for some time. Create a fully open source/free software based system for one time password authentication.

The idea is that I can login to a Windows/Mac/Linux system, enter a one time password (PIN number + 6 digit code), and be authenticated to everything I use that requires a password without further authentication prompts.


Desired Features of the system

  • Fully open source (all client and server pieces)
  • Runs in a highly available master/(multi)slave fashion in multiple data centers.
  • Must be seamless (login process is just username + password. Everything else is handled behind the scenes)
  • OTP generation client must support Android/Blackberry/Apple devices


User experience

  • Login to local workstation. This is a standard username/password combination. No network connectivity is required for this to function. However, if the device is connected to network already, then login system will indicate this and accept username/enhanced password (PIN+random digits). So a maximum of two logins is all that is ever required for access to any resource I control.
  • SSH to a server/network device or browse to a webapp I control and not have any login prompts.


Supported Authentication Clients

  • WPA-Enterprise 802.11 users on Windows, Mac, Linux
  • Workstation OS logins on Windows, Mac, Linux
  • VPN users (IPSEC/OpenVPN)
  • Web applications (Wordpress/MediaWiki/Status.net/Tattler/Drupal/Redmine and any other apps I use)


Project Execution phases

Centralized authentication

Setup everything on my network that takes a password (workstations/network gear/wpa/www apps etc) to talk to OpenLDAP/Kerberos/FreeRadius. This way I will have a centralized auth store with policy control etc. One password for everything. In the event I have an application that can't use SSO, I can still have a common password for it.

What do I have that is capable of talking to these back ends?

  • All Linux boxes (use Kerberos/OpenLDAP for logins)
  • All Windows boxes (use Kereros/OpenLDAP/FreeRadius for logins)
  • Web apps (most support LDAP directly, some I use the kerberos module and pam auth)
  • Cisco gear (FreeRadius)
  • Nanostation2 based wireless access points running OpenWRT (wpa2 enterprise to FreeRadius backend)

One time password system

Single sign on

Involved components

  • LDAP (this is the backend to everything else)
  • 802.1x system for wired/wireless clients (one needs to be on the network in order to access auth backend). This would be a white list of authorized mac addresses. Any network access would result in prompt for credentials
  • Kerberos (this is used for workstation logins)
  • FreeRadius (this is used by cisco gear and for wireless user authentication)
  • Clients authenticating


All the below components run on a VPS with Centos5.5. Up in the cloud (at my $dayjob which is a very large IAAS provider).

LDAP

LDAP is the back end for everything else (freeradius/kerberos serves as authentication methods for clients, talking to LDAP as authorization system). So it is key to have a working LDAP installation before doing anything else.

Followed howto at http://www.linuxmail.info/openldap-setup-howto/

  • yum install openldap-servers openldap-clients
  • base.ldif
dn: dc=knownelement,dc=com
dc: knownelement
objectClass: domain

users.ldif 

[root@kno ~]# cat users.ldif 
dn: ou=People,dc=knownelement,dc=com
ou: People
objectClass: organizationalUnit

dn: uid=charles,ou=People,dc=knownelement,dc=com
uid: charles
cn: Wyble Charles
displayName: Charles Wyble
givenName: Charles
sn: Wyble
objectClass: inetOrgPerson
userPassword: password
mail: charles@knownelement.com
[root@kno ~]#
  • ldapadd -x -D "cn=Manager,dc=knownelement,dc=com" -w secretstuff -f base.ldif
  • ldapadd -x -D "cn=Manager,dc=knownelement,dc=com" -w secretstuff -f users.ldif

Kerberos

FreeRADIUS

802.1x

Clients

Web applications

  • Tattler / Memex (drupal based applications)
  • Thinkup
  • Piwigo
  • OpenDocMan
  • Status.net
  • Wordpress
  • Redmine
  • Mediawiki
  • EyeOS
  • Thunderbird

Network gear

  • Cisco switches/routers

One howto for FreeRADIUS/LDAP and cisco gear is at http://jenniferhuber.blogspot.com/2010/07/using-open-source-radius-server-in-your.html

  • OpenWRT wireless gear

Workstations

  • Windows
  • Linux
    • Debian
    • RedHat

Source material

http://blog.harritronics.com/2011/06/primer-authentication-radius-kerberos.html#comment-form

http://techpubs.spinlocksolutions.com/dklar/kerberos.html

http://techpubs.spinlocksolutions.com/dklar/ldap.html

http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree

Retrieved from "https://commons.thefnf.net/index.php?title=FreedomTunnel&oldid=1495"