FreedomTunnel: Difference between revisions
imported>Isaac categorized |
imported>Charlesnw m moved NetworkAuthentication to FreedomTunnel: Consistency of naming |
(No difference)
| |
Revision as of 20:47, 21 April 2012
FLOSS Single Sign On One Time Password System
Short and sweet version
FreeIPA looks pretty compelling and will take care of a lot of the involved pieces (NTP/Ldap/Kerberos) in one shot.
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html
Add in radius via
http://consultancy.edvoncken.net/index.php/HOWTO_Configure_Radius_with_an_IPA_Server
and
CoSign for web sso (found at http://forums.somethingawful.com/showthread.php?threadid=3459961)
and you've got everything for single sign on / single password.
Now just need to add OTP.
Introduction/Overview
I've wanted to do this for some time. Create a fully open source/free software based system for one time password authentication.
The idea is that I can login to a Windows/Mac/Linux system, enter a one time password (PIN number + 6 digit code), and be authenticated to everything I use that requires a password without further authentication prompts.
Desired Features of the system
- Fully open source (all client and server pieces)
- Runs in a highly available master/(multi)slave fashion in multiple data centers.
- Must be seamless (login process is just username + password. Everything else is handled behind the scenes)
- OTP generation client must support Android/Blackberry/Apple devices
User experience
- Login to local workstation. This is a standard username/password combination. No network connectivity is required for this to function. However, if the device is connected to network already, then login system will indicate this and accept username/enhanced password (PIN+random digits). So a maximum of two logins is all that is ever required for access to any resource I control.
- SSH to a server/network device or browse to a webapp I control and not have any login prompts.
Supported Authentication Clients
- WPA-Enterprise 802.11 users on Windows, Mac, Linux
- Workstation OS logins on Windows, Mac, Linux
- VPN users (IPSEC/OpenVPN)
- Web applications (Wordpress/MediaWiki/Status.net/Tattler/Drupal/Redmine and any other apps I use)
Project Execution phases
Centralized authentication
Setup everything on my network that takes a password (workstations/network gear/wpa/www apps etc) to talk to OpenLDAP/Kerberos/FreeRadius. This way I will have a centralized auth store with policy control etc. One password for everything. In the event I have an application that can't use SSO, I can still have a common password for it.
What do I have that is capable of talking to these back ends?
- All Linux boxes (use Kerberos/OpenLDAP for logins)
- All Windows boxes (use Kereros/OpenLDAP/FreeRadius for logins)
- Web apps (most support LDAP directly, some I use the kerberos module and pam auth)
- Cisco gear (FreeRadius)
- Nanostation2 based wireless access points running OpenWRT (wpa2 enterprise to FreeRadius backend)
One time password system
Single sign on
Involved components
- LDAP (this is the backend to everything else)
- 802.1x system for wired/wireless clients (one needs to be on the network in order to access auth backend). This would be a white list of authorized mac addresses. Any network access would result in prompt for credentials
- Kerberos (this is used for workstation logins)
- FreeRadius (this is used by cisco gear and for wireless user authentication)
- Clients authenticating
All the below components run on a VPS with Centos5.5. Up in the cloud (at my $dayjob which is a very large IAAS provider).
LDAP
LDAP is the back end for everything else (freeradius/kerberos serves as authentication methods for clients, talking to LDAP as authorization system). So it is key to have a working LDAP installation before doing anything else.
Followed howto at http://www.linuxmail.info/openldap-setup-howto/
- yum install openldap-servers openldap-clients
- base.ldif
dn: dc=knownelement,dc=com dc: knownelement objectClass: domain
users.ldif
[root@kno ~]# cat users.ldif dn: ou=People,dc=knownelement,dc=com ou: People objectClass: organizationalUnit dn: uid=charles,ou=People,dc=knownelement,dc=com uid: charles cn: Wyble Charles displayName: Charles Wyble givenName: Charles sn: Wyble objectClass: inetOrgPerson userPassword: password mail: charles@knownelement.com [root@kno ~]#
- ldapadd -x -D "cn=Manager,dc=knownelement,dc=com" -w secretstuff -f base.ldif
- ldapadd -x -D "cn=Manager,dc=knownelement,dc=com" -w secretstuff -f users.ldif
Kerberos
- http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-kerberos.html
- http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-kerberos-clients.html
FreeRADIUS
802.1x
Clients
Web applications
- Tattler / Memex (drupal based applications)
- Thinkup
- Piwigo
- OpenDocMan
- Status.net
- Wordpress
- Redmine
- Mediawiki
- EyeOS
- Thunderbird
Network gear
- Cisco switches/routers
One howto for FreeRADIUS/LDAP and cisco gear is at http://jenniferhuber.blogspot.com/2010/07/using-open-source-radius-server-in-your.html
- OpenWRT wireless gear
Workstations
- Windows
- Linux
- Debian
- RedHat
Source material
Here are links to various howtos I referenced to put this wiki page together.
http://blog.harritronics.com/2011/06/primer-authentication-radius-kerberos.html#comment-form
http://techpubs.spinlocksolutions.com/dklar/kerberos.html
http://techpubs.spinlocksolutions.com/dklar/ldap.html
http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree
http://www.eduroamus.org/node/45
http://serverfault.com/questions/206054/how-to-integrate-radius-with-kerberos << highly relevant
Copy/paste of relevant bits
Here's how you make freeradius check a user/password combo against a Kerberos server, and authorize against your LDAP backend---stick this in your radius.conf:
modules {
krb5 {
keytab = ${confdir}/radius.keytab
service_principal = radius/radius.example.com
}
ldap {
cache = no
server = "ldap"
identity = "uid=freeradius,ou=Accounts,dc=example,dc=com"
password = secret
basedn = "dc=com"
filter = "(krbPrincipalName=%{User-Name})"
base_filter = "(objectClass=radiusprofile)"
tls {
start_tls = no
# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"
}
default_profile = "uid=freeradius,ou=Accounts,dc=example,dc=com"
profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
#groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
# set_auth_type = yes }
}
This assumes you've added the correct radius schema (ships with freeradius, IIRC) into your LDAP directory, and it should point you in the right direction---I don't do 802.1X, but I do use this config to handle other kerberos-via-radius access control scenarios, and it's been running in production for a while now. Obviously, users are logging in with their full kerberos principals (rather than just usernames).
Radius / krb integration http://wiki.freeradius.org/Rlm_krb5
http://danieljamesscott.org/index.php << various java/apache/ldap/krb resources
802.1x/radius/wifi (the whole kit and kaboodle from the looks of things:)
- http://www.readmespot.com/question/f/47815/setting-up-radius---ldap-for-wpa2-on-ubuntu
- http://vuksan.com/linux/dot1x/802-1x-LDAP.html
- http://vuksan.com/linux/LDAP_authentication_under_Linux.html
- http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html
- http://tldp.org/HOWTO/html_single/8021X-HOWTO/#confradius