FreedomTunnel
FreedomTunnel is a FLOSS ("free/libre open source software") Single Sign On ("SSO") One-Time-Password System.
See also DeploymentNodes.
Overview
The idea is that one can log in to a Windows/Mac/Linux system, enter a one-time password (PIN + 6-digit code), and be authenticated to everything one can use that requires a password, without further authentication prompts.
The core will probably be FreeIPA, which looks pretty compelling and will take care of a lot of the involved pieces (NTP/LDAP/Kerberos) in one shot. See this guide.
Add in RADIUS (via) and CoSign for web SSO (found at http://forums.somethingawful.com/showthread.php?threadid=3459961) and you've got everything for single sign on / single password. Now we just need to add OTP.
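A sketch of the server-side check for the "PIN + 6-digit code" password described above, added here as an example and not FreedomTunnel code. The page does not name an OTP algorithm, so this assumes time-based codes per RFC 6238 (HMAC-SHA1, 30-second step) with the PIN as a prefix; `OtpVerifier`, `hash_pin` and the sample values are hypothetical.

```python
import hashlib, hmac, struct, time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Store only a salted, stretched hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class OtpVerifier:
    """Hypothetical per-user verifier for a 'PIN + 6-digit code' password."""
    def __init__(self, secret: bytes, pin: str, salt: bytes, step=30, window=1):
        self.secret, self.salt = secret, salt
        self.pin_hash = hash_pin(pin, salt)
        self.step, self.window = step, window
        self.last_counter = -1          # highest time step already consumed

    def verify(self, password: str, now=None) -> bool:
        now = time.time() if now is None else now
        pin, code = password[:-6], password[-6:]
        if not pin or len(code) != 6 or not (code.isascii() and code.isdigit()):
            return False
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        current = int(now) // self.step
        matched = None
        # Accept small clock drift, but never a step at or before the last one used.
        for c in range(current - self.window, current + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                matched = c
        if pin_ok and matched is not None:
            self.last_counter = matched  # burn the code so it cannot be replayed
            return True
        return False

# Constructed sample values: RFC 4226 test secret, made-up PIN and salt.
SECRET, PIN, SALT = b"12345678901234567890", "4821", b"constructed-salt"

if __name__ == "__main__":
    v = OtpVerifier(SECRET, PIN, SALT)
    print(v.verify(PIN + hotp(SECRET, 1), now=59))   # first use
    print(v.verify(PIN + hotp(SECRET, 1), now=59))   # replay of the same code
```

In the master/multi-slave deployment listed under Desired Features, `last_counter` would have to be replicated between servers, otherwise a code consumed at one site could be replayed at another within its validity window.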
Desired Features
- Fully open source (all client and server pieces)
- Runs in a highly available master/(multi)slave fashion in multiple data centers.
- Must be seamless (login process is just username + password. Everything else is handled behind the scenes)
- OTP generation client must support Android/Blackberry/Apple devices
User experience in different contexts:
- Login to local workstation: this is a standard username/password combination. No network connectivity is required for this to function. However, if the device is already connected to the network, the login system will indicate this and accept a username/enhanced password (PIN+random digits). So a maximum of two logins is all that is ever required for access to any resource one controls.
- SSH to a server/network device or browse to a webapp I control without any login prompts.
Supported Authentication Clients:
- WPA-Enterprise 802.11 users on Windows, Mac, Linux
- Workstation OS logins on Windows, Mac, Linux
- VPN users (IPSEC/OpenVPN)
- Web applications (WordPress/MediaWiki/Status.net/Tattler/Drupal/Redmine and any other apps)