Re: [Freeipa-users] FreeIPA and Application Specific Passwords
On 19/02/15 02:06, Jan Pazdziora wrote:
> On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:
>> Except where we don't want single sign-on, and separate passwords are advantageous or even required:
>> - Web logins
>
> Could you elaborate on the use cases when you'd want your users to log in using their passwords on a Web login, instead of using SSO, be it Kerberos or SAML? Is that purely the application not supporting it or are there some other reasons (you say "we don't want single sign-on", which sounds like a political or compliance issue, not a technical one).

Hi, thanks for your response.

It seems to be related to a compliance issue. We need to be PCI compliant as some of our systems handle credit card data. We already use two-factor auth for VPNs using Duo, but it seems management would like to store VPN passwords in our FreeIPA directory but have it be a separate and different password to the usual login password.

Anyway, I guess we will figure out a technical solution that works for us.

Thanks,
Martin.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA and Application Specific Passwords
On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:
> Except where we don't want single sign-on, and separate passwords are advantageous or even required:
> - Web logins

Could you elaborate on the use cases when you'd want your users to log in using their passwords on a Web login, instead of using SSO, be it Kerberos or SAML? Is that purely the application not supporting it or are there some other reasons (you say "we don't want single sign-on", which sounds like a political or compliance issue, not a technical one).

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] FreeIPA and Application Specific Passwords
On 19.2.2015 02:47, Steven Jones wrote:
> Hi,
>
> There is always a tradeoff between ease of use, complexity/cost and security.
>
> Looking at what you have written suggests to me that your entire system lacks a proper security / network architecture model and you are trying to enforce a policy from one point, IPA.
>
> regards
>
> Steven
>
> From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on behalf of Martin Minkus martin.min...@sonic.com
> Sent: Thursday, 19 February 2015 1:06 p.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] FreeIPA and Application Specific Passwords
>
> Hello all,
>
> Am wondering what support FreeIPA has for Application Specific Passwords? My research seems to indicate 'none'.
>
> I've seen quite a few people ask about this; usually the example is wanting a separate password for dovecot etc. Google itself implemented this, allowing multiple passwords for IMAP accounts in Gmail so that a stolen phone or iPad doesn't give the thief complete, unfettered access to the entire Google account. The single password can be easily changed or locked out, and even if it is not, it only has access to email.
>
> I work for an organisation and we are looking at standardising on FreeIPA for all our single sign-on and auth requirements. Except where we don't want single sign-on, and separate passwords are advantageous or even required:
>
> - Web logins

If I understand correctly, your biggest worry is that somebody will steal user credentials via a web form, right?

IMHO the best option is to get rid of passwords in web apps completely and use true single sign-on. The simplest thing may be just to use mod_auth_kerb and put the application behind Kerberos, but more complex/flexible/fancy approaches are possible too, see
http://www.freeipa.org/page/Web_App_Authentication

This is 'The Approach' we are trying to pursue in the FreeIPA project - authenticate only once (when logging in to a machine) and never type a password again. This allows you to use two-factor authentication without apps knowing about it etc.

The alternative is to use SAML/OpenID/other web technology to tie web apps to a web-based authentication portal which may allow SSO from Kerberos (without mod_auth_kerb) or to simply have a single trusted place to log in from a web form.

I hope Jan or Simo can correct my misunderstandings and add more details.

Have a nice day!

Petr^2 Spacek

> - VPN logins
> - TACACS
>
> I'm assuming it's somewhat understandable to want to keep web logins separate - web sites are notoriously insecure, and we wouldn't want an employee's web login getting stolen/phished/etc. giving an attacker VPN access, Kerberos/LDAP access to all our Linux servers, and TACACS access to network infrastructure.
>
> The solution I've seen suggested to others that have asked about FreeIPA or OpenLDAP and Application Specific Passwords seems to be: just create a separate user login for each application. Messy, but sure.
>
> I also see we could extend the schema and add in extra fields like webPassword and vpnPassword, but we'd have to maintain those fields / enforce complexity and length requirements / password expiry ourselves, which is less than ideal.
>
> Or the final option might just be to run separate LDAP instances for each application, so the username stays the same, group membership is application specific in each LDAP instance, and it gives us the password separation we desire. Also, most users don't need TACACS access or VPN access, though most (all) users will need web application access.
>
> Anyway. I'm wondering if there are any other potential options that I have missed? Or some better way we should be going about this?
>
> Yeah, we should probably trust our employees with their passwords more but apparently that is not the case.
>
> Thanks,
> Martin.

--
Petr^2 Spacek
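As an added example (not from this thread or the FreeIPA project), the "put the application behind Kerberos" approach Petr describes, expressed as an Apache mod_auth_kerb configuration: the weaker variant keeps a password fallback on, so the user's real directory password still reaches the web server, while the hardened variant accepts only Negotiate. Realm, keytab path and URL paths are placeholders.

```apache
# Added example, not from the thread or the FreeIPA project. Realm, keytab
# path and URL paths are placeholders.

# Weaker variant: Negotiate with a password fallback. With KrbMethodK5Passwd
# on, the module offers Basic auth to clients that cannot do Negotiate, so
# the user's real IPA password is transmitted to and handled by the web
# server, which is exactly the exposure the original post worries about.
<Location /app-with-fallback>
    AuthType Kerberos
    AuthName "Example App"
    KrbAuthRealms EXAMPLE.TEST
    Krb5KeyTab /etc/httpd/conf/http.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    Require valid-user
</Location>

# Hardened variant: Negotiate only. The browser presents a service ticket
# obtained from the user's existing login; no password is ever typed into,
# or received by, the web application, so a second-factor check done at
# login time covers the app without the app knowing about it. Clients
# without a ticket get a 401 instead of a password prompt; route those to
# SAML (mod_auth_mellon / Ipsilon, as mentioned later in the thread) rather
# than re-enabling the fallback.
<Location /app>
    AuthType Kerberos
    AuthName "Example App"
    KrbAuthRealms EXAMPLE.TEST
    Krb5KeyTab /etc/httpd/conf/http.keytab
    KrbServiceName HTTP
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    # Do not write delegated credentials to a cache on the web server
    # unless the application really needs to act on the user's behalf.
    KrbSaveCredentials off
    # Do not fall through to other auth modules when Negotiate fails.
    KrbAuthoritative on
    Require valid-user
</Location>
```

Newer FreeIPA guidance uses mod_auth_gssapi in place of mod_auth_kerb; the Negotiate-only principle carries over unchanged.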
Re: [Freeipa-users] FreeIPA and Application Specific Passwords
On 02/19/2015 01:06 AM, Martin Minkus wrote:
> Hello all,
>
> Am wondering what support FreeIPA has for Application Specific Passwords? My research seems to indicate 'none'.
>
> I've seen quite a few people ask about this; usually the example is wanting a separate password for dovecot etc. Google itself implemented this, allowing multiple passwords for IMAP accounts in Gmail so that a stolen phone or iPad doesn't give the thief complete, unfettered access to the entire Google account. The single password can be easily changed or locked out, and even if it is not, it only has access to email.
>
> I work for an organisation and we are looking at standardising on FreeIPA for all our single sign-on and auth requirements. Except where we don't want single sign-on, and separate passwords are advantageous or even required:
>
> - Web logins
> - VPN logins
> - TACACS
>
> I'm assuming it's somewhat understandable to want to keep web logins separate - web sites are notoriously insecure, and we wouldn't want an employee's web login getting stolen/phished/etc. giving an attacker VPN access, Kerberos/LDAP access to all our Linux servers, and TACACS access to network infrastructure.

I am not sure what exactly the fear is here. If the FreeIPA Web Authentication modules are used (http://www.freeipa.org/page/Web_App_Authentication), the user credentials are not stored on the web server; they go straight to SSSD, where the user gets authenticated to the remote LDAP (FreeIPA/AD).

Alternatively, you could also set up SAML with mod_auth_mellon and Ipsilon to get a federated login where the web app would never get to the actual password.

> The solution I've seen suggested to others that have asked about FreeIPA or OpenLDAP and Application Specific Passwords seems to be: just create a separate user login for each application. Messy, but sure.
>
> I also see we could extend the schema and add in extra fields like webPassword and vpnPassword, but we'd have to maintain those fields / enforce complexity and length requirements / password expiry ourselves, which is less than ideal.
>
> Or the final option might just be to run separate LDAP instances for each application, so the username stays the same, group membership is application specific in each LDAP instance, and it gives us the password separation we desire. Also, most users don't need TACACS access or VPN access, though most (all) users will need web application access.
>
> Anyway. I'm wondering if there are any other potential options that I have missed? Or some better way we should be going about this?
>
> Yeah, we should probably trust our employees with their passwords more but apparently that is not the case.
>
> Thanks,
> Martin.

I think we have exactly this request tracked:
https://fedorahosted.org/freeipa/ticket/4510

It already contains a long discussion on the topic with some ideas. We still miss the horsepower to actually add support for it, though.

Martin
Re: [Freeipa-users] FreeIPA and Application Specific Passwords
On 02/19/2015 05:23 PM, Dmitri Pal wrote:
> On 02/19/2015 05:06 AM, Jan Pazdziora wrote:
>> On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:
>>> Except where we don't want single sign-on, and separate passwords are advantageous or even required:
>>> - Web logins
>>
>> Could you elaborate on the use cases when you'd want your users to log in using their passwords on a Web login, instead of using SSO, be it Kerberos or SAML? Is that purely the application not supporting it or are there some other reasons (you say "we don't want single sign-on", which sounds like a political or compliance issue, not a technical one).
>
> IMO the case is: I have a phone and a tablet and a laptop. I do not want to use one password for all three. On the phone and tablet people save their passwords, so I do not want to have the same password cached on all devices. I want to have a password per device.
>
> IMO the way to go is certs rather than passwords.

Certs would certainly help in this case. However, the UX would need to be really good in order to beat saved passwords in Gmail style, IMO.

> We are not there yet but with upcoming changes we will get much closer.
Re: [Freeipa-users] FreeIPA and Application Specific Passwords
On 02/19/2015 11:29 AM, Martin Kosek wrote:
> On 02/19/2015 05:23 PM, Dmitri Pal wrote:
>> On 02/19/2015 05:06 AM, Jan Pazdziora wrote:
>>> On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:
>>>> Except where we don't want single sign-on, and separate passwords are advantageous or even required:
>>>> - Web logins
>>>
>>> Could you elaborate on the use cases when you'd want your users to log in using their passwords on a Web login, instead of using SSO, be it Kerberos or SAML? Is that purely the application not supporting it or are there some other reasons (you say "we don't want single sign-on", which sounds like a political or compliance issue, not a technical one).
>>
>> IMO the case is: I have a phone and a tablet and a laptop. I do not want to use one password for all three. On the phone and tablet people save their passwords, so I do not want to have the same password cached on all devices. I want to have a password per device.
>>
>> IMO the way to go is certs rather than passwords.
>
> Certs would certainly help in this case. However, the UX would need to be really good in order to beat saved passwords in Gmail style, IMO.

I imagine Ipsilon-based SSO, where Ipsilon can make a decision about which assertions to issue depending on the cert you have.

>> We are not there yet but with upcoming changes we will get much closer.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] FreeIPA and Application Specific Passwords
On 02/19/2015 05:06 AM, Jan Pazdziora wrote:
> On Wed, Feb 18, 2015 at 04:06:39PM -0800, Martin Minkus wrote:
>> Except where we don't want single sign-on, and separate passwords are advantageous or even required:
>> - Web logins
>
> Could you elaborate on the use cases when you'd want your users to log in using their passwords on a Web login, instead of using SSO, be it Kerberos or SAML? Is that purely the application not supporting it or are there some other reasons (you say "we don't want single sign-on", which sounds like a political or compliance issue, not a technical one).

IMO the case is: I have a phone and a tablet and a laptop. I do not want to use one password for all three. On the phone and tablet people save their passwords, so I do not want to have the same password cached on all devices. I want to have a password per device.

IMO the way to go is certs rather than passwords. We are not there yet but with upcoming changes we will get much closer.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] FreeIPA and Application Specific Passwords
Hi,

There is always a tradeoff between ease of use, complexity/cost and security.

Looking at what you have written suggests to me that your entire system lacks a proper security / network architecture model and you are trying to enforce a policy from one point, IPA.

regards

Steven

From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on behalf of Martin Minkus martin.min...@sonic.com
Sent: Thursday, 19 February 2015 1:06 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA and Application Specific Passwords

Hello all,

Am wondering what support FreeIPA has for Application Specific Passwords? My research seems to indicate 'none'.

I've seen quite a few people ask about this; usually the example is wanting a separate password for dovecot etc. Google itself implemented this, allowing multiple passwords for IMAP accounts in Gmail so that a stolen phone or iPad doesn't give the thief complete, unfettered access to the entire Google account. The single password can be easily changed or locked out, and even if it is not, it only has access to email.

I work for an organisation and we are looking at standardising on FreeIPA for all our single sign-on and auth requirements. Except where we don't want single sign-on, and separate passwords are advantageous or even required:

- Web logins
- VPN logins
- TACACS

I'm assuming it's somewhat understandable to want to keep web logins separate - web sites are notoriously insecure, and we wouldn't want an employee's web login getting stolen/phished/etc. giving an attacker VPN access, Kerberos/LDAP access to all our Linux servers, and TACACS access to network infrastructure.

The solution I've seen suggested to others that have asked about FreeIPA or OpenLDAP and Application Specific Passwords seems to be: just create a separate user login for each application. Messy, but sure.

I also see we could extend the schema and add in extra fields like webPassword and vpnPassword, but we'd have to maintain those fields / enforce complexity and length requirements / password expiry ourselves, which is less than ideal.

Or the final option might just be to run separate LDAP instances for each application, so the username stays the same, group membership is application specific in each LDAP instance, and it gives us the password separation we desire. Also, most users don't need TACACS access or VPN access, though most (all) users will need web application access.

Anyway. I'm wondering if there are any other potential options that I have missed? Or some better way we should be going about this?

Yeah, we should probably trust our employees with their passwords more but apparently that is not the case.

Thanks,
Martin.
[Freeipa-users] FreeIPA and Application Specific Passwords
Hello all,

Am wondering what support FreeIPA has for Application Specific Passwords? My research seems to indicate 'none'.

I've seen quite a few people ask about this; usually the example is wanting a separate password for dovecot etc. Google itself implemented this, allowing multiple passwords for IMAP accounts in Gmail so that a stolen phone or iPad doesn't give the thief complete, unfettered access to the entire Google account. The single password can be easily changed or locked out, and even if it is not, it only has access to email.

I work for an organisation and we are looking at standardising on FreeIPA for all our single sign-on and auth requirements. Except where we don't want single sign-on, and separate passwords are advantageous or even required:

- Web logins
- VPN logins
- TACACS

I'm assuming it's somewhat understandable to want to keep web logins separate - web sites are notoriously insecure, and we wouldn't want an employee's web login getting stolen/phished/etc. giving an attacker VPN access, Kerberos/LDAP access to all our Linux servers, and TACACS access to network infrastructure.

The solution I've seen suggested to others that have asked about FreeIPA or OpenLDAP and Application Specific Passwords seems to be: just create a separate user login for each application. Messy, but sure.

I also see we could extend the schema and add in extra fields like webPassword and vpnPassword, but we'd have to maintain those fields / enforce complexity and length requirements / password expiry ourselves, which is less than ideal.

Or the final option might just be to run separate LDAP instances for each application, so the username stays the same, group membership is application specific in each LDAP instance, and it gives us the password separation we desire. Also, most users don't need TACACS access or VPN access, though most (all) users will need web application access.

Anyway. I'm wondering if there are any other potential options that I have missed? Or some better way we should be going about this?

Yeah, we should probably trust our employees with their passwords more but apparently that is not the case.

Thanks,
Martin.