[Freeipa-users] Using Native OTP for auth from specific hosts

2014-08-11 Thread Michael Lasevich
Ok, I am trying to figure out how to use native OTP capabilities in
FreeIPA4 to authenticate users but I am not finding enough docs on how to
USE OTP.

Specifically I would like to force OTP authentication on specific servers
while allowing password auth in other cases. As I understand
authentication, you can either select OTP or password or both
authentications, but if you select both, the user can use password instead
of otp from ANY server.

Is there any way to block password auth based on source (HBAC rules?) So
far the only way I can figure out is to create a second account, which is
less than optimal.

Thanks,

-M
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Using Native OTP for auth from specific hosts

2014-08-11 Thread Alexander Bokovoy

On Mon, 11 Aug 2014, Michael Lasevich wrote:

Ok, I am trying to figure out how to use native OTP capabilities in
FreeIPA4 to authenticate users but I am not finding enough docs on how to
USE OTP.

Specifically I would like to force OTP authentication on specific servers
while allowing password auth in other cases. As I understand
authentication, you can either select OTP or password or both
authentications, but if you select both, the user can use password instead
of otp from ANY server.

That is correct.


Is there any way to block password auth based on source (HBAC rules?) So
far the only way I can figure out is to create a second account, which is
less than optimal.

No, this functionality is not supported. One particular issue is that
we'll need to authenticate before applying HBAC rules, not after, so
some other means to validate the request chain are needed.

Additionally, Kerberos authentication requires you to enter your credentials
only when obtaining a ticket granting ticket (TGT), which happens before
a client will ask for a ticket to a specific service. Also, renewing the
ticket might be possible without the original credentials. Perhaps we could
add a flag into the TGT that would tell how strong the credentials were (how
many factors were in use) when the TGT was obtained and then use it in a
policy to see if a ticket to the target service principal could be
granted.

It is worth filing an RFE, anyway.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Using Native OTP for auth from specific hosts

2014-08-11 Thread Michael Lasevich
Thanks for the quick response; further questions inline.


On Mon, Aug 11, 2014 at 11:49 AM, Alexander Bokovoy aboko...@redhat.com
wrote:

 On Mon, 11 Aug 2014, Michael Lasevich wrote:

 Ok, I am trying to figure out how to use native OTP capabilities in
 FreeIPA4 to authenticate users but I am not finding enough docs on how to
 USE OTP.

 Specifically I would like to force OTP authentication on specific servers
 while allowing password auth in other cases. As I understand
 authentication, you can either select OTP or password or both
 authentications, but if you select both, the user can use password instead
 of otp from ANY server.

 That is correct.


So, it is NOT intended to be used for border-style 2FA authentication (i.e.
VPN), which seems like it may be a common use case for 2FA?



  Is there any way to block password auth based on source (HBAC rules?) So
 far the only way I can figure out is to create a second account, which is
 less than optimal.

 No, this functionality is not supported. One particular issue is that
 we'll need to authenticate before applying HBAC rules, not after, so
 some other means to validate the request chain are needed.


 Additionally, Kerberos authentication requires you to enter your credentials
 only when obtaining a ticket granting ticket (TGT), which happens before
 a client will ask for a ticket to a specific service. Also, renewing the
 ticket might be possible without the original credentials. Perhaps we could
 add a flag into the TGT that would tell how strong the credentials were (how
 many factors were in use) when the TGT was obtained and then use it in a
 policy to see if a ticket to the target service principal could be
 granted.


I think I understand - HBAC has no way to know how you authenticated, so
you cannot make rules based on that?

Is there a way to test OTP token auth while bypassing kerberos? For
example, you can validate user's password via a LDAP login, - can you do a
similar validation of OTP token directly?

Thanks,

-M

Re: [Freeipa-users] Using Native OTP for auth from specific hosts

2014-08-11 Thread Alexander Bokovoy

On Mon, 11 Aug 2014, Michael Lasevich wrote:

So, it is NOT intended to use for border-style 2FA authentication (i.e.
VPN) - which seems may be a common use case for 2FA?

You can always supplement the authentication check with some host-specific
information at the VPN concentrator. We don't have a ready-to-use solution
here, but it is definitely possible to use such a scheme against FreeIPA
2FA.


Is there any way to block password auth based on source (HBAC rules?) So
far the only way I can figure out is to create a second account, which is
less than optimal.


No, this functionality is not supported. One particular issue is that
we'll need to authenticate before applying HBAC rules, not after, so
some other means to validate the request chain are needed.




Additionally, Kerberos authentication requires you to enter your credentials
only when obtaining a ticket granting ticket (TGT), which happens before
a client will ask for a ticket to a specific service. Also, renewing the
ticket might be possible without the original credentials. Perhaps we could
add a flag into the TGT that would tell how strong the credentials were (how
many factors were in use) when the TGT was obtained and then use it in a
policy to see if a ticket to the target service principal could be
granted.



I think I understand -  HBAC has no way to know how you authenticated - so
you cannot make rules based on that?

Yes, these are different stages in the PAM stack and unless all modules
are cooperating you have no means to get them in accord.


Is there a way to test OTP token auth while bypassing kerberos? For
example, you can validate user's password via a LDAP login, - can you do a
similar validation of OTP token directly?

Just try to bind to LDAP, it will work the same way regardless whether
you are using a password or 2FA -- if only 2FA is enabled, only 2FA
login will be accepted over LDAP bind.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Using Native OTP for auth from specific hosts

2014-08-11 Thread Michael Lasevich
On Mon, Aug 11, 2014 at 12:30 PM, Alexander Bokovoy aboko...@redhat.com
wrote:

 On Mon, 11 Aug 2014, Michael Lasevich wrote:

 So, it is NOT intended to use for border-style 2FA authentication (i.e.
 VPN) - which seems may be a common use case for 2FA?

 You can always supplement the authentication check with some host-specific
 information at the VPN concentrator. We don't have a ready-to-use solution
 here, but it is definitely possible to use such a scheme against FreeIPA
 2FA.


Sorry, I am not following.  What do you mean by host-specific
information? If system has no way to detect how many factors were involved
in authentication, how would I be able to guarantee that only 2FA is
allowed via this box?

I suppose this can work: I can write code that will:

1 - detects if there are OTP numbers at the end of the password
2 - authenticates using full 2FA
3 - authenticates using just password without 2FA

And then authenticate only if all 3 conditions are satisfied. Seems a bit
hacky, but that is the only way I can think that may work.

Alternative is to set up 2 users for each actual user, one for border and
one for internal auth. Force 2fa on border user.  Only allow border users
on border boxes.

Am I missing anything?

-M


 --
 / Alexander Bokovoy


Re: [Freeipa-users] Using Native OTP for auth from specific hosts

2014-08-11 Thread Alexander Bokovoy

On Mon, 11 Aug 2014, Michael Lasevich wrote:

On Mon, Aug 11, 2014 at 12:30 PM, Alexander Bokovoy aboko...@redhat.com
wrote:


On Mon, 11 Aug 2014, Michael Lasevich wrote:


So, it is NOT intended to use for border-style 2FA authentication (i.e.
VPN) - which seems may be a common use case for 2FA?


You can always supplement the authentication check with some host-specific
information at the VPN concentrator. We don't have a ready-to-use solution
here, but it is definitely possible to use such a scheme against FreeIPA
2FA.



Sorry, I am not following.  What do you mean by host-specific
information? If system has no way to detect how many factors were involved
in authentication, how would I be able to guarantee that only 2FA is
allowed via this box?

I suppose this can work: I can write code that will:

1 - detects if there are OTP numbers at the end of the password
2 - authenticates using full 2FA
3 - authenticates using just password without 2FA

And then authenticate only if all 3 conditions are satisfied. Seems a bit
hacky, but that is the only way I can think that may work.
2 and 3 are the same from IPA's point of view, just an LDAP bind.
Ideally SSSD could handle this as part of a PAM stack by providing PAM
feedback that could be used by other modules. There was no request for
this functionality before.

However, I was mostly thinking that you may have an authentication
sequence where, after a successful auth, you would check the tokens associated
with the user to see if there is a recent update within the same time
period on one of the tokens. This would work right now, though it is a bit of a
hack -- a better one than the 2-accounts-per-user.

--
/ Alexander Bokovoy

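The two "hacks" discussed above (Michael's triple check: OTP suffix present, password+OTP binds, bare password also binds; and Alexander's alternative of binding and then looking for a token updated in the current time step) can both be built on the plain LDAP simple bind that Alexander points to, since IPA accepts password+OTP concatenated as the bind credential. The following is an added example written for this page, not code from the thread, FreeIPA or SSSD. It assumes 6-digit TOTP tokens with a 30-second step, users that have both the password and otp auth types enabled (the scenario in the thread), the standard FreeIPA user DN layout uid=<user>,cn=users,cn=accounts,<base>, python-ldap for the real bind, and that the gate can read the token's last accepted step (which FreeIPA keeps in ipatokenTOTPwatermark; the exact read path is an assumption). FakeIPA is a constructed stand-in so the example runs offline; it also models IPA's refusal to accept the same OTP twice.

```python
import hashlib
import hmac
import struct
from typing import Callable, Dict, Optional, Tuple

OTP_DIGITS = 6   # assumed token format: 6-digit TOTP
TOTP_STEP = 30   # with a 30-second step

BindFn = Callable[[str, str], bool]


def totp(key: bytes, step: int, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP value for one time step (HMAC-SHA1 dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def split_credential(secret: str) -> Optional[Tuple[str, str]]:
    """Condition 1: the string must end in OTP_DIGITS digits.
    Returns (password, otp), or None when there is no OTP suffix to check."""
    if len(secret) <= OTP_DIGITS or not secret[-OTP_DIGITS:].isdigit():
        return None
    return secret[:-OTP_DIGITS], secret[-OTP_DIGITS:]


def border_auth(bind: BindFn, user: str, secret: str) -> bool:
    """Conditions 2 and 3: both password+OTP and the bare password must bind.
    The second bind proves the prefix is the real password, so a password that
    merely ends in six digits is not mistaken for password+OTP. Only works for
    users with both 'password' and 'otp' enabled; an OTP-only user would fail
    the bare-password bind and be rejected here."""
    parts = split_credential(secret)
    if parts is None:
        return False
    password, _otp = parts
    if not bind(user, secret):
        return False
    return bind(user, password)


def watermark_auth(bind: BindFn, watermark_of: Callable[[str], Optional[int]],
                   user: str, secret: str, now: int) -> bool:
    """Alternative: bind, then accept only if one of the user's tokens was
    advanced in the current time step. watermark_of is assumed to return the
    last accepted step (ipatokenTOTPwatermark, read with a privileged bind).
    Weakness: a bare-password bind in the same step as a real OTP login passes."""
    if not bind(user, secret):
        return False
    used = watermark_of(user)
    return used is not None and used == now // TOTP_STEP


def ipa_ldap_bind(uri: str, base_dn: str) -> BindFn:
    """Bind function for a real server via python-ldap (assumed installed; not
    exercised offline). Use ldaps://, since the OTP travels inside the bind."""
    def bind(uid: str, secret: str) -> bool:
        import ldap  # python-ldap
        conn = ldap.initialize(uri)
        try:
            conn.simple_bind_s(f"uid={uid},cn=users,cn=accounts,{base_dn}", secret)
            return True
        except ldap.INVALID_CREDENTIALS:
            return False
        finally:
            conn.unbind_s()
    return bind


class FakeIPA:
    """Constructed stand-in for the IPA directory so the example runs offline.
    With both auth types enabled, the password alone or password+OTP binds;
    an OTP is accepted once per step (the watermark advances, replays fail)."""

    def __init__(self, now: int) -> None:
        self.now = now
        self.users: Dict[str, dict] = {}

    def add_user(self, uid: str, password: str, key: bytes,
                 auth_types: Tuple[str, ...] = ("password", "otp")) -> None:
        self.users[uid] = {"pw": password, "key": key,
                           "types": set(auth_types), "watermark": None}

    def bind(self, uid: str, secret: str) -> bool:
        u = self.users.get(uid)
        if u is None:
            return False
        if "password" in u["types"] and hmac.compare_digest(secret.encode(), u["pw"].encode()):
            return True
        if "otp" in u["types"] and secret.startswith(u["pw"]):
            code = secret[len(u["pw"]):]
            step = self.now // TOTP_STEP
            for s in (step, step - 1):  # tolerate one step of clock skew
                if hmac.compare_digest(code.encode(), totp(u["key"], s).encode()):
                    if u["watermark"] is not None and s <= u["watermark"]:
                        return False    # replay of an already used step
                    u["watermark"] = s
                    return True
        return False

    def watermark(self, uid: str) -> Optional[int]:
        u = self.users.get(uid)
        return None if u is None else u["watermark"]
```

On a real deployment the gate would be constructed as `border_auth(ipa_ldap_bind("ldaps://ipa.example.test", "dc=example,dc=test"), user, secret)` (hostname and base DN are placeholders). Note that the double bind costs one extra OTP-free bind per login, and that `watermark_auth` only tightens things if the window is kept to the current step.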


Re: [Freeipa-users] Using Native OTP for auth from specific hosts

2014-08-11 Thread Dmitri Pal

On 08/11/2014 08:49 PM, Alexander Bokovoy wrote:

On Mon, 11 Aug 2014, Michael Lasevich wrote:

Ok, I am trying to figure out how to use native OTP capabilities in
FreeIPA4 to authenticate users but I am not finding enough docs on how to
USE OTP.

Specifically I would like to force OTP authentication on specific servers
while allowing password auth in other cases. As I understand
authentication, you can either select OTP or password or both
authentications, but if you select both, the user can use password instead
of otp from ANY server.

That is correct.


Is there any way to block password auth based on source (HBAC rules?) So
far the only way I can figure out is to create a second account, which is
less than optimal.

No, this functionality is not supported. One particular issue is that
we'll need to authenticate before applying HBAC rules, not after, so
some other means to validate the request chain are needed.

Additionally, Kerberos authentication requires you to enter your credentials
only when obtaining a ticket granting ticket (TGT), which happens before
a client will ask for a ticket to a specific service. Also, renewing the
ticket might be possible without the original credentials. Perhaps we could
add a flag into the TGT that would tell how strong the credentials were (how
many factors were in use) when the TGT was obtained and then use it in a
policy to see if a ticket to the target service principal could be
granted.

It is worth filing an RFE, anyway.


We already have these RFEs and they are in plans.
They have not been implemented because it requires a lot of upstream
Kerberos standards work.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Using Native OTP for auth from specific hosts

2014-08-11 Thread Dmitri Pal

On 08/11/2014 10:04 PM, Alexander Bokovoy wrote:

On Mon, 11 Aug 2014, Michael Lasevich wrote:
On Mon, Aug 11, 2014 at 12:30 PM, Alexander Bokovoy aboko...@redhat.com
wrote:


On Mon, 11 Aug 2014, Michael Lasevich wrote:

So, it is NOT intended to be used for border-style 2FA authentication (i.e.
VPN), which seems like it may be a common use case for 2FA?


You can always supplement the authentication check with some host-specific
information at the VPN concentrator. We don't have a ready-to-use solution
here, but it is definitely possible to use such a scheme against FreeIPA
2FA.



Sorry, I am not following.  What do you mean by host-specific
information? If system has no way to detect how many factors were involved
in authentication, how would I be able to guarantee that only 2FA is
allowed via this box?

I suppose this can work: I can write code that will:

1 - detects if there are OTP numbers at the end of the password
2 - authenticates using full 2FA
3 - authenticates using just password without 2FA

And then authenticate only if all 3 conditions are satisfied. Seems a bit
hacky, but that is the only way I can think that may work.
2 and 3 are the same from IPA's point of view, just an LDAP bind.
Ideally SSSD could handle this as part of a PAM stack by providing PAM
feedback that could be used by other modules. There was no request for
this functionality before.

However, I was mostly thinking that you may have an authentication
sequence where, after a successful auth, you would check the tokens associated
with the user to see if there is a recent update within the same time
period on one of the tokens. This would work right now, though it is a bit of a
hack -- a better one than the 2-accounts-per-user.



Here is more info:
1) Right now there is no way to scope the 2FA to different hosts. It is 
all or nothing.
2) There are plans to be able to differentiate which services would 
require 2FA and which would allow just a single factor.
We might not have filed specific RFEs in IPA because most of the work 
needs to happen in Kerberos.

There are two approaches:
a) Allow users to authenticate using 2FA or a single factor at their
discretion, but centrally control which services can be accessed with a
ticket that was acquired with a single factor. That would prevent users
from accessing the services that require 2FA.
b) For smarter services (which do not exist yet and would have to be
implemented), they would be able to look into the ticket themselves, see
the information on how the ticket was acquired, and then make a decision
based on that.


The place where the information on how the authentication was performed
is stored is called CAMMAC -
http://k5wiki.kerberos.org/wiki/Projects/Authentication_indicator


HTH

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Using Native OTP for auth from specific hosts

2014-08-11 Thread Michael Lasevich
My thought is that while 2 and 3 are the same from IPA's point of view, since I
am guaranteed to be sending different credentials in those cases I am
guaranteed to be checking both password and OTP. Prevents a case where the
user's password ends in a string of digits similar to an OTP.

I will look into checking the tokens for changes, but that seems a bit more
complicated and error-prone.

-M

On Mon, Aug 11, 2014 at 1:04 PM, Alexander Bokovoy aboko...@redhat.com
wrote:

 On Mon, 11 Aug 2014, Michael Lasevich wrote:

 On Mon, Aug 11, 2014 at 12:30 PM, Alexander Bokovoy aboko...@redhat.com
 wrote:

  On Mon, 11 Aug 2014, Michael Lasevich wrote:

  So, it is NOT intended to use for border-style 2FA authentication (i.e.
 VPN) - which seems may be a common use case for 2FA?

  You can always supplement the authentication check with some host-specific
 information at the VPN concentrator. We don't have a ready-to-use solution
 here, but it is definitely possible to use such a scheme against FreeIPA
 2FA.


  Sorry, I am not following.  What do you mean by host-specific
 information? If system has no way to detect how many factors were
 involved
 in authentication, how would I be able to guarantee that only 2FA is
 allowed via this box?

 I suppose this can work: I can write code that will:

 1 - detects if there are OTP numbers at the end of the password
 2 - authenticates using full 2FA
 3 - authenticates using just password without 2FA

 And then authenticate only if all 3 conditions are satisfied. Seems a bit
 hacky, but that is the only way I can think that may work.

 2 and 3 are the same from IPA point of view, just an LDAP bind. Ideally
 SSSD could handle this as part of a PAM stack by providing PAM
 feedback that could be used by other modules. There was no request for
 this functionality before.

 However, I was mostly thinking that you may have an authentication
 sequence where, after a successful auth, you would check the tokens associated
 with the user to see if there is a recent update within the same time
 period on one of the tokens. This would work right now, though it is a bit of a
 hack -- a better one than the 2-accounts-per-user.

 --
 / Alexander Bokovoy
