未加星标

FreeIPA and Selective 2FA with Kerbreros Authentication Indicators

字体大小 | |
[系统(linux) 所属分类 系统(linux) | 发布者 店小二04 | 时间 2016 | 作者 红领巾 ] 0人收藏点击收藏

One of the major new features in FreeIPA 4.4 is the introduction of Authentication Indicators in Kerberos tickets. This allows you to selectively enforce 2FA.

Usecases

Usually a linux environment consists on a lot of different services. Some of them are security sensitive such as payroll systems while others are more relaxed such as simple Intranet Webservers.

Some services do not nicely play with 2FA, see https://blog.delouw.ch/2015/04/09/2fa-with-free-ipa-the-good-the-bad-and-the-ugly/ . With Authentication Indicators you can allow users accessing this services without 2FA while deploying 2FA on all other services.

One of the obstacles for 2FA is user acceptance. With selective 2FA you can enforce it on the critical servers and/or services only.

Limitations

At the moment, selective 2FA with Authentication Indicators is only working with Fedora 24 and 25. There is no support (yet) for RHEL and its EL clones such as CentOS. Support for Authentication was added in SSSD 1.14, please also see the Release notes for SSSD 1.14 .

At the moment, users on RHEL clients always need to provide the second factor. This probably will change for RHEL 7.3. Please also see Bugzilla #1290381 . It is already included in public Beta.

Testing the new release

FreeIPA 4.4.2 is available in Fedora 25 Beta. SSSD 1.14 is available on Fedora 24 and newer and in RHEL 7.3 Beta.

Installing FreeIPA 4.4

Get Fedora 25 Beta and install four servers with it. (two replicas, two clients). Fedora 25 Beta can be downloaded here .

[[email protected] ~]# dnf -y install freeipa-server freeipa-server-dns

Dependencies will be resolved automatically.

Configure FreeIPA

For tests only, you can disable firewalld to avoid connectivity problems.

[[email protected] ~]# systemctl stop firewalld
[[email protected] ~]# systemctl disable firewalld

Note: the allow-zone-overlap is only needed if you make tests with existing DNS domains such as example.com. Usually you should not use this parameter to not violate the highlander principle.

[[email protected] ~]# ipa-server-install --subject="O=EXAMPLE.COM 2016101501" --allow-zone-overlap --setup-dns --forwarder=8.8.8.8 --forwarder=8.8.4.4 Install a replica

The second replica is first set up as a normal IPA Client and will then be promoted to be a replica.

Be sure you point your DNS to the first replica to allow detection of SRV DNS entries to correctly setup the client.

[[email protected] ~]# dnf -y install freeipa-server freeipa-server-dns

Now setup the replica as a client

[[email protected] ~]# ipa-client-install

Get a Kerberos Ticket as admin user

[[email protected] ~]# kinit admin

Promote to be a replica

[[email protected] ~]# ipa-replica-install --setup-dns --setup-ca --forwarder=8.8.8.8 --forwarder=8.8.4.4 Enroll two or more clients

For our tests we need some clients, enroll some

Enable 2FA Authentication

As a default, 2FA is not enabled, lets change that

[[email protected] ~]# ipa config-mod --user-auth-type={password,otp} Add some users

Add one or more users and set a password. Log in and set a new valid password

To be able to authenticate with both, Password only and 2FA, we need to provide that information when creating a new user. You also need to set an initial password.

[[email protected] ~]# ipa user-add --user-auth-type={password,otp} --first Joe --last Doe --shell=/bin/bash jdoe
[[email protected] ~]# ipa passwd jdoe

Get a Kerberos Ticket for jdoe, you will be promted to set a new password.

[[email protected] ~]# kinit jdoe
Password for [email protected]:
Password expired. You must change it now.
Enter new password:
Enter it again:
[[email protected] ~]# Add a 2FA Soft token

You can assign yourself a soft token with the CLI or WebUI.

[[email protected] ~]# ipa otptoken-add jdoe
----------------------
Added OTP token "jdoe"
----------------------
Unique ID: jdoe
Type: TOTP
Owner: jdoe
Manager: jdoe
Algorithm: sha1
Digits: 6
Clock interval: 30
URI: otpauth:[email protected]:jdoe?digits=6&secret=NOBAETXGLCVEW7BSINC6II4XLSPTFPDK.=30&algorithm=SHA1&issuer=jdoe%40EXAMPLE.COM
%

本文系统(linux)相关术语:linux系统 鸟哥的linux私房菜 linux命令大全 linux操作系统

主题: Linux
分页:12
转载请注明
本文标题:FreeIPA and Selective 2FA with Kerbreros Authentication Indicators
本站链接:http://www.codesec.net/view/483635.html
分享请点击:


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 系统(linux) | 评论(0) | 阅读(18)