Secure Authentication

Size: px

Start display at page:

Download "Secure Authentication"

Christopher Farmer
6 years ago
Views:

1 Secure Authentication Two Factor Authentication LDAP Based SSH Keys Mark Gardner UMB Financial Corporation Noor Kreadly Federal Reserve Bank of Kansas City

2 Prerequisites 2

3 Software Used edirectory 9.0 imanager 3 Nmashotp utility - Bundled with nmas Yubikey Personalization tool 3

4 Directory Setup Needs CA configured Must have Intruder Detection enabled for Lockout Password Policy that Enables Universal Password 4

5 Other Setup Configure the CA thm 5

6 Hashed One Time Passwords (HOTP) 6

7 What is HOTP What is OAUTH? Most Have familiarity with TOTP - Google Authenticator - RSA Secure ID token 7

8 Comparison of HOTP and TOTP Hashed One Time Password Secret Counter HMAC = Short Token Timed One Time Password Secret Time Hashed to Generate Token Can be appended to normal password Typically Requires client awareness 8

9 Using Yubikey as a HOTP provider 9

Yubikey by Yubico Innovative keys offer strong authentication via Yubico one-time passwords (OTP), FIDO Universal 2nd Factor (U2F), and smart card (PIV,

10 Yubikey by Yubico Innovative keys offer strong authentication via Yubico one-time passwords (OTP), FIDO Universal 2nd Factor (U2F), and smart card (PIV, OpenPGP, OATH) all with a simple tap or touch of a button. YubiKeys protect access for everyone from individual home users to the world s largest organizations. 10

11 Yubikey Customization Tool 11

12 Enable Users to Require HOTP 12

13 NMAS has HOTP already Hashed One Time Password was developed in 2005 Included with NMAS in 2007 Requires tool nmashotpconf - Currently packaged with Identity Assurance Suite - Nmashotp requires libraries from 8.8 but works just fine with edirectory 9 - Missing libraries can be extracted from 8.8 rpms with cpio, or just take the shortcut and get it from my blog 13

14 Get nmashotpconf 1. Extract edirectry to /usr/local/src/ 2. Extract nmas3333-client.tgz to /usr/local/src 3. Move all the nams files to /root/bin/ 4. cp /usr/local/src/3333/linux_x64/final/* /root/bin/ 5. rpm2cpio /usr/local/src/edirectory/setup/novell-nldapbase x86_64.rpm cpio -ivd./opt/novell/edirectory/lib64/libldapssl.so* 6. rpm2cpio /usr/local/src/edirectory/setup/novell-nldapbase x86_64.rpm cpio -ivd./opt/novell/edirectory/lib64/libldapx.so* 7. rpm2cpio /usr/local/src/edirectory/setup/novell-nldapsdk x86_64.rpm cpio - ivd./opt/novell/edirectory/lib64/libldapsdk.so* 8. mv opt/novell/edirectory/lib64/*. 14

15 Configuration Notes Once the token has been configured the output file contains the counter and the RAW secret. This information needs to be protected and will be used in a later step. For Internal Use Only 15

16 Alternative OTP Providers Fortunately OATH is an open standard and anyone can create a device/software that is HOTP compatible. Google Authenticator Yes, it has a HTOP mode DuoKey Fortinet Tokens SafeID For Internal Use Only 16

17 Configure the Account Use nmashotpconf The public key in pem format is required for this to work../nmashotpconf -h ldap.gtopia.org -p 636 -d cn=admin,o=gtopia -w ******* -e /usr/local/src/gtopia.crt -t B64 -r 6 -y 6 -u cn=mark,ou=users,o=gtopia -d 8 -c 0 -o ENABLE -s f5110f3be09fdb06d8fc0382c1f20da001ce85cf -f RAW For Internal Use Only 17

18 DEMO # ndslogin mark.users.gtopia -p markus edirectory Login: logged in as.cn=mark.ou=users.o=gtopia.gtopia. #./nmashotpconf -h ldap.gtopia.org -p 636 -D cn=admin,o=gtopia -w ***** \ -e /usr/local/src/gtopia.crt -t B64 -r 6 -y 6 -u cn=mark,ou=users,o=gtopia \ -d 8 -c 0 -o ENABLE -s f5110f3be09fdb06d8fc0382c1f20da001ce85cf -f RAW # ndslogin mark.users.gtopia -p markus Login for mark.users.gtopia.gtopia: failed, system failure (-632) # ndslogin mark.users.gtopia -p markus edirectory Login: logged in as.cn=mark.ou=users.o=gtopia.gtopia. # ndslogin mark.users.gtopia -p markus Login for mark.users.gtopia.gtopia: failed, failed authentication (-669) # ndslogin mark.users.gtopia -p markus edirectory Login: logged in as.cn=mark.ou=users.o=gtopia.gtopia. For Internal Use Only 18

19 Lockout Demonstration # ndslogin mark.users.gtopia -p markus [1] Instance at /etc/opt/novell/edirectory/conf/nds.conf: ldap.ou=servers.o=gtopia.gtopia Login for mark.users.gtopia.gtopia: failed, failed authentication (-669) # ndslogin mark.users.gtopia -p markus [1] Instance at /etc/opt/novell/edirectory/conf/nds.conf: ldap.ou=servers.o=gtopia.gtopia Login for mark.users.gtopia.gtopia: failed, failed authentication (-669) # ndslogin mark.users.gtopia -p markus4860 [1] Instance at /etc/opt/novell/edirectory/conf/nds.conf: ldap.ou=servers.o=gtopia.gtopia Login for mark.users.gtopia.gtopia: failed, login lockout (-197) # ndslogin mark.users.gtopia -p markus [1] Instance at /etc/opt/novell/edirectory/conf/nds.conf: ldap.ou=servers.o=gtopia.gtopia Login for mark.users.gtopia.gtopia: failed, login lockout (-197) For Internal Use Only 19

20 Configure SSSD 20

21 Prepare LDAP for SSH Keys Schema Extensions to Add - Other option would be to Extend the PosixUser Class to add an optional openssh Public Key Attribute dn: cn=openssh-openldap,cn=schema,cn=config objectclass: olcschemaconfig cn: openssh-openldap olcattributetypes: {0}( NAME 'sshpublickey' DES C 'MANDATORY: OpenSSH Public key' EQUALITY octetstringmatch SYNTAX ) olcobjectclasses: {0}( NAME 'ldappublickey' DESC 'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshpublickey $ uid ) ) For Internal Use Only 21

22 The SSSD configuration Next, add the option to your /etc/sssd/sssd.conf file: [sssd] config_file_version = 2 services = nss,pam,ssh 22

23 Configure SSH Daemon The final step is to add a couple of lines to your /etc/ssh/sshd_config file. Using #vim /etc/ssh/sshd_config AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys AuthorizedKeysCommandUser root 23

25 Thank You 25

26 Unpublished Work of SUSE LLC. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE LLC. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All thirdparty trademarks are the property of their respective owners. 26

Managing Linux Servers Comparing SUSE Manager and ZENworks Configuration Management

Managing Linux Servers Comparing SUSE Manager and ZENworks Configuration Management Product Support As of September 30,2012, Novell no longer offers general support and will only provide limited updates