Secure Authentication


Secure Authentication: Two Factor Authentication, LDAP Based SSH Keys
Mark Gardner, UMB Financial Corporation
Noor Kreadly, Federal Reserve Bank of Kansas City

Prerequisites

Software Used
- eDirectory 9.0
- iManager 3
- nmashotp utility, https://download.novell.com/download?buildid=bfnncvx8u_i (bundled with NMAS)
- YubiKey Personalization Tool

Directory Setup
- Needs a CA configured
- Must have Intruder Detection enabled (this is what produces the lockout shown later)
- A Password Policy that enables Universal Password

Other Setup
- Configure the CA: https://en.wikipedia.org/wiki/elliptic_curve_digital_signature_algorithm

HMAC-based One Time Passwords (HOTP)

What is HOTP? What is OATH?
HOTP is the HMAC-based One-Time Password algorithm of RFC 4226, published by OATH (the Initiative for Open Authentication, not to be confused with OAuth). Most people are familiar with its time-based variant, TOTP (RFC 6238):
- Google Authenticator
- RSA SecurID tokens (time-based, but RSA's own algorithm rather than OATH TOTP)

Comparison of HOTP and TOTP

  HMAC-based One Time Password (HOTP)      Time-based One Time Password (TOTP)
  Secret + Counter                         Secret + Time
  HMAC truncated to a short token          Hashed (HMAC of the time step) to generate the token
  Can be appended to the normal password   Typically requires client awareness

Both sides share the same secret and the same HMAC; the only difference is the moving factor (a counter the server tracks per user versus the current 30-second time step). The counter is why HOTP can simply be appended to the password: the server tries the next few counter values and resynchronises on a match, so no clock agreement is needed.

Using YubiKey as a HOTP provider

YubiKey by Yubico: innovative keys offer strong authentication via Yubico one-time passwords (OTP), FIDO Universal 2nd Factor (U2F), and smart card (PIV, OpenPGP, OATH), all with a simple tap or touch of a button. YubiKeys protect access for everyone from individual home users to the world's largest organizations.

YubiKey Personalization Tool: program a slot in OATH-HOTP mode; its output (the counter and the secret) is what the directory needs in the configuration step.

Enable Users to Require HOTP

NMAS has HOTP already
- HOTP (RFC 4226) was published in 2005
- Included with NMAS in 2007
- Requires the tool nmashotpconf
  - Currently packaged with Identity Assurance Suite
  - nmashotpconf requires libraries from eDirectory 8.8 but works just fine with eDirectory 9
  - Missing libraries can be extracted from the 8.8 RPMs with cpio, or just take the shortcut and get them from my blog

Get nmashotpconf
1. Extract eDirectory 8.8.8.8 to /usr/local/src/
2. Extract nmas3333-client.tgz to /usr/local/src
3. Move all the nmas files to /root/bin/
4. cp /usr/local/src/3333/linux_x64/final/* /root/bin/
5. rpm2cpio /usr/local/src/edirectory/setup/novell-nldapbase-8.8.8.8-0.x86_64.rpm | cpio -ivd ./opt/novell/edirectory/lib64/libldapssl.so*
6. rpm2cpio /usr/local/src/edirectory/setup/novell-nldapbase-8.8.8.8-0.x86_64.rpm | cpio -ivd ./opt/novell/edirectory/lib64/libldapx.so*
7. rpm2cpio /usr/local/src/edirectory/setup/novell-nldapsdk-8.8.8.8-0.x86_64.rpm | cpio -ivd ./opt/novell/edirectory/lib64/libldapsdk.so*
8. mv opt/novell/edirectory/lib64/* .

The extracted .so files still have to be found by the dynamic loader when nmashotpconf starts (for example by pointing LD_LIBRARY_PATH at the directory they were moved to).

Configuration Notes
Once the token has been configured, the output file contains the counter and the RAW secret. This is the shared HOTP secret: anyone holding it can generate valid tokens, so the file needs to be protected, and should be wiped once the secret has been loaded into the directory in a later step.
For Internal Use Only

Alternative OTP Providers
Fortunately OATH is an open standard and anyone can create a device or software that is HOTP compatible:
- Google Authenticator (yes, it has an HOTP mode)
- DuoKey
- Fortinet tokens
- SafeID

Configure the Account
Use nmashotpconf. The LDAP server's certificate in PEM format (the -e argument) is required for the TLS connection on port 636.

./nmashotpconf -h ldap.gtopia.org -p 636 -D cn=admin,o=gtopia -w ******* \
    -e /usr/local/src/gtopia.crt -t B64 -r 6 -y 6 -u cn=mark,ou=users,o=gtopia \
    -d 8 -c 0 -o ENABLE -s f5110f3be09fdb06d8fc0382c1f20da001ce85cf -f RAW

-u names the user being enabled, -s/-f RAW pass the raw secret and -c the counter from the personalization output, -d 8 matches the 8-digit tokens used in the demo, and -o ENABLE turns HOTP on for the account. Both the admin password (-w) and the HOTP secret (-s) appear on the command line, and therefore in shell history and the process list; clear the history afterwards and treat the shell session as sensitive.

DEMO

# ndslogin mark.users.gtopia -p markus
edirectory Login: logged in as .cn=mark.ou=users.o=gtopia.gtopia.

# ./nmashotpconf -h ldap.gtopia.org -p 636 -D cn=admin,o=gtopia -w ***** \
    -e /usr/local/src/gtopia.crt -t B64 -r 6 -y 6 -u cn=mark,ou=users,o=gtopia \
    -d 8 -c 0 -o ENABLE -s f5110f3be09fdb06d8fc0382c1f20da001ce85cf -f RAW

# ndslogin mark.users.gtopia -p markus
Login for mark.users.gtopia.gtopia: failed, system failure (-632)

# ndslogin mark.users.gtopia -p markus96147987
edirectory Login: logged in as .cn=mark.ou=users.o=gtopia.gtopia.

# ndslogin mark.users.gtopia -p markus96147987
Login for mark.users.gtopia.gtopia: failed, failed authentication (-669)

# ndslogin mark.users.gtopia -p markus48607419
edirectory Login: logged in as .cn=mark.ou=users.o=gtopia.gtopia.

Reading the demo: before HOTP is enabled the password alone logs in; after enabling, the bare password is refused (-632), password plus the current token succeeds, replaying the same token fails (-669) because the server-side counter has already moved past it, and the next token succeeds.

Lockout Demonstration

# ndslogin mark.users.gtopia -p markus48607419
[1] Instance at /etc/opt/novell/edirectory/conf/nds.conf: ldap.ou=servers.o=gtopia.gtopia
Login for mark.users.gtopia.gtopia: failed, failed authentication (-669)

# ndslogin mark.users.gtopia -p markus4860741
[1] Instance at /etc/opt/novell/edirectory/conf/nds.conf: ldap.ou=servers.o=gtopia.gtopia
Login for mark.users.gtopia.gtopia: failed, failed authentication (-669)

# ndslogin mark.users.gtopia -p markus4860
[1] Instance at /etc/opt/novell/edirectory/conf/nds.conf: ldap.ou=servers.o=gtopia.gtopia
Login for mark.users.gtopia.gtopia: failed, login lockout (-197)

# ndslogin mark.users.gtopia -p markus10802444
[1] Instance at /etc/opt/novell/edirectory/conf/nds.conf: ldap.ou=servers.o=gtopia.gtopia
Login for mark.users.gtopia.gtopia: failed, login lockout (-197)

Three bad attempts in a row (a replayed token, a truncated token, a short one) trip Intruder Detection: the third returns login lockout (-197), and a fresh, otherwise valid token (markus10802444) is refused for as long as the lockout lasts.
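The HOTP/TOTP comparison, the password-plus-token login of the demo and the lockout above can all be exercised offline. The following is an added example written for this page, not NMAS code and not the nmashotpconf tool: it implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, checks them against the RFC test vectors, and models a server-side HOTP account the way the demo behaves (token appended to the password, look-ahead resync, a consumed counter never accepted again, lockout after repeated failures). The password storage, the look-ahead width of 10 and the lockout threshold of 3 are assumptions for the example.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation plus a minimal server-side
HOTP verifier modelled on the ndslogin demo: password+token in one field,
look-ahead resync, no replay of a consumed counter, lockout after failures.
Added example; not the NMAS implementation."""
import hashlib
import hmac
import struct

# RFC 4226 appendix D / RFC 6238 appendix B test secret: ASCII "12345678901234567890".
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """HMAC(secret, 8-byte big-endian counter) -> dynamic truncation -> `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, digest=hashlib.sha1) -> str:
    """TOTP is HOTP with the moving factor replaced by floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, digest)


def split_appended(submitted: str, digits: int) -> tuple:
    """'markus96147987' -> ('markus', '96147987'): the token is the last `digits` characters."""
    if len(submitted) <= digits or not submitted[-digits:].isdigit():
        raise ValueError("no token appended")
    return submitted[:-digits], submitted[-digits:]


class HotpAccount:
    """Per-user server state: shared secret, next expected counter, intruder count."""

    def __init__(self, password: str, secret: bytes, digits: int = 8,
                 look_ahead: int = 10, lockout_after: int = 3):
        self.password = password          # example only; a real store keeps a password hash
        self.secret = secret
        self.digits = digits
        self.counter = 0                  # next counter value the server will accept
        self.look_ahead = look_ahead      # assumed window for tokens generated but never sent
        self.lockout_after = lockout_after  # assumed Intruder Detection threshold
        self.failures = 0
        self.locked = False

    def _fail(self) -> str:
        self.failures += 1
        if self.failures >= self.lockout_after:
            self.locked = True
            return "login lockout"
        return "failed authentication"

    def login(self, submitted: str) -> str:
        if self.locked:
            return "login lockout"
        try:
            password, token = split_appended(submitted, self.digits)
        except ValueError:
            return "system failure"       # HOTP is required but nothing was appended
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return self._fail()
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), token):
                self.counter = c + 1      # consume this and every skipped counter value
                self.failures = 0
                return "logged in"
        return self._fail()


if __name__ == "__main__":
    acct = HotpAccount("markus", RFC_SECRET)
    first = "markus" + hotp(RFC_SECRET, 0, 8)
    for attempt in ("markus", first, first, "markus" + hotp(RFC_SECRET, 1, 8)):
        print(f"{attempt:20s} -> {acct.login(attempt)}")
```

Running the file reproduces the sequence of the demo: bare password refused, password plus token accepted, the same token rejected on replay, the next token accepted. Advancing the counter past every value up to the match is what makes a captured token worthless once it has been used.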

Configure SSSD

Prepare LDAP for SSH Keys
Schema extensions to add (the other option would be to extend the PosixUser class with an optional OpenSSH public key attribute). The LDIF below is the OpenSSH LPK schema in OpenLDAP cn=config form; on eDirectory the same attribute type and object class have to be added with the directory's own schema tools.

dn: cn=openssh-openldap,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )

Once the attribute exists, restrict write access to it with directory ACLs: whoever can set sshPublicKey on a user object can log in as that user.

The SSSD configuration
Next, add the ssh responder to your /etc/sssd/sssd.conf file:

[sssd]
config_file_version = 2
services = nss, pam, ssh

The [sssd] section also needs a domains entry and a matching [domain/<name>] section that points at the directory. SSSD reads the key from the sshPublicKey attribute by default (option ldap_user_ssh_public_key), so nothing more is needed unless the attribute was named differently. Keep the file owned by root with mode 0600 and restart sssd after editing it.

Configure SSH Daemon
The final step is to add a couple of lines to your /etc/ssh/sshd_config file (vim /etc/ssh/sshd_config):

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root

The command runs as AuthorizedKeysCommandUser and only needs to talk to the SSSD socket, so run it as an unprivileged account (the SSSD documentation uses nobody) rather than root. Restart sshd, then verify by running sss_ssh_authorizedkeys with the user name as its argument: it should print that user's key from the directory.
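Every line that AuthorizedKeysCommand prints is interpreted by sshd exactly like a line in authorized_keys, options such as command= and from= included, so the directory attribute becomes part of the trust boundary. As an added example (not part of the deck, and not SSSD code), the following filter checks each attribute value before it would reach sshd: the first token must be an allowed key type (which also rejects option-prefixed lines), the base64 blob must decode to the SSH wire format, the embedded type must match the prefix, and RSA moduli below an assumed minimum of 3072 bits are dropped. The allowed types, the RSA minimum and the sample values are assumptions; the sample keys are constructed blobs, not real keys.

```python
"""Validate authorized_keys-style lines fetched from an LDAP sshPublicKey attribute
before handing them to sshd.  Added example, not part of SSSD or OpenSSH."""
import base64
import binascii
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}   # assumed policy
MIN_RSA_BITS = 3072                                                 # assumed policy


def _ssh_strings(blob: bytes) -> list:
    """Decode the SSH wire format: a sequence of uint32-length-prefixed strings."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated string")
        out.append(blob[pos:pos + n])
        pos += n
    return out


def check_key_line(line: str) -> tuple:
    """Return (accepted, reason) for one 'type base64 [comment]' line."""
    parts = line.strip().split()
    if len(parts) < 2:
        return False, "not 'type base64 [comment]'"
    keytype, b64 = parts[0], parts[1]
    if keytype not in ALLOWED_TYPES:
        # Also catches lines that begin with options such as command="..." or from="...".
        return False, f"first token {keytype!r} is not an allowed key type"
    try:
        fields = _ssh_strings(base64.b64decode(b64, validate=True))
    except (binascii.Error, ValueError) as exc:
        return False, f"undecodable key blob: {exc}"
    if not fields or fields[0] != keytype.encode():
        return False, "embedded key type does not match the prefix"
    if keytype == "ssh-ed25519":
        if len(fields) != 2 or len(fields[1]) != 32:
            return False, "ed25519 key must be a 32-byte point"
    elif keytype == "ssh-rsa":
        if len(fields) != 3:
            return False, "rsa key must be (type, e, n)"
        modulus = fields[2].lstrip(b"\x00")       # mpint may carry a leading zero byte
        if len(modulus) * 8 < MIN_RSA_BITS:
            return False, f"rsa modulus shorter than {MIN_RSA_BITS} bits"
    elif keytype == "ecdsa-sha2-nistp256":
        if len(fields) != 3 or fields[1] != b"nistp256" or len(fields[2]) != 65 or fields[2][0] != 4:
            return False, "ecdsa key must be an uncompressed nistp256 point"
    return True, "ok"


def filter_directory_keys(values) -> list:
    """Keep only acceptable lines; the result is what sshd would be allowed to see."""
    return [v for v in values if check_key_line(v)[0]]


def _blob(*fields: bytes) -> str:
    """Build an SSH wire-format blob from fields and base64 it (for the constructed samples)."""
    return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in fields)).decode()


# Constructed sample attribute values (not real keys): a 32-byte ed25519 "point" of 0x11,
# a 1024-bit and a 3072-bit RSA modulus, an option-prefixed line, a mismatched type, garbage.
SAMPLE_VALUES = [
    "ssh-ed25519 " + _blob(b"ssh-ed25519", b"\x11" * 32) + " mark@gtopia",
    "ssh-rsa " + _blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 128) + " weak",
    "ssh-rsa " + _blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 384) + " ok",
    'command="/bin/sh" ssh-ed25519 ' + _blob(b"ssh-ed25519", b"\x11" * 32),
    "ssh-ed25519 " + _blob(b"ssh-rsa", b"\x01\x00\x01", b"\xab" * 384),
    "ssh-ed25519 not-base64!!",
]

if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        ok, why = check_key_line(v)
        print("ACCEPT" if ok else "REJECT", why, "::", v[:40])
```

To use it in front of sshd, a small wrapper script named in AuthorizedKeysCommand would run sss_ssh_authorizedkeys for the requested user, pass each output line through check_key_line, and print only the accepted lines; rejected lines are worth logging, since an option-prefixed or malformed value in the directory is either a misconfiguration or an attempt to smuggle options past the key policy.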

Thank You

Unpublished Work of SUSE LLC. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE LLC. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.