Posts Tagged ‘Android’

2FA with (Free) IPA. The good, the bad and the ugly

Thursday, April 9th, 2015

Two factor authentication (2FA) is becoming more and more common, which is good for security. Since the release of IPA4 it comes with 2FA included.

Over time I did a lot of experiments and gathered experience I wanted to share with you. It is easy to set up and maintain as long as you use it only for system authentication. If you are using such things as webmail, it fails. This post shows you the capabilities as they are today. Almost all of the bad issues apply not only to (Free)IPA but to 2FA in general.

The good
If all your systems are Fedora 21, RHEL 7.1 or Ubuntu 14.02, everything works fine, as the included SSSD is new enough to handle 2FA. All kerberized services can be used with 2FA without logging in again during the validity of your Kerberos ticket. Very convenient, very secure.

3rd party applications can use LDAP authentication (depending on the use case).

The bad
Systems with older distributions such as RHEL 6.6 come with an SSSD version which is too outdated to handle kerberized 2FA at all. This will probably change soon.

  • Use LDAP authentication (see later on)
  • Use a jump host with a recent Linux distribution

If you are logging in to your workstation with a local user, you cannot grab a Kerberos ticket with kinit and use this ticket further on (e.g. for ssh logins on remote servers, mail etc.).

  • Switch to an IPA managed user if your workstation is recent enough.
  • Use a jump host with a recent Linux distribution
  • Wait until krb5-PAKE is in place; the software is being developed, see and
The ugly

It looks like most mobile applications, such as the IMAP client in Android, do not prompt for the password; they expect it to be configured. Needless to say, you cannot reconfigure the password each time you want to check your emails on your phone.

  • 3rd party email app? One that prompts for the password if needed
  • Configure IPA to accept password and 2FA, which lets the user choose to either use the password only or 2FA. Needless to say that this makes 2FA less useful as people tend to be lazy
  • Turn off 2FA in IPA and use a Yubikey with a static password (split password). This is not a real 2FA, it is a single password split in two. Password change is a horror.

Accessing webmail clients (I tested Roundcube) causes headaches as well. They authenticate the user against IMAP and reuse these credentials to access the mail storage. As the second factor is a one time password (OTP), this results in a failure to retrieve mails after logging in.

Workaround: same as for mobile applications. I would appreciate it if someone could point me to webmail software which can handle this.
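As an added example (not code from the post or from FreeIPA), the model below shows why the mobile-client and webmail cases above break: the server accepts a TOTP code only once, so the password+OTP pair that logged the webmail user in via IMAP is refused when it is reused a moment later to fetch mail. The secret, password and timestamps are constructed, and the allow_password_only switch stands in for the password-or-2FA setting mentioned in the workarounds.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real token secret is provisioned by IPA, not hard-coded.
DEMO_SECRET = b"constructed-demo-secret-0123"
DEMO_PASSWORD = "correct horse"  # constructed first factor for the demo
STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side: each time-step code is accepted at most once (replay protection)."""

    def __init__(self, secret: bytes, allow_password_only: bool = False):
        self.secret = secret
        # True models the "password or OTP" IPA setting from the workarounds; False = OTP required.
        self.allow_password_only = allow_password_only
        self.last_counter = -1  # highest time-step counter already consumed

    def authenticate(self, password: str, otp: str, unix_time: int) -> bool:
        if not hmac.compare_digest(password, DEMO_PASSWORD):
            return False  # first factor wrong
        if otp == "":
            return self.allow_password_only  # no second factor supplied
        counter = unix_time // STEP
        if counter <= self.last_counter:
            return False  # replay: this code (or an older one) was already used
        if not hmac.compare_digest(otp, totp(self.secret, unix_time)):
            return False
        self.last_counter = counter
        return True


def webmail_session(verifier: OtpVerifier, password: str, otp: str, unix_time: int):
    """Webmail pattern from the post: log in via IMAP, then reuse the same
    credentials one second later to fetch mail from the mail storage."""
    login_ok = verifier.authenticate(password, otp, unix_time)
    fetch_ok = verifier.authenticate(password, otp, unix_time + 1)
    return login_ok, fetch_ok
```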

Offline usage

One sentence: offline usage does not work because it cannot work.

  • Create a local user and use a Yubikey configured with a static password (split password). This is not a real 2FA, it is a single password split in two. Password change is a horror.
  • Install an IPA server on your notebook 😉 This will scale up to 18 notebooks (plus two replicas in the datacenter) but introduces a lot of other problems, so: not seriously to be considered.

LDAP Authentication as a Workaround
Configure PAM/SSSD to use LDAP authentication for your users. IPA comes with a very nice feature called ipa-advise.

[root@ipa1 ~]# ipa-advise config-redhat-nss-pam-ldapd
# ----------------------------------------------------------------------
# Instructions for configuring a system with nss-pam-ldapd as a IPA
# client. This set of instructions is targeted for platforms that
# include the authconfig utility, which are all Red Hat based platforms.
# ----------------------------------------------------------------------
# Schema Compatibility plugin has not been configured on this server. To
# configure it, run "ipa-adtrust-install --enable-compat"
# Install required packages via yum
yum install -y wget openssl nss-pam-ldapd pam_ldap authconfig
# NOTE: IPA certificate uses the SHA-256 hash function. SHA-256 was
# introduced in RHEL5.2. Therefore, clients older than RHEL5.2 will not
# be able to interoperate with IPA server 3.x.
# Please note that this script assumes /etc/openldap/cacerts as the
# default CA certificate location. If this value is different on your
# system the script needs to be modified accordingly.
# Download the CA certificate of the IPA server
mkdir -p -m 755 /etc/openldap/cacerts
wget -O /etc/openldap/cacerts/ipa.crt
# Generate hashes for the openldap library
command -v cacertdir_rehash
if [ $? -ne 0 ] ; then
 wget "" -O cacertdir_rehash ;
 chmod 755 ./cacertdir_rehash ;
 ./cacertdir_rehash /etc/openldap/cacerts/ ;
else
 cacertdir_rehash /etc/openldap/cacerts/ ;
fi
# Use the authconfig to configure nsswitch.conf and the PAM stack
authconfig --updateall --enableldap --enableldapauth --ldapserver=ldap:// --ldapbasedn=cn=compat,dc=example,dc=com
[root@ipa1 ~]#

The output reflects your environment (your own domain is substituted), so it is copy-paste ready. I love this feature 🙂 For other Linux systems, run ipa-advise without parameters to see which advices are available.

2FA works well, and is convenient and secure, in a datacenter and office environment. Notebooks are fine as well, as long as there is a network connection available. The mobile world (smartphones and tablets) is not yet ready for 2FA. Some issues can be worked around (with some drawbacks) while others render 2FA unusable altogether (offline usage).

Hopefully there will be some smart solutions available for mobile usage soon, as mobile usage causes most of the security headaches.

How to transfer files to the Google Nexus 7

Sunday, September 9th, 2012

It looks like a silly question, but it is not. The device does not support USB mass storage, but something called MTP. Unfortunately it does not work as expected with Linux.

The first try was to yum -y install libmtp.x86_64 libmtp-examples.x86_64 and mount the device with FUSE: mtpfs /mnt. However, it seems it is not mature enough yet to use.

If you just want to put some sound files onto your device, Amarok works pretty fine. But what if you want to put e.g. movies on your device?

The only quick solution I figured out was to use adb, which comes with the Android SDK. As root do the following:

yum -y install android-tools.x86_64
adb start-server
for i in /home/user/Movies/*; do
  adb push "$i" /sdcard/Movies
done

As you can read in the Wikipedia article about Media Transfer Protocol, it is a standard described by Microsoft and originally designed for managing photographs on cameras.

The idea behind it is that every operating system comes with its own file system(s), and when using USB mass storage the common filesystem is FAT32. As you may know, FAT32 has some limitations. Unfortunately there is no other common file system available.

For Linux users it would be perfect to have USB mass storage support, because the file system used is ext4, also on the pseudo sdcard storage built into the device.

The “successor” of FAT is called exFAT and is Microsoft proprietary and thus out of the question for the next 20 years (software patents). Here the standardization organisations have completely failed to establish a free and open standard as a common file system suited for applications such as USB sticks, smartphones and others.

I have no clue how many software patents are related to MTP. I hope there are none at all, so every operating system vendor can implement it, as it seems to be becoming the standard for such devices. Currently, the only “native” support for MTP comes with Windows Media Player. There is some software available for Mac OS X provided by Google, and the FUSE implementation for Linux, which I would call experimental.

I’m sure someone would now bring in the argument that sound and movies can be accessed from the “cloud”. Well sure, but UMTS is too slow and too expensive for HD movies, and WLAN is – at least in European hotels – even more expensive. The only way to store media is locally, at least for nomads like me.

Having fun? Not really…

Updated my Nexus one to Gingerbread

Sunday, February 27th, 2011

Google has finally released Gingerbread (Android 2.3.3) for the Nexus One mobile phone. Until the rollout via OTA (over the air) is completed, it will take a few weeks.

I was not willing to wait for such a long time.

So, I just downloaded the image from Google and updated my phone manually.

Steps needed:

  • Download the image from here
  • Rename the image file to and copy it to your phone SD card’s root
  • Shut down your phone
  • Press the trackball while powering on the phone
  • Select bootloader (use the volume keys to navigate) and press the power button again
  • When the exclamation mark shows up on the screen, hold down the power key and then press volume up
  • Navigate to Apply and confirm the action by pressing the trackball
  • Reboot after successfully updating your Android to 2.3.3

Benefits of Gingerbread for the Nexus one

  • The overall speed has been improved; it feels much snappier now
  • Re-worked user interface. The UI is now much darker than before and has some nice effects like the “glowing” when reaching the top or bottom of a list. A cool eye-candy effect appears when locking the screen.
  • Improved virtual keyboard. It is more comfortable than the old versions

Google’s definition of “soon”
Google announced the availability of the Android 2.3 SDK in early December last year. On December 20th, Google promised to release Gingerbread for the Nexus One in the “coming weeks”. Later on, rumours that it would be released during the “Mobile World Congress” in Barcelona, Spain proved wrong.

From the announcement of Gingerbread to the OTA roll-out to the Nexus One, we had to wait almost three months. What kept Google from releasing it earlier?

Hopefully we do not need to wait such a long time for “Ice Cream” (Android version 4?).

It was worth buying a Google phone. It is already the second major version that has hit my phone. Other phone manufacturers either do not release any updates at all or roll them out with a delay of a few months.

Have fun!

Android 2.2 SDK released

Sunday, May 23rd, 2010

On 2010-05-20 Google released version 2.2 of the SDK for its Android Linux OS for mobile devices. It will take some time before the software is available for the phones.

The main feature enhancement is the performance improvement due to the Dalvik JIT. Performance will be up by a factor of 2 to 5. This brings me to the question: was it intentionally that slow before, just to be able to announce a major breakthrough later on? Anyway: good to know that the speed has improved.

The major new feature for me is the ability to install apps on SD storage. I’m using CyanogenMod version 5.0.6 myself and already have this feature on my Nexus One. The tricky part is partitioning the SD card: to be able to install apps on SD, there must be a partition with an ext2, ext3 or ext4 filesystem. Search the internet for howtos.

I’m also looking forward to testing the improved Exchange support, or finding out whether Touchdown Pro is still needed to get it working.

Finally you can automatically update apps, plus the ability to update all applications with a single tap without 3rd party software such as aTrackDog.

Have fun!