Posts Tagged ‘Mobile Internet’

2FA with (Free) IPA. The good, the bad and the ugly

Thursday, April 9th, 2015

Two-factor authentication (2FA) is emerging more and more, which is good for enhancing security. Since the release of IPA4, it comes with 2FA included.

Over time I did a lot of experiments and gained experience I wanted to share with you. It is easy to set up and maintain as long as you use it only for system authentication. If you are using such things as webmail, it fails. This post shows you the capabilities as they are today. Almost all the bad issues apply not only to Free(IPA) but to 2FA in general.

The good
If all your systems are Fedora 21, RHEL 7.1 or Ubuntu 14.02, all is working fine, as the included SSSD is new enough to handle 2FA. All kerberized services can be used with 2FA without logging in again during the validity of your Kerberos ticket. Very convenient, very secure.

3rd-party applications can use LDAP authentication (depending on the use case).

The bad
Systems with older distributions such as RHEL 6.6 come with an SSSD version which is too outdated to handle kerberized 2FA at all. This will probably change soon.

Workaround:

  • Use LDAP authentication (see later on)
  • Use a Jump host with a recent Linux distribution

If you are logging in to your workstation with a local user, you cannot grab a Kerberos ticket with kinit and use this ticket further on (i.e. for SSH logins on remote servers, mail etc.).

Workaround:

  • Switch to an IPA-managed user if your workstation is recent enough.
  • Use a Jump host with a recent Linux distribution
  • Wait until krb5-PAKE is in place, software is being developed, see http://k5wiki.kerberos.org/wiki/Projects/Improve_OTP_deployability and https://github.com/npmccallum/krb5-pake
The ugly

Looks like most mobile applications, such as the IMAP client in Android, do not prompt for the password; they expect it configured. Needless to say, you cannot reconfigure the password each time you want to check your emails with your phone.

Workaround:

  • 3rd-party email app? One that prompts for the password if needed
  • Configure IPA to accept password and 2FA, which lets the user choose to either use the password only or 2FA. Needless to say, this makes 2FA less useful as people tend to be lazy
  • Turn off 2FA in IPA and use a Yubikey with a static password (split password). This is not real 2FA, it is a single password split in two. Password change is a horror.

Accessing webmail clients (I tested Roundcube mail) causes headaches as well. They authenticate the users with IMAP and use these credentials to access the mail storage. As the second factor is a one-time password (OTP), this will result in failure to retrieve mails after logging in.

Workaround: Same as for mobile applications. I would appreciate it if someone can point me to a webmail software which can handle this.

Offline usage

One sentence: Offline usage does not work because it cannot work.

Workaround:

  • Create a local user and use a Yubikey configured with a static password (split password). This is not real 2FA, it is a single password split in two. Password change is a horror.
  • Install an IPA server on your notebook ;-) This will scale up to 18 notebooks (plus two replicas in the datacenter) but introduces a lot of other problems, so: not seriously to be considered.
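To make the two failure modes above concrete (the IMAP client or webmail that re-sends a cached password+OTP, and offline use), here is an added Python example; it is not code from the original post and not FreeIPA's implementation. It assumes the FreeIPA convention of sending the static password immediately followed by the TOTP code in one password field, a 20-byte demo seed constructed for this example, and a minimal RFC 6238 verifier with a one-step skew window and replay rejection that models the server-side check rather than reproducing FreeIPA's code.

```python
import hashlib
import hmac
import struct

# Constructed 20-byte demo seed for this example only; a real token seed is
# generated on the IPA server and is never handed to the client.
DEMO_SECRET = b"constructed-seed-123"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the default for FreeIPA TOTP tokens)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Minimal server-side verifier (modelled on, not copied from, FreeIPA).

    Everything needed to check a code lives here: the token seed and the
    last counter already consumed. An offline client has no access to this
    state, which is why an OTP cannot be validated locally.
    """

    def __init__(self, password: str, secret: bytes, step: int = 30,
                 digits: int = 6, window: int = 1):
        self.password = password
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window        # accept +/- this many steps of clock skew
        self.last_counter = -1      # highest counter value already accepted

    def verify(self, password_field: str, unix_time: int) -> bool:
        """Check <static password><code> as sent in a single password field."""
        if len(password_field) <= self.digits:
            return False
        static, code = password_field[:-self.digits], password_field[-self.digits:]
        if not hmac.compare_digest(static.encode(), self.password.encode()):
            return False
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_counter:
                continue  # this step (or an older one) was already used: replay
            expected = totp(self.secret, candidate * self.step, self.step, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = candidate
                return True
        return False


def cached_credential_scenario(now: int = 1_700_000_000) -> list:
    """Model an IMAP client or webmail that stores password+OTP once and
    re-sends it on every connection. Returns the outcome of each attempt."""
    server = OtpVerifier("Secret-Pa55", DEMO_SECRET)
    cached = "Secret-Pa55" + totp(DEMO_SECRET, now)
    outcomes = [
        server.verify(cached, now),        # initial login: valid code, accepted
        server.verify(cached, now + 5),    # mail fetch, same step: replay, rejected
        server.verify(cached, now + 120),  # later fetch: code expired, rejected
    ]
    fresh = "Secret-Pa55" + totp(DEMO_SECRET, now + 120)
    outcomes.append(server.verify(fresh, now + 120))  # user types a new code: accepted
    return outcomes


if __name__ == "__main__":
    print(cached_credential_scenario())  # [True, False, False, True]
```

The outcomes are True, False, False, True: the first login succeeds, the cached credential is rejected as a replay within the same time step, it is rejected again once the step has passed, and only a freshly entered code gets through. That is exactly what a webmail front end sees when it re-uses the login credentials to open the IMAP mailbox, and a client that does not re-prompt for the code has no way out of it.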

LDAP Authentication as a Workaround
Configure PAM/SSSD to use LDAP authentication for your users. IPA comes with a very nice feature called ipa-advise.

[root@ipa1 ~]# ipa-advise config-redhat-nss-pam-ldapd
#!/bin/sh
# ----------------------------------------------------------------------
# Instructions for configuring a system with nss-pam-ldapd as a IPA
# client. This set of instructions is targeted for platforms that
# include the authconfig utility, which are all Red Hat based platforms.
# ----------------------------------------------------------------------
# Schema Compatibility plugin has not been configured on this server. To
# configure it, run "ipa-adtrust-install --enable-compat"
# Install required packages via yum
yum install -y wget openssl nss-pam-ldapd pam_ldap authconfig

# NOTE: IPA certificate uses the SHA-256 hash function. SHA-256 was
# introduced in RHEL5.2. Therefore, clients older than RHEL5.2 will not
# be able to interoperate with IPA server 3.x.
# Please note that this script assumes /etc/openldap/cacerts as the
# default CA certificate location. If this value is different on your
# system the script needs to be modified accordingly.
# Download the CA certificate of the IPA server
mkdir -p -m 755 /etc/openldap/cacerts
wget http://ipa1.example.com/ipa/config/ca.crt -O /etc/openldap/cacerts/ipa.crt

# Generate hashes for the openldap library
command -v cacertdir_rehash
if [ $? -ne 0 ] ; then
 wget "https://fedorahosted.org/authconfig/browser/cacertdir_rehash?format=txt" -O cacertdir_rehash ;
 chmod 755 ./cacertdir_rehash ;
 ./cacertdir_rehash /etc/openldap/cacerts/ ;
else
 cacertdir_rehash /etc/openldap/cacerts/ ;
fi

# Use the authconfig to configure nsswitch.conf and the PAM stack
authconfig --updateall --enableldap --enableldapauth --ldapserver=ldap://ipa1.example.com --ldapbasedn=cn=compat,dc=example,dc=com

[root@ipa1 ~]#

The output actually reflects your environment: example.com will be replaced with your domain, and it's copy-paste ready. I love this feature :-) For other Linux systems, run ipa-advise without parameters to see which advice sets are available.

Conclusion
2FA works well, conveniently and securely, in a datacenter and office environment. Notebooks are fine as well, as long as there is a network connection available. The mobile world (smartphones and tablets) is not yet ready for 2FA. Some issues can be worked around (with some drawbacks) while others render 2FA not usable at all (offline usage).

Hopefully there will be some smart solutions available for mobile usage soon, as mobile usage causes most of the security headaches.

Usability Fedora vs Windows

Tuesday, November 30th, 2010

I’m writing this post sitting in a train, connected to the internet via UMTS. The device is a Huawei E220 HSDPA modem connected via USB. Guess who is the winner?

Procedure to get the device running on Fedora (first time usage):

  • Plug in the device on any USB port
  • Enter the PIN in the pop-up
  • Enjoy mobile Internet connection

Steps: 3
Time: approx. 5sec.

Procedure on Windows XP (first time usage):

  • Decide on what USB port you will plug in the device and memorize it, because subsequently it will only work on that USB port
  • Plug in the device
  • A virtual CD-ROM drive gets mounted, a window with some drivers appears
  • Install the driver
  • Reboot your notebook
  • Find and start the previously installed software
  • Get a pop-up asking for the PIN
  • Enjoy mobile Internet connection

Steps: 8
Time: approx 10min

[update]
Procedure on Windows 7 (first time usage):

  • Decide on what USB port you will plug in the device and memorize it, because subsequently it will only work on that USB port
  • Plug in the device
  • A virtual CD-ROM drive gets mounted, a window with some drivers appears
  • When autorun.inf is enabled, the driver installs automatically (on enterprise systems it is mostly disabled). If not enabled, read some documentation on what to do
  • Find and start the previously installed software
  • Get a pop-up asking for the PIN
  • Enjoy mobile Internet connection

Steps: 7
Time: Between 5min and 30min (depending on your Windows 7 knowledge)
[/update]

For subsequent usage on Fedora, proceed as for the first-time usage.

On Windows (XP and 7) you need to remember which port you plugged the device into when you installed it. Otherwise you need to uninstall the drivers, reboot, install the drivers again and reboot again. [update]On Windows 7 you do not need a reboot.[/update]

Having fun? With Fedora yes :-) With Windows? Not really…