One of the major new features in FreeIPA 4.4 is the introduction of Authentication Indicators in Kerberos tickets. This allows you to selectively enforce 2FA.
Use cases
Usually a Linux environment consists of a lot of different services. Some of them are security sensitive, such as payroll systems, while others are more relaxed, such as simple intranet web servers.
Some services do not play nicely with 2FA, see https://blog.delouw.ch/2015/04/09/2fa-with-free-ipa-the-good-the-bad-and-the-ugly/. With Authentication Indicators you can allow users to access these services without 2FA while enforcing 2FA on all other services.
One of the obstacles for 2FA is user acceptance. With selective 2FA you can enforce it on the critical servers and/or services only.
Limitations
At the moment, selective 2FA with Authentication Indicators only works on Fedora 24 and 25. There is no support (yet) for RHEL and its EL clones such as CentOS. Support for Authentication Indicators was added in SSSD 1.14; please also see the release notes for SSSD 1.14.
At the moment, users on RHEL clients always need to provide the second factor. This will probably change with RHEL 7.3. Please also see Bugzilla #1290381. It is already included in the public beta.
Testing the new release
FreeIPA 4.4.2 is available in Fedora 25 Beta. SSSD 1.14 is available on Fedora 24 and newer and in RHEL 7.3 Beta.
Installing FreeIPA 4.4
Get Fedora 25 Beta and install four servers with it (two replicas, two clients). Fedora 25 Beta can be downloaded here.
[root@ipa1 ~]# dnf -y install freeipa-server freeipa-server-dns
Dependencies will be resolved automatically.
Configure FreeIPA
For tests only, you can disable firewalld to avoid connectivity problems.
[root@ipa2 ~]# systemctl stop firewalld
[root@ipa2 ~]# systemctl disable firewalld
Note: the --allow-zone-overlap option is only needed if you run your tests with an existing DNS domain such as example.com. Usually you should not use this parameter, so as not to violate the highlander principle (there can be only one authoritative server for a zone).
[root@ipa1 ~]# ipa-server-install --subject="O=EXAMPLE.COM 2016101501" --allow-zone-overlap --setup-dns --forwarder=8.8.8.8 --forwarder=8.8.4.4
Install a replica
The second replica is first set up as a normal IPA client and is then promoted to a replica.
Be sure to point the DNS of the second server at the first replica, so that the SRV records can be discovered and the client is set up correctly.
[root@ipa2 ~]# dnf -y install freeipa-server freeipa-server-dns
Now set up the replica as a client
[root@ipa2 ~]# ipa-client-install
Get a Kerberos Ticket as admin user
[root@ipa2 ~]# kinit admin
Promote to be a replica
[root@ipa2 ~]# ipa-replica-install --setup-dns --setup-ca --forwarder=8.8.8.8 --forwarder=8.8.4.4
Enroll two or more clients
For our tests we need some clients; enroll two or more of them with ipa-client-install, as done for the replica above.
Enable 2FA Authentication
By default, 2FA is not enabled; let's change that:
[root@ipa2 ~]# ipa config-mod --user-auth-type={password,otp}
Add some users
Add one or more users and set a password. Log in and set a new valid password.
To be able to authenticate with both password only and 2FA, we need to provide that information when creating the user. You also need to set an initial password.
[root@ipa2 ~]# ipa user-add --user-auth-type={password,otp} --first Joe --last Doe --shell=/bin/bash jdoe
[root@ipa2 ~]# ipa passwd jdoe
Get a Kerberos ticket for jdoe; you will be prompted to set a new password.
[root@ipa2 ~]# kinit jdoe
Password for jdoe@EXAMPLE.COM:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@ipa2 ~]#
Add a 2FA Soft token
You can assign yourself a soft token with the CLI or WebUI.
[root@ipa2 ~]# ipa otptoken-add jdoe
----------------------
Added OTP token "jdoe"
----------------------
  Unique ID: jdoe
  Type: TOTP
  Owner: jdoe
  Manager: jdoe
  Algorithm: sha1
  Digits: 6
  Clock interval: 30
  URI: otpauth://totp/jdoe@EXAMPLE.COM:jdoe?digits=6&secret=NOBAETXGLCVEW7BSINC6II4XLSPTFPDK&period=30&algorithm=SHA1&issuer=jdoe%40EXAMPLE.COM
[QR code encoding the URI above, rendered as block characters in the terminal]
[root@ipa2 ~]#
You can scan this QR code with FreeOTP or Google Authenticator.
Enforcing 2FA on a host principal
To enforce 2FA on a host, alter the host configuration as follows:
[root@ipa2 ~]# ipa host-mod --auth-ind=otp ipaclient44-fedora24.example.com
You can now try to log in with one and with two factors on that host and on some other hosts to see the difference.
Enforcing 2FA on a service
2FA can also be enforced on a single (Kerberized) service.
[root@ipa2 ~]# ipa service-mod --auth-ind=otp http/ipaclient.example.com
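The following added example is my own model of the decision the KDC makes for the host and service principals configured in the two sections above; it is not FreeIPA or MIT krb5 code. The AS exchange records an "otp" indicator in the TGT only when the second factor was used, and a service ticket for a principal that has an Authentication Indicator set is issued only when the TGT carries one of the required indicators, following the require_auth semantics documented for MIT krb5 (linked under Further reading). The policy table is constructed from the two commands on the page (the HTTP service is written with the conventional upper-case service name), the "intranet" host is a hypothetical principal with no indicator set, and the rejection text mirrors the generic KDC policy error.

```python
from typing import Dict, FrozenSet, NamedTuple, Set, Tuple

# Constructed policy table: the indicators each service principal requires,
# as set above with `ipa host-mod --auth-ind=otp` and
# `ipa service-mod --auth-ind=otp`. An empty set means "no requirement".
SERVICE_POLICY: Dict[str, Set[str]] = {
    "host/ipaclient44-fedora24.example.com@EXAMPLE.COM": {"otp"},
    "HTTP/ipaclient.example.com@EXAMPLE.COM": {"otp"},
    # hypothetical untouched host: password-only tickets are still accepted
    "host/intranet.example.com@EXAMPLE.COM": set(),
}


class Tgt(NamedTuple):
    client: str
    auth_indicators: FrozenSet[str]


def as_exchange(user: str, factors: Set[str]) -> Tgt:
    """Model of the AS exchange: the KDC stamps the TGT with indicators that
    describe how the client authenticated. A password alone yields none; the
    OTP pre-authentication path adds "otp"."""
    if not factors & {"password", "otp"}:
        raise ValueError("no usable authentication factor")
    indicators = {"otp"} if "otp" in factors else set()
    return Tgt(user, frozenset(indicators))


def tgs_decision(tgt: Tgt, service: str,
                 policy: Dict[str, Set[str]] = SERVICE_POLICY) -> Tuple[bool, str]:
    """Model of the KDC's check on a TGS request: when the service requires
    indicators, at least one of them must be present in the client's TGT."""
    required = policy.get(service, set())
    if not required:
        return True, "no Authentication Indicator required"
    satisfied = required & tgt.auth_indicators
    if satisfied:
        return True, "ticket carries " + ", ".join(sorted(satisfied))
    have = ", ".join(sorted(tgt.auth_indicators)) or "none"
    return False, ("KDC policy rejects request: needs one of "
                   f"{', '.join(sorted(required))}, ticket has {have}")


def access_matrix(user: str, factors: Set[str],
                  policy: Dict[str, Set[str]] = SERVICE_POLICY) -> Dict[str, bool]:
    """Which services `user` can get tickets for after logging in with `factors`."""
    tgt = as_exchange(user, factors)
    return {svc: tgs_decision(tgt, svc, policy)[0] for svc in policy}


if __name__ == "__main__":
    for factors in ({"password"}, {"password", "otp"}):
        print(f"jdoe logged in with {sorted(factors)}:")
        tgt = as_exchange("jdoe@EXAMPLE.COM", factors)
        for svc in SERVICE_POLICY:
            ok, why = tgs_decision(tgt, svc)
            print(f"  {'OK  ' if ok else 'DENY'} {svc}: {why}")
```

Running it prints the asymmetry the text describes: with a password-only TGT, jdoe is denied tickets for the two principals marked otp but still gets one for the untouched host, while a TGT obtained with password plus OTP is accepted everywhere. Note that the check happens on the KDC at ticket-issue time, which is why it needs no support on the target host beyond a client that passes the second factor through to the KDC.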
Further reading
There are plenty of documents available on the internet, here is a choice:
- FreeIPA design document about Authentication Indicators http://www.freeipa.org/page/V4/Authentication_Indicators
- Authentication Indicators Test Plan http://www.freeipa.org/page/V4/Authentication_Indicators/Test_Plan
- MIT Kerberos 5 Documentation https://web.mit.edu/kerberos/krb5-devel/doc/admin/auth_indicator.html
Have fun 🙂
Hello,
It is required to set the owner of the OTP to the user himself.
For example, if you run the ipa otptoken-add command as admin for a certain user, the user admin becomes the owner, which will result in login failures.
Therefore, add the --owner option as well (by default it takes self).
Of course if you run the command as the user himself, you don’t have the issue. But that will be another story about the correct rights for it 😉
Daniel
For soft tokens the best method is self-enrolment by the users via the WebUI. Regular users cannot set the owner.
For Yubikeys you had better add them as an admin user and provide the --owner parameter accordingly.
Hi all
Regarding software 2FA using the Google Authenticator app: we tested both the LastPass and Authy Android apps, and the token they provided differed from the one FreeOTP provided.
Are there any known issues with Authy and LastPass?
I only tested FreeOTP and Google Authenticator. As long as the tokens you used for your tests follow the TOTP or HOTP algorithms, it should work.
Hello!
It is not clear to me how to prevent the use of OTP on some selected servers. I’m trying to avoid 2FA on RHEL6 servers, because it is not supported there, but it is enabled by default on all servers registered in my FreeIPA installation if the user has an OTP token enabled.
For instance, if I disable my OTP token (or if I don’t have one), I can log in to my RHEL6 servers correctly, but I still receive a request for the “Second Factor” on my RHEL7 servers. If I re-enable my (or add an) OTP token, then I can log in successfully to my RHEL7 servers, but not any more to my RHEL6 servers.
Is there a way to achieve what I’m looking for?