Two-Factor Authentication (2FA) support

In order to meet modern security standards, supporting 2FA is necessary. I don’t know of an exact solution, but OTP support for LDAP should exist, right?

One option is to move away from the basic OpenLDAP + SSOwat to a more out-of-the-box, full-fledged auth system like FreeIPA, which does support OTP.

An important thing to keep in mind is that it must remain as easy as possible for third party apps to integrate with it.

Does anyone have experience with a system that can do this?

2 Likes

As far as I know there is no FOSS solution other than SSOwat for an LDAP-based web SSO that supports nginx (except maybe lemonLDAP, but its nginx support is at a very early stage…), so unless you code 2FA for SSOwat there is no solution for Yunohost.

FreeIPA looks very heavy for a system like Yunohost and I don’t think it provides a web SSO.

2FA could be as simple as entering a more complex password every time. That way the SSO does not need to know, only the LDAP backend.

F.e. a password consisting of your regular password + an OTP code. It’s the LDAP server that tells the SSO whether the password is fine. Of course UI support for separately entering your OTP would be more convenient, but as far as I’m concerned, having the option of 2FA is far more important than how convenient the solution is.

Google Authenticator is open source. How hard would that be to implement?
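
The "regular password + OTP code" scheme suggested above, sketched as an added example (not code from SSOwat, YunoHost or any poster): an RFC 6238 TOTP generator of the kind Google Authenticator-style apps use, plus a backend check that splits the combined credential and rejects replayed codes. The `Account` class, its fields and the demo secret are assumptions made for illustration.

```python
import base64, hashlib, hmac, os, struct

STEP, DIGITS = 30, 6

def totp(secret_b32, unix_time):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits)."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def split_credential(combined):
    """Split password + 6-digit OTP suffix; None when no OTP suffix is present."""
    otp = combined[-DIGITS:]
    if len(combined) <= DIGITS or not (otp.isascii() and otp.isdigit()):
        return None
    return combined[:-DIGITS], otp

class Account:
    """Hypothetical backend record: password hash, TOTP secret, replay guard."""
    def __init__(self, password, secret_b32):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.secret_b32 = secret_b32
        self.last_step = -1  # highest time step already accepted

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def verify(self, combined, now, window=1):
        parts = split_credential(combined)
        if parts is None:
            return False
        password, otp = parts
        pw_ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        matched, current = None, now // STEP
        for step in range(max(0, current - window), current + window + 1):
            # Tolerate small clock drift, but never accept an already-used step.
            if step > self.last_step and hmac.compare_digest(
                    totp(self.secret_b32, step * STEP), otp):
                matched = step
        if pw_ok and matched is not None:
            self.last_step = matched
            return True
        return False

# Constructed demo secret: the RFC 6238 test key, base32-encoded.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()
```

Because the SSO only forwards one string, the replay guard and the drift window have to live in the backend that checks it; without `last_step`, a captured password+OTP string stays valid for the rest of its time window.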

Hey !

Reviving this topic a bit…
The new kid in town for 2FA is U2F which has some advantages over OTP.

From my recent readings, it should be possible to implement U2F (and/or OTP) in SSOwat. Libraries, or full servers with REST APIs, exist for managing these protocols, and could be interfaced with the Yunohost SSO.
The Yubico developer website is full of resources about this.
The U2F/OTP would be an additional authentication layer, on top of the existing LDAP password. This would not be plugged directly into the LDAP server.

I just bought a Yubikey 4 and will experiment a few things for fun, as time permits. Adding U2F for SSOwat would probably be my first game.

Still, this won’t solve the whole problem: having 2FA for the SSO does not mean you have it for the other open doors on your server (IMAP/POP, SMTP, XMPP, …). Protecting all authenticated services of our ynh servers would require different approaches, and more effort. For example, enforcing connections to those services only from a VPN, with the VPN certificate being stored and protected on a hardware device, might be the beginning of a solution.

1 Like

Hi Juju !

I am currently starting to get a (noob’s) interest in all this stuff… Getting my hands on GPG and KeePassX at the same time makes my brain boil a bit but it should prove useful in the long term.

I will probably buy a couple of Yubikeys too (possibly a nano for my future Pyra and also a normal one for other devices, but this one would stay at home). Or an equivalent, don’t know yet (not sure about that proprietary stuff but these seem to be mechanically better, which is also important to me).

Anyway, if something comes around in Yunohost and you need a noob with an Internet Cube for testing beta, I can probably help 🙂

Hey everyone,

I prefer to post on this topic instead of creating another one. So I am currently looking for a two-factor authentication solution for my company. I have tested OpenOTP but the offline authentication, which is very important for my company, isn’t possible.
So I am asking you if you know any solution that supports OS login with a second factor even when the laptop is offline (for Windows, Linux and Mac OS). Moreover, the solution has to support SAML 2.0 and SSO. And of course, if you have an idea of the price it will be wonderful 😃

Regards !

Is there any news about OTP/2FA support on yunohost?
Looking on the forum and in the news, I can’t find any updated information, but I think that it will be a huge feature for security’s sake.

3 Likes

Btw there’s a follow-up issue for people interested : https://github.com/YunoHost/issues/issues/238

Hello

My goal is to install MFA on Yunohost. As the MFA solution, I am using Privacyidea.

Step 1: connecting Privacyidea to the LDAP of Yunohost.

Config in Privacyidea
Add a new resolver. Go to Config → Users → New Ldapresolver

STARTTLS: Activated
TLS version: 1.2
Base DN: ou=users,dc=yunohost,dc=org
Bind DN: uid=admin_user,ou=users,dc=yunohost,dc=org
Bind Type: Simple
Bind Password: the password of a user that is in the admin group
Preset: OpenLdap

Config in Yunohost server

/etc/ldap/ldap.conf

URI    ldap://localhost:389 ldaps://local_IP_of_yuno_server:636
yunohost firewall allow TCP 636
systemctl restart slapd.service

In /etc/default/slapd

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldap://local_IP_of_yuno_server:389 ldaps:/// ldapi:///"
yunohost firewall allow TCP 389
systemctl restart slapd.service

Step 2: connecting Privacyidea to Yunohost

I found this plugin: LUA based NGINX Authentication plugin for privacyIDEA.

It allows connecting Privacyidea to an NGINX server.
It is written in LUA. So all the conditions are here to work with the ssowat of Yunohost.

But I don’t know how to implement it.
Which config file of NGINX in Yunohost should I alter: the ssowat.conf or the global.conf, or both?

1 Like
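
The `SLAPD_SERVICES` change in the post above opens a plain `ldap://` listener on a LAN address. As an added example (not part of the post, and not YunoHost or privacyIDEA code), this check parses that setting and lists the listeners that can carry a cleartext simple bind. The function names are hypothetical and the sample line is constructed, with the documentation address `192.0.2.10` standing in for `local_IP_of_yuno_server`.

```python
import ipaddress
import re
import shlex
from urllib.parse import urlsplit

def parse_slapd_services(defaults_text):
    """Return the listener URLs from the SLAPD_SERVICES= line of /etc/default/slapd."""
    for line in defaults_text.splitlines():
        m = re.match(r"\s*SLAPD_SERVICES=(.*)", line)
        if m:
            # shlex removes the shell quoting; the value is a space-separated list.
            return " ".join(shlex.split(m.group(1))).split()
    return []

def classify(url):
    """Classify one slapd listener URL by the transport protection it offers."""
    parts = urlsplit(url)
    if parts.scheme == "ldapi":
        return "local-socket"          # Unix socket, never on the network
    if parts.scheme == "ldaps":
        return "tls"                   # TLS from the first byte
    if parts.scheme != "ldap":
        return "unknown"
    host = parts.hostname
    if host is None:
        return "cleartext-capable"     # empty host means all interfaces
    if host == "localhost":
        return "loopback"
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = False               # a name we cannot resolve offline: assume exposed
    return "loopback" if loopback else "cleartext-capable"

def exposed_cleartext_listeners(defaults_text):
    """ldap:// listeners reachable off-host; binds there are only safe with StartTLS."""
    return [u for u in parse_slapd_services(defaults_text)
            if classify(u) == "cleartext-capable"]

# Constructed sample mirroring the setting in the post.
SAMPLE = 'SLAPD_SERVICES="ldap://127.0.0.1:389/ ldap://192.0.2.10:389 ldaps:/// ldapi:///"'
```

A listener reported here is acceptable only when every client negotiates StartTLS before binding, as the resolver settings in the post do, or when slapd itself refuses binds on unprotected connections.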

Hello,
Because there’s still no 2FA solution built into Yunohost, I’m interested in the outcome of your attempt.
Did you manage to make it work?
If so, could you please share your setup steps?
Many thanks in advance.

1 Like