SUSE® Presentation (44 pt.) · What is OAUTH? Most Have familiarity with TOTP -Google...

Secure AuthenticationTwo Factor Authentication

LDAP Based SSH Keys

Mark Gardner | UMB Financial Corporation

Noor Kreadly | Federal Reserve Bank of Kansas City

Prerequisites

2

Software Used

• eDirectory 9.0

• iManager 3

• Nmashotp utility

• https://download.novell.com/Download?buildid=BfnNcVX8U_I

- Bundled with nmas

• Yubikey Personalization tool

3

Directory Setup

• Needs CA configured

• Must have Intruder Detection enabled for Lockout

• Password Policy that Enables Universal Password

4

Other Setup

Configure the CA

https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algori

thm

5

Hashed One Time Passwords (HOTP)

6

What is HOTP

What is OAUTH?

Most Have familiarity with TOTP

- Google Authenticator

- RSA Secure ID token

7

Comparison of HOTP and TOTP

• Secret

• Counter

• HMAC = Short “Token”

• Can be appended to normal password

Hashed One Time Password

• Secret

• Time

• Hashed to Generate “Token”

• Typically Requires client awareness

Timed One Time Password

8

Using Yubikey as a HOTP provider

9

Yubikey by Yubico

Innovative keys offer strong authentication via Yubico one-time passwords

(OTP), FIDO Universal 2nd Factor (U2F), and smart card (PIV, OpenPGP,

OATH) — all with a simple tap or touch of a button. YubiKeys protect

access for everyone from individual home users to the world’s largest

organizations.

10

Yubikey Customization Tool

11

Enable Users to Require HOTP

12

NMAS has HOTP already

• Included with NMAS in 2007

• Requires tool nmashotpconf

- Currently packaged with “Identity Assurance Suite”

- Nmashotp requires libraries from 8.8 but works just fine with eDirectory 9

- Missing libraries can be extracted from 8.8 rpms with cpio, or just take the shortcut and get it from my blog

Hashed One Time Password was developed in 2005

13

Get nmashotpconf1. Extract eDirectry 8.8.8.8 to /usr/local/src/

2. Extract nmas3333-client.tgz to /usr/local/src

3. Move all the nams files to /root/bin/

4. cp /usr/local/src/3333/linux_x64/final/* /root/bin/

5. rpm2cpio /usr/local/src/eDirectory/setup/novell-NLDAPbase-8.8.8.8-0.x86_64.rpm | cpio-ivd ./opt/novell/eDirectory/lib64/libldapssl.so*

6. rpm2cpio /usr/local/src/eDirectory/setup/novell-NLDAPbase-8.8.8.8-0.x86_64.rpm | cpio-ivd ./opt/novell/eDirectory/lib64/libldapx.so*

7. rpm2cpio /usr/local/src/eDirectory/setup/novell-NLDAPsdk-8.8.8.8-0.x86_64.rpm |cpio -ivd ./opt/novell/eDirectory/lib64/libldapsdk.so*

8. mv opt/novell/eDirectory/lib64/* .

14

Configuration Notes

Once the token has been configured the output file contains the

counter and the RAW secret. This information needs to be

protected and will be used in a later step.

15For Internal Use Only

Alternative OTP Providers

Fortunately OATH is an open standard and anyone can create a

device/software that is HOTP compatible.

• Google Authenticator

• Yes, it has a HTOP mode

• DuoKey

• Fortinet Tokens

• SafeID

16For Internal Use Only

Configure the Account

• The public key in pem format is required for this to work.

• ./nmashotpconf -h ldap.gtopia.org -p 636 -d cn=admin,o=gtopia -w ******* -e

/usr/local/src/GTOPIA.crt -t B64 -r 6 -y 6 -u cn=mark,ou=users,o=gtopia -d 8 -c 0 -o ENABLE

-s f5110f3be09fdb06d8fc0382c1f20da001ce85cf -f RAW

Use nmashotpconf

17For Internal Use Only

DEMO# ndslogin mark.users.gtopia -p markus

eDirectory Login: logged in as .CN=mark.OU=users.O=gtopia.GTOPIA.

# ./nmashotpconf -h ldap.gtopia.org -p 636 -D cn=admin,o=gtopia -w ***** \

-e /usr/local/src/GTOPIA.crt -t B64 -r 6 -y 6 -u cn=mark,ou=users,o=gtopia \

-d 8 -c 0 -o ENABLE -s f5110f3be09fdb06d8fc0382c1f20da001ce85cf -f RAW

# ndslogin mark.users.gtopia -p markus

Login for mark.users.gtopia.GTOPIA: failed, system failure (-632)

# ndslogin mark.users.gtopia -p markus96147987

eDirectory Login: logged in as .CN=mark.OU=users.O=gtopia.GTOPIA.

# ndslogin mark.users.gtopia -p markus96147987

Login for mark.users.gtopia.GTOPIA: failed, failed authentication (-669)

# ndslogin mark.users.gtopia -p markus48607419

eDirectory Login: logged in as .CN=mark.OU=users.O=gtopia.GTOPIA.

For Internal Use Only 18

Lockout Demonstration# ndslogin mark.users.gtopia -p markus48607419

[1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf: ldap.OU=servers.O=gtopia.GTOPIA

Login for mark.users.gtopia.GTOPIA: failed, failed authentication (-669)

# ndslogin mark.users.gtopia -p markus4860741

[1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf: ldap.OU=servers.O=gtopia.GTOPIA

Login for mark.users.gtopia.GTOPIA: failed, failed authentication (-669)

# ndslogin mark.users.gtopia -p markus4860

[1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf: ldap.OU=servers.O=gtopia.GTOPIA

Login for mark.users.gtopia.GTOPIA: failed, login lockout (-197)

# ndslogin mark.users.gtopia -p markus10802444

[1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf: ldap.OU=servers.O=gtopia.GTOPIA

Login for mark.users.gtopia.GTOPIA: failed, login lockout (-197)

For Internal Use Only 19

Configure SSSD

20

Prepare LDAP for SSH Keys

Schema Extensions to Add

- Other option would be to Extend the PosixUser Class to add an

optional openSSH Public Key Attributedn: cn=openssh-openldap,cn=schema,cn=config

objectClass: olcSchemaConfig

cn: openssh-openldap

olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES

C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.

1.1466.115.121.1.40 )

olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC

'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicKey $

uid ) )

21For Internal Use Only

The SSSD configuration

Next, add the option to your /etc/sssd/sssd.conf file:

[sssd]

config_file_version = 2

services = nss,pam,ssh

22

Configure SSH Daemon

The final step is to add a couple of lines to your

/etc/ssh/sshd_config file. Using

#vim /etc/ssh/sshd_config“

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

AuthorizedKeysCommandUser root

23

Thank You

25

26

Unpublished Work of SUSE LLC. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE LLC.

Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their

assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated,

abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE.

Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a

product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making

purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and

specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The

development, release, and timing of features or functionality described for SUSE products remains at the sole discretion

of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time,

without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this

presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-

party trademarks are the property of their respective owners.