slis (Retired Dev)
Joined: 11 Oct 2010, Posts: 67, Location: Limanowa
Posted: Mon Jul 15, 2013 12:06 pm
Post subject: Simple two-factor authentication module - brief
Hi all!
I'll start with a bit of background. I am writing a pam module for two-factor authentication. I have it almost ready, implemented in Python using pam_python, but unfortunately pam python module and python bindings for pam, so I'm unable to finish it that way (I'm re-writing the module in C).
But maybe someone wants to use this little script? If so, please let me know.
What it does:
- authentication by time and IP address (configurable)
- SMS (via gnokii) & email notification, for both defined administrators and the account owner
- two-factor authentication (not finished, as I'm unable to finish it that way, but if someone writes some simple backend for temporary code verification, it's ready from the module side)
How this module works (in short):
1. Admin defines time periods (day of week and hour of the day) during which users are allowed to use simple (one-factor) authentication
2. Admin defines IPs from which users may use simple authentication
3. If either of (1 or 2) fails, the user is forced to use two-factor authentication (but only if the user is on the list of those allowed to use it)
4. An SMS with a generated temporary code is sent to the user
5. The user opens a prepared web app (this is where pam modules are conflicting) and enters auth data + the temporary code
6. A temporary session is opened for the user on the specified IP address
7. Now the user may open webapps (using pwauth or similar), read mail through IMAP, send mail and so on
There are some weak points in this, for example opening a session for another IP address (opening a session for a mobile mail reader from a PC), but all of those could be fixed quite easily.
When I'm done with the C module and someone is interested, I may publish it as well.
Best regards,
Sławek
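The decision gate from steps 1 to 3 (one-factor login only inside an admin-defined time window and from an admin-defined network, otherwise require the second factor), as an added example in C that is not slis's module: the windows and networks are constructed sample config, and the PAM glue (reading the client address with pam_get_item(PAM_RHOST) inside pam_sm_authenticate) is left out so the policy logic runs stand-alone.

```c
#include <stddef.h>
#include <stdint.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Constructed sample policy (not a real site's config): one-factor login is
 * allowed Mon..Fri (tm_wday 1..5) during hours 08..17, from two office networks. */
struct window { int wday_from, wday_to, hour_from, hour_to; };
struct cidr   { const char *net; int bits; };

static const struct window WINDOWS[] = { { 1, 5, 8, 17 } };
static const struct cidr   TRUSTED[] = { { "10.0.0.0", 8 }, { "192.168.1.0", 24 } };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* 1 if the dotted-quad IPv4 address lies inside the CIDR block, else 0.
 * Unparsable input (or a NULL pointer) is treated as "not inside". */
int ip_in_cidr(const char *ip, const struct cidr *c) {
    struct in_addr a, n;
    if (ip == NULL || inet_pton(AF_INET, ip, &a) != 1 ||
        inet_pton(AF_INET, c->net, &n) != 1 || c->bits < 0 || c->bits > 32)
        return 0;
    uint32_t mask = c->bits == 0 ? 0 : htonl(0xffffffffu << (32 - c->bits));
    return (a.s_addr & mask) == (n.s_addr & mask);
}

/* Step 1: is this weekday/hour inside an admin-defined window? */
int in_time_window(int wday, int hour) {
    for (size_t i = 0; i < COUNT(WINDOWS); i++)
        if (wday >= WINDOWS[i].wday_from && wday <= WINDOWS[i].wday_to &&
            hour >= WINDOWS[i].hour_from && hour <= WINDOWS[i].hour_to)
            return 1;
    return 0;
}

/* Step 2: does the remote host (what PAM_RHOST would carry) come from a
 * trusted network? A missing rhost (local login, or a service that never
 * set it) fails closed, i.e. counts as untrusted. */
int from_trusted_ip(const char *rhost) {
    for (size_t i = 0; i < COUNT(TRUSTED); i++)
        if (ip_in_cidr(rhost, &TRUSTED[i])) return 1;
    return 0;
}

/* Step 3: one-factor auth needs BOTH checks to pass; if either fails the
 * caller goes on to the SMS-code flow. Returns 1 when a second factor is
 * required, 0 when plain password authentication is enough. */
int needs_second_factor(int wday, int hour, const char *rhost) {
    return !(in_time_window(wday, hour) && from_trusted_ip(rhost));
}
```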
grey_dot (Tux's lil' helper)
Joined: 15 Jul 2012, Posts: 142
Posted: Tue Jul 16, 2013 2:38 pm
Are you sure you need pam? Using it for external services (e.g. email) authentication is not a really wise idea. And using pam together with python is just wrong, since each alone is already slow enough.
What you really need is LDAP.
slis (Retired Dev)
Joined: 11 Oct 2010, Posts: 67, Location: Limanowa
Posted: Tue Jul 16, 2013 3:56 pm
Thanks for your advice. I'm using PAM because I just do not need LDAP and all of its features. PAM is more than enough for me.
And as for using python - it was great for me when testing the solution. Now, as I noted in my first post, I'm rewriting the whole module in C. I won't be able to compare the speed of those two solutions, because the python-written pam module is conflicting at some point.
I wrote this post so that maybe someone will need something similar some day and I would be able to help.
Can you please elaborate a bit more on what you mean by it not being a wise idea?
Thanks!
steveL (Watchman)
Joined: 13 Sep 2006, Posts: 5153, Location: The Peanut Gallery
Posted: Wed Jul 17, 2013 1:08 pm
I'm not sure why you have to do this via a webapp: it sounds like a bad idea to me, because you're adding many layers that are known to be problematic in security terms. It's fine for the webapp itself (there's no other way to run a webapp, after all) but not for opening up access to the network, imo.
I'd use net-misc/knock if I were you. You can set up login via ssh after a shared-known sequence, so the ssh port isn't open normally.
grey_dot (Tux's lil' helper)
Joined: 15 Jul 2012, Posts: 142
Posted: Wed Jul 17, 2013 7:13 pm
slis wrote:
> Thanks for your advice. I'm using PAM because I just do not need LDAP and all of its features. PAM is more than enough for me.
> And as for using python - it was great for me when testing the solution. Now, as I noted in my first post, I'm rewriting the whole module in C. I won't be able to compare the speed of those two solutions, because the python-written pam module is conflicting at some point.
> I wrote this post so that maybe someone will need something similar some day and I would be able to help.
> Can you please elaborate a bit more on what you mean by it not being a wise idea?
> Thanks!

Mostly because you expose users present in your system to third parties, and because anyone can try to authenticate through your pam module. Imagine if it or pam itself has a security hole. With your approach it will result in your system being compromised, which I suppose is not what you are trying to achieve.
slis (Retired Dev)
Joined: 11 Oct 2010, Posts: 67, Location: Limanowa
Posted: Wed Jul 17, 2013 7:39 pm
steveL: thanks for the idea, but it's not what I need right now. My users are not IT professionals, they just want to get access to their mail accounts and some webapps. I need something that: 1. will notify me, and the user, when someone (including the user themselves) accesses the account from an external network or outside work hours; 2. will add an extra verification step in such a situation.
The webapp will not open access itself, it will only be used to pass user data somewhere, so the pam module can reach it later. Technically there is not even a possibility to tell whether the data entered are correct or not (asymmetric encryption is used).
grey_dot: but pam is widely used, and any system can have (and probably has) holes. I agree that my pam module can be compromised more easily than pam itself; indeed, it was the main reason that kept me from writing such a module for a long time. But, I thought, if I don't start it won't be done, and any hole could be fixed, right?
And one more thing: as you've suggested, I should use LDAP. In my opinion, pam is simpler than ldap, and the simpler a library is, the harder it is to compromise, and if something is more complex, the easier it is for an admin to fail on configuration.
Also, I think pam is hard to f**k up, as even when my module is completely broken, allowing any person to enter, there are all the other (system) modules, which will not.
Any suggestions are welcome! And thanks for your interest.
Sławek
grey_dot (Tux's lil' helper)
Joined: 15 Jul 2012, Posts: 142
Posted: Wed Jul 17, 2013 8:56 pm
slis wrote:
> grey_dot: but pam is widely used, and any system can have (and probably has) holes. I agree that my pam module can be compromised more easily than pam itself; indeed, it was the main reason that kept me from writing such a module for a long time. But, I thought, if I don't start it won't be done, and any hole could be fixed, right?
> And one more thing: as you've suggested, I should use LDAP. In my opinion, pam is simpler than ldap, and the simpler a library is, the harder it is to compromise, and if something is more complex, the easier it is for an admin to fail on configuration.

You miss the point. If you have compromised LDAP (given that you do not have your system authentication set up through that LDAP, and your LDAP server is running chrooted), all that is compromised is the LDAP server. On the other hand, if somebody breaks pam, the whole system is screwed. You can use whatever you find pleasing, but it's a very bad idea to mix system and service accounts.