Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Simple two-factor authentication module - brief
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
slis
Retired Dev
Retired Dev


Joined: 11 Oct 2010
Posts: 67
Location: Limanowa

PostPosted: Mon Jul 15, 2013 12:06 pm    Post subject: Simple two-factor authentication module - brief Reply with quote

Hi all!

I'll start with a bit of background. I am writing a pam module for two-factor authentication. I've it almost ready, implemented in Python using pam_python, but unfortunately pam python module and python bindings for pam, so I'm unable to finish it that way (I'm re-writing the module in C).

But, maybe someone want to use this little script? if so, please let me know.
What it does:
- authentication by time and ip address (configurable)
- sms (via gnokii) & email notification, for both: defined administrators and account owner
- two-factor authentication (not finished, as I'm unable to finish it that way, but if someone will write some simple backend for temporary code verification, it's ready from the module side)

How this module works (in short):
1. Admin defines timeperiods (day of week and hour of the day) between users are allowed to use simple (one factor) authentication
2. Admin defines IPs, from which users use simple authentication
3. If any of (1 or 2) fails, user is forced to use two factor authentication (but only if user is listed in allowed to use it)
4. SMS with generated temporary code is sent to user
5. User openes prepared web app (this is where pam modules are conflicting :( ) and enters auth data + temporary code
6. Temporary session is opened for user on specified Ip address
7. Now, user may open webapps (using pwauth or similar), read mails through imap, send mails and so

There are some weak points in this, for example opening a session for another ip address (opening session for mobile mail reader from PC), but all of those could be fixed quite easily.


When I'll be ready with c module and someone would be interested, I may publish it as well.

Best regards,
Sławek
Back to top
View user's profile Send private message
grey_dot
Tux's lil' helper
Tux's lil' helper


Joined: 15 Jul 2012
Posts: 142

PostPosted: Tue Jul 16, 2013 2:38 pm    Post subject: Reply with quote

Are you sure you need pam? Using it for external services (e.g. email) authentication is not a really wise idea. And using pam together with python is just wrong since each alone is already slow enough.

What you really need is LDAP.
Back to top
View user's profile Send private message
slis
Retired Dev
Retired Dev


Joined: 11 Oct 2010
Posts: 67
Location: Limanowa

PostPosted: Tue Jul 16, 2013 3:56 pm    Post subject: Reply with quote

Thanks for your advice. I'm using PAM couse I just do not need LDAP and all of it's features. PAM is more than enough for me.

And as of using python - it was great for me when testing the solution. Now, as I noted in my first post, I'm re-writing all module into C. I won't be able to compare speed of those two solutions, because python-written pam module is conflicting in some point.

I wrote this post so maybe someone will need some day something similar and I would be able to help.

Can you please elaborate a bit more about what you mean that it's not wise idea?

Thanks!
Back to top
View user's profile Send private message
steveL
Watchman
Watchman


Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

PostPosted: Wed Jul 17, 2013 1:08 pm    Post subject: Reply with quote

I'm not sure why you have to do this via a webapp: it sounds like a bad idea to me, because you're adding many layers that are known to be problematic in security terms. It's fine for the webapp itself (there's no other way to run a webapp, after all) but not for opening up access to the network, imo.

I'd use net-misc/knock if I were you. You can set up login via ssh, after a shared-known sequence. So the ssh port isn't open normally.
Back to top
View user's profile Send private message
grey_dot
Tux's lil' helper
Tux's lil' helper


Joined: 15 Jul 2012
Posts: 142

PostPosted: Wed Jul 17, 2013 7:13 pm    Post subject: Reply with quote

slis wrote:
Thanks for your advice. I'm using PAM couse I just do not need LDAP and all of it's features. PAM is more than enough for me.

And as of using python - it was great for me when testing the solution. Now, as I noted in my first post, I'm re-writing all module into C. I won't be able to compare speed of those two solutions, because python-written pam module is conflicting in some point.

I wrote this post so maybe someone will need some day something similar and I would be able to help.

Can you please elaborate a bit more about what you mean that it's not wise idea?

Thanks!


Mostly because you expose users present in your system to third parties, and because anyone can try to authenticate through your pam module. Imagine if it or pam itself has a security hole. With your approach it will result in your system being compromised, which I suppose is not what you are trying to achieve.
Back to top
View user's profile Send private message
slis
Retired Dev
Retired Dev


Joined: 11 Oct 2010
Posts: 67
Location: Limanowa

PostPosted: Wed Jul 17, 2013 7:39 pm    Post subject: Reply with quote

steveL: thanks for the idea, but it's not that I need right now. My users are not IT professionals, they just want to get access into their mail accounts and some webapps. I need something that: 1. will notify me, and the user, when someone (also the user itself) will access account from external network or beyond workhours; 2. will add extra verification step in such situation.
The webapp will not open access itself, it will only be used to pass user data somewhere, so the pam module could reach it later. Technically there is even no possibility to tell if data entered are correct, or not (asymmetric encryption used).

grey_dot: but pam is widely used any system can have (and probably have) holes. I agree, that my pam module can be compromised easier that pam itself, indeed, it was main reason that refrain me from writing such module for a long time. But, I thought, if I won't start it won't be done, and any hole could be fixed, right?
And one more: as you've suggested, I should use LDAP. In my opinion, pam is simpler that ldap, and more simple is library, the harder work is to compromise it, and if something is more complex, the easier admin could fail on configuration.

Also, I think pam is hard to f**k up, as even when my module will be completely broken, allowing any person to enter, they are all other (system) modules, which will not.

Any suggestions are welcome! And thanks for your interests.

Sławek
Back to top
View user's profile Send private message
grey_dot
Tux's lil' helper
Tux's lil' helper


Joined: 15 Jul 2012
Posts: 142

PostPosted: Wed Jul 17, 2013 8:56 pm    Post subject: Reply with quote

slis wrote:
grey_dot: but pam is widely used any system can have (and probably have) holes. I agree, that my pam module can be compromised easier that pam itself, indeed, it was main reason that refrain me from writing such module for a long time. But, I thought, if I won't start it won't be done, and any hole could be fixed, right?
And one more: as you've suggested, I should use LDAP. In my opinion, pam is simpler that ldap, and more simple is library, the harder work is to compromise it, and if something is more complex, the easier admin could fail on configuration.


You miss the point. If you have compromised LDAP (given that you do not have your system authentication set up through that LDAP, and your LDAP server is running chrooted), all that is compromised is LDAP server. On the other hand, if somebody breaks pam, the whole system is screwed. You can use whatever you find pleasing, but it's a very bad idea to mix system and services accounts.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum