Dear all,
I am investigating if it is possible to use the TOTP overlay in the following concept:
Many thanks for any
- nis related data of users are in ldap
- user ssh access to the system is pubkey only
- after successful authentication also request TOTP via PAM call to slapd (only TOTP, no password)
Does this make sense and can this be achieved?
Thanks in advance,
Bastian Tweddell wrote:
Dear all,
I am investigating if it is possible to use the TOTP overlay in the following concept:
Many thanks for any
- nis related data of users are in ldap
- user ssh access to the system is pubkey only
- after successful authentication also request TOTP via PAM call to slapd (only TOTP, no password)
Does this make sense and can this be achieved?
Sounds more like a question for your SSH server, and whether you can configure it to use PAM after a successful pubkey authentication.
On 17Jan23 17:33+0000, Howard Chu wrote:
Sounds more like a question for your SSH server, and whether you can configure it to use PAM after a successful pubkey authentication.
Yes, PAM is enabled for sshd.
I do not have the full picture how slap-totp works. For me, there are two open questions:
1. From openldap pov: How would I make the bind call to slapd, so that only the TOTP is checked? Would the following be sufficient to achieve 2FA only:
```ldif
userPassword: {TOTP512}$BASE64 # assuming the overlay is configured properly
```
Would it be possible to use another attribute than `userPassword`?
2. PAM integration: This is not a question to this group here, but maybe there are some related ideas. How or which PAM module can be used?
The aim is to avoid copying the TOTP secret of users to the local systems (which are the public accessible hosts).
Many thanks,
Cheers,
--
Bastian Tweddell
Juelich Supercomputing Centre
phone: +49 (2461) 61-6586
HPC in Neuroscience, HPS
Bastian Tweddell wrote:
On 17Jan23 17:33+0000, Howard Chu wrote:
Sounds more like a question for your SSH server, and whether you can configure it to use PAM after a successful pubkey authentication.
Yes, PAM is enabled for sshd.
I do not have the full picture how slap-totp works. For me, there are two open questions:
- From openldap pov: How would I make the bind call to slapd, so that only the TOTP is checked?
If you're talking about the totp module in the contrib source directory, all you need to do is a normal LDAP Simple Bind. LDAP modules for PAM would do this already.
Would the following be sufficient to achieve 2FA only:
userPassword: {TOTP512}$BASE64 # assuming the overlay is configured properly
Yes.
Would it be possible to use another attribute than `userPassword`?
Not with the existing code, no.
- PAM integration: This is not a question to this group here, but maybe there are some related ideas. How or which PAM module can be used?
nss-pam-ldapd / nslcd, whatever the latest supported version is.
The aim is to avoid copying the TOTP secret of users to the local systems (which are the public accessible hosts).
Many thanks,
Cheers,
--
Bastian Tweddell
Juelich Supercomputing Centre
phone: +49 (2461) 61-6586
HPC in Neuroscience, HPS
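To make the answer above concrete: the PAM side sends an ordinary LDAP simple bind whose "password" is nothing but the user's current TOTP code, and the server-side scheme handler recomputes the code from the secret stored in userPassword and compares. The following is an added example of that verifier-side check, written for this thread; it is not code from OpenLDAP, from the contrib totp module or from the posters. It assumes the stored value is the scheme prefix ({TOTP512}, with {TOTP1} and {TOTP256} as assumed analogues) followed by a base32-encoded secret, 6-digit codes over 30-second steps and a one-step tolerance window; the thread's placeholder writes $BASE64, so treat the encoding as this example's assumption rather than the overlay's documented format. The per-user replay guard is likewise this example's own addition: because a TOTP-only bind is authenticated by the code alone, a verifier should refuse to accept the same time step twice.

```python
"""Toy model of the bind-side check a TOTP-only password scheme performs.

Added example, not code from OpenLDAP or from this thread. Assumptions:
the stored value is '{TOTP512}' (or '{TOTP1}' / '{TOTP256}') followed by the
base32-encoded shared secret; codes are 6 digits over 30-second steps; the
replay guard is this example's own addition.
"""
import base64
import hashlib
import hmac
import struct

# Scheme prefix -> HMAC hash. Only {TOTP512} appears in the thread; the other
# two are assumed analogues used here to show the general algorithm.
SCHEMES = {"{TOTP1}": "sha1", "{TOTP256}": "sha256", "{TOTP512}": "sha512"}

STEP = 30      # seconds per time step (assumed default)
DIGITS = 6     # code length (assumed default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, algo: str = "sha1",
         step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // step, digits, algo)


def parse_stored(value: str):
    """Split a stored userPassword value into (hash name, raw secret)."""
    for scheme, algo in SCHEMES.items():
        if value.startswith(scheme):
            return algo, base64.b32decode(value[len(scheme):], casefold=True)
    raise ValueError("not a TOTP scheme value")


class TotpVerifier:
    """Checks the code presented as the simple-bind password against the entry's
    stored secret, with a +/- `window` step tolerance and a per-user replay guard
    so one observed code cannot be reused within its validity window."""

    def __init__(self, window: int = 1):
        self.window = window
        self._last_counter = {}  # dn -> highest counter already accepted

    def check_bind(self, dn: str, stored: str, presented: str, now: int) -> bool:
        algo, secret = parse_stored(stored)
        base = now // STEP
        presented_b = presented.encode()
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            expected = hotp(secret, counter, DIGITS, algo).encode()
            if hmac.compare_digest(expected, presented_b):  # constant-time compare
                if counter <= self._last_counter.get(dn, -1):
                    return False  # replayed code: this step was already accepted
                self._last_counter[dn] = counter
                return True
        return False


# Constructed sample data: the RFC 6238 test seeds, the SHA-512 one stored for
# a hypothetical user entry.
SEED_SHA1 = b"12345678901234567890"
SEED_SHA512 = b"1234567890" * 6 + b"1234"
SAMPLE_DN = "uid=alice,ou=people,dc=example,dc=com"
SAMPLE_ENTRY = {"userPassword": "{TOTP512}" + base64.b32encode(SEED_SHA512).decode()}


def demo() -> tuple:
    """Authenticator side (code generation) and verifier side at Unix time 59:
    first bind succeeds, the replayed code fails, a wrong code fails."""
    v = TotpVerifier(window=1)
    code = totp(SEED_SHA512, 59, algo="sha512")
    first = v.check_bind(SAMPLE_DN, SAMPLE_ENTRY["userPassword"], code, now=59)
    replay = v.check_bind(SAMPLE_DN, SAMPLE_ENTRY["userPassword"], code, now=70)
    wrong = v.check_bind(SAMPLE_DN, SAMPLE_ENTRY["userPassword"], "000000", now=59)
    return code, first, replay, wrong


if __name__ == "__main__":
    print(demo())
```

The `totp` function reproduces the RFC 6238 Appendix B vectors (for example the SHA-512 seed at T=59 gives 90693936 with 8 digits), which is a convenient way to confirm that whichever client generates the code and whichever server checks it agree on the hash, step size and digit count before wiring it into PAM.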
Many thanks to all for your comments. I think I know how this feature can be integrated into our infrastructure. I'll bring this into a testing environment now.
Cheers,
On 17Jan23 21:27+0000, Howard Chu wrote:
Bastian Tweddell wrote:
On 17Jan23 17:33+0000, Howard Chu wrote:
Sounds more like a question for your SSH server, and whether you can configure it to use PAM after a successful pubkey authentication.
Yes, PAM is enabled for sshd.
I do not have the full picture how slap-totp works. For me, there are two open questions:
- From openldap pov: How would I make the bind call to slapd, so that only the TOTP is checked?
If you're talking about the totp module in the contrib source directory, all you need to do is a normal LDAP Simple Bind. LDAP modules for PAM would do this already.
Would the following be sufficient to achieve 2FA only:
userPassword: {TOTP512}$BASE64 # assuming the overlay is configured properly
Yes.
Would it be possible to use another attribute than `userPassword`?
Not with the existing code, no.
- PAM integration: This is not a question to this group here, but maybe there are some related ideas. How or which PAM module can be used?
nss-pam-ldapd / nslcd, whatever the latest supported version is.
The aim is to avoid copying the TOTP secret of users to the local systems (which are the public accessible hosts).
Many thanks,
Cheers,
--
Bastian Tweddell
Juelich Supercomputing Centre
phone: +49 (2461) 61-6586
HPC in Neuroscience, HPS
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
While working on this matter I discovered that there is not only the slap-totp contrib module, but also the slapo-otp openldap module.
With that one, I managed to get bind-authentication + 2FA to work; thanks to the test code in openldap. This works so far when the user entry has a userPassword attribute and is allowed to bind. The bind call also gives the userPassword and 2FA token in the credentials.
Now I would like to achieve that only TOTP authentication is done. Would this be possible with slapo-otp? Or am I in a dead end here?
(see attached info.txt ldif, console and slapd debug)
Many thanks,
Bastian Tweddell wrote:
While working on this matter I discovered that there is not only the slap-totp contrib module, but also the slapo-otp openldap module.
With that one, I managed to get bind-authentication + 2FA to work; thanks to the test code in openldap. This works so far when the user entry has a userPassword attribute and is allowed to bind. The bind call also gives the userPassword and 2FA token in the credentials.
Now I would like to achieve that only TOTP authentication is done. Would this be possible with slapo-otp? Or am I in a dead end here?
Use the contrib module instead, it only does TOTP and nothing else.
On 18Jan23 16:53+0000, Howard Chu wrote:
Use the contrib module instead, it only does TOTP and nothing else.
In the meanwhile we have a working testbed and I would like to thank you for your valuable input.
Cheers,
openldap-technical@openldap.org