I realize that 2FA for Cockpit landed in NethServer, which is amazing! Thanks for all the good work.
Recently I was asked if I could make user logins on Windows 10 clients to the NethServer-created Active Directory domain require a second factor, and started digging the net for 2FA. There are different open-source and commercial options out there, and I am still reading, but I decided to ask here too what the possible solutions would be. We have a limited user base (<15).
I am starting to look into privacyIDEA, a fork of LinOTP. It is open source and should work with a privacyIDEA server and their Credential Provider, which can be bought or compiled by oneself. So I am starting to read their documentation and will post my results here, but I would also be glad if there are other suggestions to look at and/or if someone wants to share their experiences/expertise.
After disabling firewalld (systemctl mask --now firewalld) I can access the privacyIDEA server.
Rollout of a token for the local root user is very easy. Then I installed FreeOTP, scanned the QR code, and tested the 6-digit token -> success.
I need help, as I have no idea yet how to link this with domain users from my NethServer Active Directory domain. Maybe someone could step in and see if it is possible to integrate this in NethServer itself? In the meantime my next steps will be to look at how to compile the credential provider that will have to be installed on the Windows 10 systems, and to read their documentation in general. Frankly, at the moment I have no idea how their credential provider can be compiled. There is no documentation, as they sell the MSI.
I would love to help with testing within NethServer, but I don't know how to proceed, so thanks in advance for your help.
I know, and as they sell a compiled MSI, they do not document how to compile it, but I hope they will provide the needed info in the issue I opened.
In the meantime I can report that the LDAP binding works fine. I have put in the following info:
Base-DN: ou=user(in our case: Benutzer),dc=ad,dc=ourdomain,dc=com
Bind Password: Found under Nethserver/System/User&Groups/Details
So now I am able to query my AD users and assign them a token. Furthermore, I could test the token, and it reports success when entering the OTP generated with the FreeOTP app on my Android phone.
So all good: as soon as the credential provider installer is successfully compiled, the solution will work.
I don't know, though, how and where the privacyIDEA server installation could be implemented in NethServer. Maybe someone else is willing to integrate this feature? The need for a separate VM for the privacyIDEA server would then become obsolete, as installation on CentOS 7 is supported and documented. This way we could have a nice open-source and beautifully working solution within NethServer.
As it turns out, our boss is now not sure anymore whether 2FA on local logins is really mandatory. I will nevertheless report in this thread if I get any information on the last remaining issue regarding the compilation of the credential provider that needs to be installed on Windows 10 clients.
But I must implement 2FA for VPN connections, so the question on that is:
Do we have something implemented for this within NethServer?
privacyIDEA apparently supports PAM and RADIUS for OpenVPN - could those be used, and does it make sense? (Frankly, I don't know much about RADIUS, so I am open to any suggestions.)
Last but not least - having an OPNsense router securing my network (thanks Andy) I will also have a look at what can be done on that layer.
Right now I am trying to establish an LDAP connection from OPNsense to the NethServer LDAP as I did with privacyIDEA, but I have not succeeded yet.
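Since the thread tests 6-digit FreeOTP codes against the privacyIDEA server, here is an added example (not code from the thread or from privacyIDEA) of how such a TOTP code is derived from the enrolled secret and how a server verifies it with a clock-skew window and replay protection; the secret is the RFC 6238 test key, constructed here as a sample.

```python
# Added example: RFC 4226 HOTP / RFC 6238 TOTP, the scheme behind the 6-digit
# codes FreeOTP generates and the server checks. Not privacyIDEA's own code.
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test key, base32-encoded as it would appear
# in the otpauth:// URI inside the enrollment QR code.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server-side check: accept codes within +/- `window` time steps of now,
    and never accept a step at or below the last one used (replay defence)."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30):
        self.secret, self.window, self.step = secret_b32, window, step
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed, or older than the last success
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("current code for the sample secret:", totp(SAMPLE_SECRET_B32, int(time.time())))
```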