I realize that 2FA for Cockpit landed in NethServer, which is amazing! Thanks for all the good work.
Recently I was asked if I can implement user logins on Windows 10 clients to the NethServer-created Active Directory domain so that they require a second factor, and started digging the net for 2FA. There are different open-source and commercial options out there, and I am still reading, but I decided to ask here too what the possible solutions would be. We are a limited user base (<15).
I am starting to look into privacyIDEA, a fork of LinOTP. It is open source and should work with a privacyIDEA server and their Credential Provider, which can be bought or compiled by oneself. So I am starting to read their documentation and I will post my results here, but I would also be glad if there are other suggestions to look at and/or if someone wants to share his experiences/expertise.
These are the steps, I took so far to install the privacyIDEA (linotp fork) server:
Grab the NethServer CD and install CentOS 7 on a new VM, which is located in my red network. (I do not want to screw up my NethServer VM, thus I decided to test privacyIDEA on a separate CentOS 7 VM.)
After I have disabled firewalld (systemctl mask --now firewalld) I can access the privacyIDEA server.
Rollout of a token for the local root user is very easy. Then I installed FreeOTP, scanned the QR code, and tested the 6-digit token -> success.
I need help, as I have no idea yet how to link this with domain users from my NethServer Active Directory domain. Maybe someone could step in and see if it is possible to integrate this in NethServer itself? In the meantime my next steps will be to look at how to compile the credential provider that will have to be installed on the Windows 10 systems, and to read their documentation in general. Frankly, at the moment I have no idea how their credential provider can be compiled. There is no documentation, as they sell the MSI.
I would love to help testing within NethServer but I don't know how to proceed, so thanks in advance for your help.
Thanks, I’ll try so and report back. In the meantime I opened an issue, as I am not able yet to compile their credential provider. See here, maybe someone knows, what my vs2019 is missing:
Apparently the DLLs cannot be compiled because some include files are missing?
I know, and as they sell a compiled MSI, they do not document how to compile it, but I hope they will provide the needed info in the issue I opened.
In the meantime I can report that the LDAP binding works fine. I have put in the following info:
ServerURI: ldaps://ad.ourdomain.com
Base-DN: ou=user(in our case: Benutzer),dc=ad,dc=ourdomain,dc=com
Bind-DN: ldapservice@ad.ourdomain.work
Bind Password: Found under Nethserver/System/User&Groups/Details
So now I am able to query my AD users and assign them a token. Furthermore, I could test the token, and it reports success when entering the OTP generated with the FreeOTP app on my Android phone.
So all good, as soon as the credential provider installer is successfully compiled, the solution will work.
I don't know, though, how and where the privacyIDEA server installation could be implemented in NethServer. Maybe someone else is willing to integrate this feature? The need for a separate VM for the privacyIDEA server would then become obsolete, as installation on CentOS 7 is supported and documented. Like this we could have a nice open-source and beautifully working solution within NethServer.
As it turns out, our boss is now not sure anymore if 2FA on local logins is really mandatory. I will nevertheless report in this thread if I get any information on the last remaining issue regarding the compilation of the credential provider that needs to be installed on the Windows 10 clients.
But I must implement 2fa for vpn connections, so the question on that is,
Do we have something implemented for this within nethserver?
privacyIDEA apparently supports PAM and RADIUS for OpenVPN - could those be used, and does it make sense? (I don't know much about RADIUS, frankly, so I am open to any suggestions.)
Last but not least - having an OPNsense router securing my network (thanks Andy) I will also have a look at what can be done on that layer.
Right now, I am trying to establish an ldap connection from opnSense to nethserver ldap as I did with privacyIDEA, but I did not succeed yet.
One is pending tests, if you want to have a go: all users are forced to OTP, and a user needs to give only the otp_pin instead of his password.
The other related PR is to increase security; in short, now you can log in with a good login/password and with the certificate of another user, and this issue solves it.
I tested another way to add OTP with Google Authenticator; for now it is just a PR, not merged. The advantages of GA are:
all users are not forced to OTP
users must give their password + otp_pin in the same input
cons: the recovery codes displayed in the UI are not valid