Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:58 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 6 posts ] 
Author Message
PostPosted: Wed Jan 11, 2012 11:54 pm 
Offline

Joined: Wed Jan 11, 2012 8:48 pm
Posts: 5
My goal is to have an LDAP server that I can bind to using a two-factor password (regular and OTP concatenated), and to have the password and yubikey ID stored in that LDAP server. Also, some users should have regular passwords only.

So far I've managed single-factor authentication like so:
  • Simple bind to OpenLDAP
  • OpenLDAP looks in the userPassword attribute. If it's a regular password ({CRYPT} or {SSHA}), authentication stops here. For Yubikey, it contains "{SASL}username".
  • username and password are passed to saslauthd, which invokes PAM
  • PAM calls pam_yubico, which checks the OTP against the validation server
  • pam_yubico connects back to the LDAP server, retrieves the yubikeyID attribute for the user, and checks that it matches the validated OTP.

The only way I can think of to real two-factor auth is to set up a proxy LDAP server in front of the main one, where the main one contains a real password in userPassword, and the proxy replaces userPassword with {SASL}username if there's a yubikeyId attribute. PAM would then call pam_ldap to bind to the backend server using the real password, after pam_yubico has stripped the OTP off the end of the password string.

This seems like it's getting way too complicated, plus it would be a headache to keep the proxy in sync with the backend. Am I missing some easier way to do this? I'd think this would be a pretty common use case, but I can't find any documentation on this setup.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Mar 06, 2012 11:25 am 
I might misunderstand what you mean, but wouldn't this work?

1) use pam_yubico to validate OTP, and look in LDAP for an attribute (available using anonymous bind) containing the public_id to username mapping
2) if step 1 was successful, the pam_yubico module would have stripped the OTP from the authtoken and pam_ldap can be used to do an authenticated bind to the LDAP server to verify the password

/Fredrik


Top
  
Reply with quote  
PostPosted: Tue Mar 06, 2012 8:15 pm 
Offline

Joined: Wed Jan 11, 2012 8:48 pm
Posts: 5
Not quite; that would generate a loop:
  1. OTP+pass bind to LDAP server
  2. call to saslauthd
  3. OTP+pass handed to pam_yubico
  4. pass only handed to pam_ldap
  5. pass only bind to LDAP server
  6. call to saslauthd
  7. pass only handed to pam_yubico
  8. failure

I ended up solving the problem by writing my own replacement for saslauthd that does exactly what I need:
  1. OTP+pass bind to LDAP server
  2. call to custom saslauthd
  3. saslauthd splits OTP and password
  4. validates OTP directly
  5. queries LDAP (without binding as the user) for yubikey ID and hashed password
  6. validates yubikey and password

I'm hoping to publish it as open-source, but I need to get an OK from my company first. I'll post a link here if/when it's available.


Top
 Profile  
Reply with quote  
PostPosted: Fri Mar 30, 2012 8:58 pm 
Offline

Joined: Fri Mar 30, 2012 8:56 pm
Posts: 1
bjencks wrote:
I ended up solving the problem by writing my own replacement for saslauthd that does exactly what I need:
  1. OTP+pass bind to LDAP server
  2. call to custom saslauthd
  3. saslauthd splits OTP and password
  4. validates OTP directly
  5. queries LDAP (without binding as the user) for yubikey ID and hashed password
  6. validates yubikey and password

I'm hoping to publish it as open-source, but I need to get an OK from my company first. I'll post a link here if/when it's available.


Assuming you can't get permission, any hints/tips on modifying saslauthd, looking to do a similar thing here.


Top
 Profile  
Reply with quote  
PostPosted: Tue Apr 03, 2012 6:48 pm 
Offline

Joined: Wed Jan 11, 2012 8:48 pm
Posts: 5
Here it is: https://github.com/meddius/yubisaslauthd

It's pretty short and simple code; I recommend reading it to make sure it does what you expect.


Top
 Profile  
Reply with quote  
PostPosted: Tue Jun 17, 2014 3:49 pm 
Offline

Joined: Thu Jun 05, 2014 7:43 pm
Posts: 3
I understand that this is an old thread but if anyone could provide me with a few pointers on getting this running, I would be very grateful.

I'm running OpenLDAP on Ubuntu.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 6 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group