chain two authentication modules together
Alexander Clouter
alex at digriz.org.uk
Sat Jun 18 12:10:27 CEST 2011
madmatrix <hailumeng at gmail.com> wrote:
>
> Thanks a lot Alexander. I'm familiar with python. So rlm_python might
> be a good choice for me. The main thing I want to do is to give remote
> vpn client a two-factor authentication.
>
Depending on how your VPN works and what the clients can support, you
could use the OTP to create the tunnel, and then EAP on the inside to
authenticate (and VLAN assign) the user. It would complement any
wireless/wired 802.1X solution you have on site perfectly too.
Although a good plan, as the OTP being the first hop means your user
credentials cannot be brute forced, you might find it complicated to
pull off; at a first glance I am not sure how something like IPsec could
be OTPised...maybe you will get more luck with OpenVPN.
> Since freeradius, pam and all opensource otp solution are available, I
> think free two-factor authentication is doable instead of the expensive
> RSA solution.
>
Always bear in mind, as long as the man hours you put in are less or
roughly equal to the RSA solution (over a three year period), then
that's a worthwhile approach. Also gives you something to present as a
talk to other organisations. :)
> So the first authentication is against our AD. If successful, the
> system should generate one time password and send it to user through
> SMS or the other ways. The user then puts the OTP into the 2nd challenge
> prompt. Freeradius authenticates this OTP against the OTP server.
>
> I already tried using pam to authenticate against AD or OTP. I was
> trying to use PAM stack to make this happen. But it's hard to put some
> scripts to send password to user between the two PAM modules. So I
> turned to FreeRadius to see if it can have some ways to do this.
>
For your initial version, I recommend when the user is prompted for a
password, you get them to type "<otp> <password>" (RSA style). Check
the OTP *first* and then validate the password. Your RADIUS
configuration will look like:
----
authorize {
....
your_python_otp_script
ldap
....
}
----
'your_python_otp_script' will *rewrite* User-Password so that when it
gets to the ldap module it's as if the user just sent their password
without the OTP. Of course if the OTP is incorrect,
your_python_otp_script can instantly return reject, giving you your two
factor authentication.
> So if I use rlm_python, I can utilize some existing executable files
> (like ldapsearch, ldapcompare, otp_auth) to directly authenticate
> against LDAP and OTP. To send OTP to user is much easier to do in
> python too. Am I correct?
>
rlm_python will let you change how your OTP system functions quickly
which is helpful as:
* newer, more flexible technologies come along that you want to use
* users find the initial approach too complicated. As the brains are
really all in a python script, you should find it trivial to
change to meet their needs
One word of warning, do *not* use system()/exec() or whatever python
uses. Use a native LDAP module. Same with the OTP/SMS approach if
possible. Calling OS commands like that, especially when there are
native libraries, is generally a Bad Idea(tm) and the coding gods *will*
smite you for your crimes.
Cheers
--
Alexander Clouter
.sigmonster says: Time as he grows old teaches all things.
-- Aeschylus
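The OTP-first split described in the reply above, as an added example (not code from the post or from the FreeRADIUS project). It assumes: the OTP is HOTP (RFC 4226) with a per-user secret and counter (swap verify_otp() for whatever your OTP server does); the rlm_python calling convention of the FreeRADIUS 2.x/3.0 series, where authorize(p) gets a tuple of (attribute, value) pairs and returns either an RLM_MODULE_* code or a 3-tuple (code, reply pairs, control pairs); and, because that return tuple cannot rewrite the request list directly, that the stripped password is handed back in the control list as the internal attribute Tmp-String-0 and copied in unlang with `update request { User-Password := &control:Tmp-String-0 }` placed between your_python_otp_script and ldap. The token store, user and secret are constructed for the example; the radiusd fallback class only exists so the module imports outside the server.

```python
"""rlm_python authorize() hook: verify "<otp> <password>" OTP-first, then hand
the bare password on so a following ldap module sees only the password."""
import hashlib
import hmac
import struct

try:
    import radiusd  # injected by FreeRADIUS when rlm_python loads this module
except ImportError:
    # Stand-alone (tests): mirror the return codes rlm_python exports from the
    # FreeRADIUS C enum so the module can be imported outside the server.
    class radiusd(object):
        RLM_MODULE_REJECT = 0
        RLM_MODULE_OK = 2
        RLM_MODULE_NOOP = 7
        RLM_MODULE_UPDATED = 8
        L_AUTH = 2

        @staticmethod
        def radlog(level, msg):
            print(msg)


# CONSTRUCTED token store: per-user HOTP secret and next expected counter. A
# real deployment keeps this in LDAP/SQL so the counter survives restarts.
def new_store():
    return {"alice": {"secret": b"12345678901234567890", "counter": 0}}


TOKENS = new_store()
LOOKAHEAD = 5  # how many counter steps a token may have drifted ahead of us


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def verify_otp(user, otp, store):
    """True if `otp` matches a counter in [next, next + LOOKAHEAD). On success
    the counter moves past the matched value, so the same OTP cannot be
    replayed; the comparison is constant-time."""
    tok = store.get(user)
    if tok is None:
        return False
    base = tok["counter"]
    for i in range(LOOKAHEAD):
        if hmac.compare_digest(hotp(tok["secret"], base + i), otp):
            tok["counter"] = base + i + 1
            return True
    return False


def split_credential(user_password):
    """'<otp> <password>' -> (otp, password); None if the form is wrong.
    Only the first space splits, so passwords may themselves contain spaces."""
    if len(user_password) > 1 and user_password[0] == '"' == user_password[-1]:
        user_password = user_password[1:-1]  # assumption: older rlm_python quotes string values
    parts = user_password.split(" ", 1)
    if len(parts) != 2 or not parts[0].isdigit() or not parts[1]:
        return None
    return parts[0], parts[1]


def check(user, user_password, store=None):
    """Core decision: returns (rlm code, bare password or None). The OTP is
    checked BEFORE anything touches the directory, so a request carrying a
    bad OTP never gets its password tested against LDAP."""
    store = TOKENS if store is None else store
    cred = split_credential(user_password)
    if cred is None:
        return radiusd.RLM_MODULE_REJECT, None
    otp, password = cred
    if not verify_otp(user, otp, store):
        radiusd.radlog(radiusd.L_AUTH, "otp: bad OTP for %s" % user)
        return radiusd.RLM_MODULE_REJECT, None
    return radiusd.RLM_MODULE_UPDATED, password


def authorize(p):
    """rlm_python entry point: p is a tuple of (attribute, value) pairs."""
    attrs = dict(p)
    user = attrs.get("User-Name")
    user_password = attrs.get("User-Password")
    if user is None or user_password is None:
        return radiusd.RLM_MODULE_NOOP  # not PAP, nothing for us to do
    code, password = check(user, user_password)
    if password is None:
        return code
    # rlm_python (2.x/3.0) returns (code, reply pairs, control pairs) and cannot
    # rewrite the request list itself, so hand the stripped password back in
    # the control list; unlang copies it over User-Password before ldap runs:
    #   update request { User-Password := &control:Tmp-String-0 }
    return code, (), (("Tmp-String-0", password),)
```

Two things to keep as written: the OTP check happens before the password is even looked at, which is what makes the "OTP first" ordering resist password guessing, and the counter only advances on a successful match, so a correct OTP replayed from a captured request is rejected. The password is returned in the control list, never the reply list, so it is not echoed back to the NAS.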