On Mon, 04 Mar 2019, Edward Valley via FreeIPA-users wrote:
Thanks Rob. Squid has a digest LDAP authentication helper. Adapting this guide (https://wiki.squid-cache.org/KnowledgeBase/LdapBackedDigestAuthentication) to FreeIPA, squid digest authentication works fine. I'm just looking for a way to automate the process of generating digests every time users change their passwords. Thanks again.
I'd recommend you to switch to https://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap instead.
This has the benefit that the password check is done by binding to LDAP instead of trying to fetch hashes and compare them. In other words, it moves the actual authentication check to the LDAP server and makes the whole problem disappear.
Ed.
08:26, March 4, 2019, "Rob Crittenden via FreeIPA-users" <freeipa-users@lists.fedorahosted.org>:
Edward Valley via FreeIPA-users wrote:
Hello there. I'm trying to set up squid proxy to use FreeIPA as the LDAP backend for user authentication. Everything works fine while using basic authentication. In order to use digest authentication I need users to have a specific password storage scheme (MD5 of the user:realm:password combination). Can someone point me in the right direction on how to accomplish it? Coding a new plugin? Extending an already existing one? Configuring something? I've done some research and it seems everybody integrating squid with FreeIPA is using Kerberos, but that's something I'll be doing later. Thank you very much.
Digest auth generally requires the password to be available in the clear (or reversible), try to avoid it. I think you'd have a hard time trying to configure IPA to allow it and you'd be climbing far out on a limb if you manage to succeed.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Mon, 04 Mar 2019, Edward Valley via FreeIPA-users wrote:
Thanks for your answer. Doing it the way you propose, squid uses basic authentication, which exposes user names and passwords in the network because of the simple base64 encoding.
Just set up your clients to use HTTPS proxy connection in the browser.
https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connecti... talks about it. Both Chrome-based browsers and Firefox have worked just fine with HTTPS connections to the proxy for years now.
Alexander Bokovoy wrote:
On Mon, 04 Mar 2019, Edward Valley via FreeIPA-users wrote:
Thanks for your answer. Doing it the way you propose, squid uses basic authentication, which exposes user names and passwords in the network because of the simple base64 encoding.
Just set up your clients to use HTTPS proxy connection in the browser.
https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connecti... talks about it. Both Chrome-based browsers and Firefox have worked just fine with HTTPS connections to the proxy for years now.
Beyond the fact that the hash in the clear makes for possible replay attacks unless Squid properly enforces nonces.
rob
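Rob's two points above, that the digest helper needs MD5(user:realm:password) stored per user and that this hash is only safe against replay if the proxy enforces nonces, in runnable form. This is an added example, not code from the thread, from Squid or from FreeIPA: a minimal RFC 2617 digest verifier (no qop) that holds only HA1 and accepts each nonce once; the realm, URI, user name and password are constructed.

```python
import hashlib
import secrets
# Constructed values for the demo; a deployment takes the realm from squid.conf
# and the per-user HA1 from the directory attribute the digest helper reads.
REALM = "proxy.example.test"
URI = "http://www.example.test/"

def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password), what the LDAP-backed digest helper expects
    stored per user. Whoever holds HA1 can answer every challenge in this realm,
    so the attribute must be guarded like a cleartext password."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()

def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

class DigestVerifier:
    """Proxy side: holds HA1 only, never the password, and accepts each nonce it
    issued exactly once, so a captured Proxy-Authorization header cannot be
    replayed. Squid uses nonce lifetimes plus the nc counter; one-time nonces
    are the simplest form of the same check."""

    def __init__(self, ha1_store: dict[str, str]):
        self.ha1_store = ha1_store      # username -> HA1, as the helper returns it
        self.issued: set[str] = set()   # nonces handed out and not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, user: str, method: str, uri: str, nonce: str, resp: str) -> bool:
        if nonce not in self.issued:    # never issued or already used: reject
            return False
        self.issued.discard(nonce)      # consumed even if the response is wrong
        ha1 = self.ha1_store.get(user)
        if ha1 is None:
            return False
        return secrets.compare_digest(digest_response(ha1, method, uri, nonce), resp)

def demo() -> tuple[bool, bool, bool]:
    """Returns (first attempt, replay of the same header, wrong password)."""
    store = {"alice": digest_ha1("alice", REALM, "constructed-demo-password")}
    proxy = DigestVerifier(store)
    nonce = proxy.challenge()
    good = digest_response(store["alice"], "GET", URI, nonce)
    first = proxy.verify("alice", "GET", URI, nonce, good)
    replay = proxy.verify("alice", "GET", URI, nonce, good)
    nonce2 = proxy.challenge()
    bad = digest_response(digest_ha1("alice", REALM, "other"), "GET", URI, nonce2)
    wrong = proxy.verify("alice", "GET", URI, nonce2, bad)
    return first, replay, wrong  # (True, False, False)
```

Note that `demo()` never hands the password to the verifier: HA1 alone is enough to check every response, which is exactly why the stored attribute deserves the same protection as the password itself.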
Edward Valley via FreeIPA-users wrote:
You're right, that's one of the options I've considered and tested, but going that way I need to set up several things: use a PAC file in order for Firefox and Chrome to work, take mobile versions into account too, configure browsers to trust the proxy's certificate, optionally install a client certificate in browsers (which Firefox for Android can't do) and have the proxy verify it, among other things that would require a PKI infrastructure that I'm not willing to deploy (for now). Trust me, I went through all of this, and it is secure enough, but it has a few pitfalls that right now (without coding) there is no way to solve. But, don't you think Kerberos authentication is a simpler and secure enough approach? For now, I'm just trying to migrate an existing OpenLDAP backend to FreeIPA (because it fits my needs and I think it's a better and more tightly integrated solution), which already has the required hashes and an automated way of generating them every time users change their passwords. Thank you very much for your time.
To do this you'd need to write a 389-ds plugin to intercept the password change and write out the hash. You could probably extend the ipa-pwd-extop plugin to do this as we do something similar to keep the userPassword and kerberos credentials in sync.
You just need to be sensitive to security issues here. Passwords are available in the clear only in this plugin so any mistake could potentially expose them.
rob
09:48, March 4, 2019, "Alexander Bokovoy via FreeIPA-users" <freeipa-users@lists.fedorahosted.org>:
On Mon, 04 Mar 2019, Edward Valley via FreeIPA-users wrote: Thanks for your answer. Doing it the way you propose, squid uses basic authentication, which exposes user names and passwords in the network because of the simple base64 encoding.
Just set up your clients to use HTTPS proxy connection in the browser. https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection talks about it. Both Chrome-based browsers and Firefox do work just fine with HTTPS connection to the proxy for years now.
--
Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Edward Valley wrote:
Thank you Rob. By extending ipa-pwd-extop are you suggesting that I modify it (of course by submitting patches) or that I use it as the base for a new plugin? Is the latter possible without interference? Sorry if it's a silly question, right now I really don't know anything about 389-ds plugin architecture.
It would probably be far easier to update the existing plugin; you'd just want to do a lot of due diligence about memory handling, variable re-use, etc. (Coverity and clang can be very helpful).
rob
Edward Valley via FreeIPA-users wrote:
So that's the way to go. Let me read some code and I'll be back with a proposal. Is that ok or should I take it to another place? Thanks for your time Rob.
Using this list is fine for now. If you file a PR the discussion will move there.
rob