Bug 39611 - Extend the UMC login with a multi factor authentication
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.1
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1
Assigned To: Florian Best
Stefan Gohmann
: interim-2
Depends on:
Blocks: 39612 39841
Reported: 2015-10-22 07:00 CEST by Stefan Gohmann
Modified: 2019-08-27 16:57 CEST (History)

Bug group (optional): Release Goal

Attachments
Screenshot of UMC overview with opened tab. (270.51 KB, image/png)
2015-11-05 19:37 CET, Alexander Kläser
Details
331 (deleted)
2019-08-27 14:27 CEST, martha simons
Details

Description Stefan Gohmann univentionstaff 2015-10-22 07:00:24 CEST
Currently, the UMC login is possible via username / password and via SAML.

It would be really nice if the login could be extended with a multi factor authentication App such as privacyIDEA. UMC uses PAM, therefore the app should be able to extend the UMC PAM configuration. For example:

OLD:
auth     sufficient                         pam_unix.so
auth     sufficient                         pam_krb5.so use_first_pass
auth     required                           pam_ldap.so use_first_pass

NEW:
auth     sufficient                         pam_unix.so
auth [success=1 new_authtok_reqd=ok user_unknown=ignore service_err=ignore authinfo_unavail=ignore auth_err=die default=ignore]  pam_krb5.so use_first_pass
auth     [success=ok new_authtok_reqd=ok default=die] pam_ldap.so use_first_pass
auth     required          pam_multi_factor.so use_first_pass

I guess we can't use pam_unix in this way because the password hashes of the LDAP users are available via 'getent shadow', at least as root and if the password hasn't been changed via Samba 4 (Kerberos).
Anyway, the pam_multi_factor module should be able to check if the user must insert a token.

For example for a user without a token:
Username: test1
Password: XXXXXXX
→ Login succeeded if the password is correct

For example for a user with a token:
Username: test1
Password: XXXXXXX
One Time Password: XXXX
→ Login succeeded if the password and the one time password are correct

The UMC login has to check the PAM Dialog and display a second password prompt, for example:

1. Screen
<Username>
<Password>
→ Insert: Administrator \t univention \Enter
2. Screen
Administrator (grayed out)
*********** (grayed out)
<One Time Password>
→ Insert OTP \Enter

I'll split the PAM configuration into a separate issue.
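The two-step login sketched above (password first, OTP prompt only for users who have a token, cf. the request in comment 3 where the prompt text is sent back as the key of the answer) can be simulated end to end. This is an added example, not UMC's or privacyIDEA's code: PAM is replaced by an in-memory module stack so it runs offline, the user database, the module names, the prompt text `OTP: ` and the three-step HOTP look-ahead window are assumptions, and only the HOTP computation follows a real specification (RFC 4226).

```python
"""Simulation of the two-step UMC/PAM login flow: constructed example, not UMC's code."""
import hashlib
import hmac
import struct

# PAM return codes used by the simulation (values as in <security/_pam_types.h>)
PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 0, 7, 10
# Assumed prompt text the multi-factor module sends through the PAM conversation;
# the client echoes it back as the key of its answer (like "OTP:: " in the curl call).
OTP_PROMPT = "OTP: "

# Constructed user database: password, and for MFA users an HOTP secret plus counter.
USERS = {
    "test1": {"password": "secret1", "hotp_secret": None, "counter": 0},
    "Administrator": {"password": "univention",
                      "hotp_secret": b"12345678901234567890", "counter": 0},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PromptRequired(Exception):
    """Raised when a module asks a question the client has not answered yet."""
    def __init__(self, prompt: str):
        super().__init__(prompt)
        self.prompt = prompt


def pam_password_module(user: str, answers: dict) -> int:
    """Stands in for pam_unix/pam_krb5/pam_ldap: checks the first factor."""
    entry = USERS.get(user)
    if entry is None:
        return PAM_USER_UNKNOWN
    ok = hmac.compare_digest(entry["password"], answers.get("Password: ", ""))
    return PAM_SUCCESS if ok else PAM_AUTH_ERR


def pam_multi_factor_module(user: str, answers: dict) -> int:
    """Stands in for the OTP module; returns PAM_SUCCESS for users without a token."""
    entry = USERS[user]
    if entry["hotp_secret"] is None:
        return PAM_SUCCESS
    if OTP_PROMPT not in answers:
        raise PromptRequired(OTP_PROMPT)  # conversation: ask the client for the OTP
    # Assumed look-ahead window of 3 so a skipped token press does not lock the user out.
    for step in range(entry["counter"], entry["counter"] + 3):
        if hmac.compare_digest(hotp(entry["hotp_secret"], step), answers[OTP_PROMPT]):
            entry["counter"] = step + 1  # never accept the same counter value twice
            return PAM_SUCCESS
    return PAM_AUTH_ERR


# Both modules are "auth required": every module must succeed, in this order.
PAM_STACK = [pam_password_module, pam_multi_factor_module]


def umc_auth(options: dict) -> dict:
    """Mimics the login handler: options carry username, password and any prompt
    answers. Result is "ok", "failed", or "prompt" with the text the second
    screen has to display."""
    user = options.get("username", "")
    answers = {"Password: ": options.get("password", "")}
    answers.update({k: v for k, v in options.items() if k not in ("username", "password")})
    for module in PAM_STACK:
        try:
            rc = module(user, answers)
        except PromptRequired as exc:
            return {"result": "prompt", "prompt": exc.prompt}
        if rc != PAM_SUCCESS:
            return {"result": "failed", "prompt": None}
    return {"result": "ok", "prompt": None}


if __name__ == "__main__":
    print(umc_auth({"username": "test1", "password": "secret1"}))
    print(umc_auth({"username": "Administrator", "password": "univention"}))
    code = hotp(USERS["Administrator"]["hotp_secret"], 0)
    print(umc_auth({"username": "Administrator", "password": "univention", OTP_PROMPT: code}))
```

The point the simulation makes explicit: the OTP module is the one that decides whether a second prompt is needed at all, so for a user without a token it must return PAM_SUCCESS instead of prompting, and the counter is advanced on every accepted OTP so a replayed code is rejected.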
Comment 1 Stefan Gohmann univentionstaff 2015-10-22 07:03:29 CEST
It is OK if features like the global App Center won't work in this scenario. They can be added later.
Comment 2 Dirk Wiesenthal univentionstaff 2015-10-22 09:45:52 CEST
(In reply to Stefan Gohmann from comment #1)
> It is OK if features like the global App Center won't work in this scenario.
> They can be added later.

If the global App Center does not work, DefaultPackagesMaster probably doesn't either. Should we add an App preinst test?
Comment 3 Florian Best univentionstaff 2015-11-04 15:34:25 CET
The backend side has been implemented:
curl -i http://master30.saml.dev/univention-management-console/auth -H 'X-Requested-With: XMLHttpRequest' -H 'Content-Type: application/json' -d '{"options":{"username":"Administrator","password":"univention", "OTP:: ":"12345"}}'
Comment 4 Alexander Kläser univentionstaff 2015-11-05 19:37:56 CET
Created attachment 7257 [details]
Screenshot of UMC overview with opened tab.

I guess this bug introduced some changes that cause a border above the UMC tab bar (cf., screenshot). If I move the iframe element in the DOM, the border disappears.
Comment 5 Florian Best univentionstaff 2015-11-06 09:32:42 CET
(In reply to Alexander Kläser from comment #4)
> Created attachment 7257 [details]
> Screenshot of UMC overview with opened tab.
> 
> I guess this bug introduced some changes that cause a border above the UMC
> tab bar (cf., screenshot). If I move the iframe element in the DOM, the
> border disappears.
Yes, the iframe is now placed with 'position: absolute'. I observed that it was removed from the DOM by Firefox and Chromium in that previous position, so it has been moved outside.
Comment 6 Florian Best univentionstaff 2015-11-06 09:34:08 CET
The frontend implementation has been added as well. It works OOTB with the privacyIDEA PAM app.

use the test appcenter:
univention-app update
univention-app install privacyidea
univention-app install privacyidea-pam
ucr set auth/umc/addon/privacyidea=true
Comment 7 Stefan Gohmann univentionstaff 2015-11-08 20:52:18 CET
It works, very nice. Just one issue: I've enrolled a token for the Administrator, but I have to insert an OTP for another user as well. But I guess it is a bug in the PAM module.

Please add a changelog entry.
Comment 8 Florian Best univentionstaff 2015-11-09 14:50:32 CET
(In reply to Stefan Gohmann from comment #7)
> It works, very nice. Just one issue, I've enrolled a token for the
> Administrator but I have to insert a OTP for another user as weel. But I
> guess it is a bug in the PAM module.
Yes, the PAM module must return PAM_SUCCESS if the user doesn't need a one time password.
> Please add a changelog entry.
Done
Comment 9 Stefan Gohmann univentionstaff 2015-11-10 09:44:00 CET
OK, it works with privacyIDEA as described here:
 https://netknights.it/zwei-faktor-authentisierung-an-der-univention-management-console/

Some minor issues can be done later:
 Bug 39837 - No autofocus for OTP field 
 Bug 39836 - OTP Login message
Comment 10 Stefan Gohmann univentionstaff 2015-11-17 12:11:53 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".
Comment 11 martha simons 2019-08-27 14:27:24 CEST
Created attachment 10165 [details]
331
Comment 12 Florian Best univentionstaff 2019-08-27 16:57:19 CEST
The content of attachment 10165 [details] has been deleted for the following reason:

Spam / Trojan