Univention Bugzilla – Bug 39611
Extend the UMC login with a multi factor authentication
Last modified: 2019-08-27 16:57:19 CEST
Currently, the UMC login is possible via username / password and via SAML. It would be really nice if the login could be extended with a multi factor authentication app such as privacyIDEA.

UMC uses PAM, therefore the app should be able to extend the UMC PAM configuration. For example:

OLD:
  auth sufficient pam_unix.so
  auth sufficient pam_krb5.so use_first_pass
  auth required   pam_ldap.so use_first_pass

NEW:
  auth sufficient pam_unix.so
  auth [success=1 new_authtok_reqd=ok user_unknown=ignore service_err=ignore authinfo_unavail=ignore auth_err=die default=ignore] pam_krb5.so use_first_pass
  auth [success=ok new_authtok_reqd=ok default=die] pam_ldap.so use_first_pass
  auth required   pam_multi_factor use_first_pass

I guess we can't use pam_unix in this way because the password hashes of the LDAP users are available via 'getent shadow', at least as root and if the password hasn't been changed via Samba 4 (Kerberos).

Anyway, the pam_multi_factor module should be able to check if the user must insert a token.

For example, for a user without a token:
  Username: test1
  Password: XXXXXXX
  → Login succeeded if the password is correct

For example, for a user with a token:
  Username: test1
  Password: XXXXXXX
  One Time Password: XXXX
  → Login succeeded if the password and the one time password are correct

The UMC login has to check the PAM dialog and display a second password prompt, for example:

1. Screen
  <Username>
  <Password>
  → Insert: Administrator \t univention \Enter

2. Screen
  Administrator (grayed out)
  *********** (grayed out)
  <One Time Password>
  → Insert OTP \Enter

I'll split the PAM configuration into a separate issue.
It is OK if features like the global App Center won't work in this scenario. They can be added later.
(In reply to Stefan Gohmann from comment #1)
> It is OK if features like the global App Center won't work in this scenario.
> They can be added later.

If the global App Center does not work, DefaultPackagesMaster probably doesn't either. Should we add an App preinst test?
The backend side has been implemented:

  curl -i http://master30.saml.dev/univention-management-console/auth \
    -H 'X-Requested-With: XMLHttpRequest' \
    -H 'Content-Type: application/json' \
    -d '{"options":{"username":"Administrator","password":"univention", "OTP:: ":"12345"}}'
Created attachment 7257: Screenshot of UMC overview with opened tab.

I guess this bug introduced some changes that cause a border above the UMC tab bar (cf. screenshot). If I move the iframe element in the DOM, the border disappears.
(In reply to Alexander Kläser from comment #4)
> Created attachment 7257: Screenshot of UMC overview with opened tab.
>
> I guess this bug introduced some changes that cause a border above the UMC
> tab bar (cf. screenshot). If I move the iframe element in the DOM, the
> border disappears.

Yes, the iframe is now placed with 'position: absolute'. I observed that it was removed from the DOM by Firefox and Chromium in that previous position, so it has been moved outside.
The frontend implementation has been added as well. It works OOTB with the privacyIDEA PAM app. Use the test App Center:

  univention-app update
  univention-app install privacyidea
  univention-app install privacyidea-pam
  ucr set auth/umc/addon/privacyidea=true
It works, very nice. Just one issue: I've enrolled a token for the Administrator, but I have to insert an OTP for another user as well. But I guess it is a bug in the PAM module. Please add a changelog entry.
(In reply to Stefan Gohmann from comment #7)
> It works, very nice. Just one issue: I've enrolled a token for the
> Administrator, but I have to insert an OTP for another user as well. But I
> guess it is a bug in the PAM module.

Yes, the PAM module must return PAM_SUCCESS if the user doesn't need a one time password.

> Please add a changelog entry.

Done.
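The login flow sketched in comment #1 (password first, second prompt only when a token is enrolled), the JSON body of the curl call in comment #3 (the OTP keyed by the PAM prompt text "OTP:: ") and the rule from the reply above (the second-factor module must return PAM_SUCCESS for users without a token) can be exercised together in a small simulation. The following is an added example written for this page, not Univention's, privacyIDEA's or any PAM module's code: the user store, the token secret, the `Password: ` prompt text, the module names `pam_first_factor` / `pam_multi_factor` and the `umc_auth` handler are all constructed. OTP checking uses HOTP/TOTP from RFC 4226 / RFC 6238, which stands in for whatever the real PAM app validates.

```python
import hashlib
import hmac
import os
import struct
import time

# Return codes numbered as in Linux-PAM (<security/_pam_types.h>); only these two are used.
PAM_SUCCESS, PAM_AUTH_ERR = 0, 7


class MissingPrompt(Exception):
    """PAM asked a question the HTTP client did not answer, e.g. the 'OTP:: ' prompt."""

    def __init__(self, prompt):
        super().__init__(prompt)
        self.prompt = prompt


# --- constructed user store (stand-in for LDAP/shadow and the token database) --------------
def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
PASSWORD_HASHES = {
    "Administrator": _pbkdf2("univention", _SALT),  # constructed: has a token enrolled
    "test1": _pbkdf2("secret", _SALT),              # constructed: no token enrolled
}
TOKEN_SECRETS = {
    "Administrator": b"12345678901234567890",  # RFC 4226/6238 test-vector seed, constructed enrolment
}


# --- OTP verification: HOTP (RFC 4226) and TOTP (RFC 6238) ---------------------------------
def hotp(secret, counter, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp_valid(secret, code, now, step=30, window=1):
    """Accept the current 30 s slot and one slot either side; compare in constant time."""
    if not (code.isascii() and code.isdigit()):
        return False
    counter = int(now) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# --- PAM-style modules; conv(prompt) returns the answer or raises MissingPrompt ------------
def pam_first_factor(user, conv, now):
    given = conv("Password: ")
    stored = PASSWORD_HASHES.get(user)
    ok = stored is not None and hmac.compare_digest(stored, _pbkdf2(given, _SALT))
    return PAM_SUCCESS if ok else PAM_AUTH_ERR


def pam_multi_factor(user, conv, now):
    secret = TOKEN_SECRETS.get(user)
    if secret is None:
        return PAM_SUCCESS  # no token enrolled: must not block the login (comment #8)
    return PAM_SUCCESS if totp_valid(secret, conv("OTP:: "), now) else PAM_AUTH_ERR


AUTH_STACK = [pam_first_factor, pam_multi_factor]


def pam_authenticate(user, conv, now):
    """Requisite-style stack: stop at the first failing module, so a wrong password
    never reaches the OTP prompt."""
    for module in AUTH_STACK:
        rc = module(user, conv, now)
        if rc != PAM_SUCCESS:
            return rc
    return PAM_SUCCESS


# --- the UMC-side handler for the JSON body shown in comment #3 ----------------------------
def umc_auth(options, now=None):
    """Returns the HTTP status and, on 401, the PAM prompt the frontend still has to show."""
    now = time.time() if now is None else now
    user = options.get("username", "")

    def conv(prompt):
        key = "password" if prompt == "Password: " else prompt  # other prompts keyed by PAM text
        if options.get(key) is None:
            raise MissingPrompt(prompt)
        return str(options[key])

    try:
        rc = pam_authenticate(user, conv, now)
    except MissingPrompt as e:
        return {"status": 401, "missing_prompt": e.prompt}  # frontend: render a 2nd screen
    return {"status": 200 if rc == PAM_SUCCESS else 401, "missing_prompt": None}


if __name__ == "__main__":
    print(umc_auth({"username": "test1", "password": "secret"}))
    print(umc_auth({"username": "Administrator", "password": "univention"}))
```

The second call returns 401 with `missing_prompt` set to "OTP:: ", which is the signal the frontend needs to gray out the first screen and ask for the one time password; resending the same body with an `"OTP:: "` field completes the login. Because the stack stops at the first failure, a wrong password yields a plain 401 without the extra prompt, so the response does not reveal whether that user has a token enrolled.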
OK, it works with privacyIDEA as described here: https://netknights.it/zwei-faktor-authentisierung-an-der-univention-management-console/

Some minor issues can be done later:
  Bug 39837 - No autofocus for OTP field
  Bug 39836 - OTP Login message
UCS 4.1 has been released:
  https://docs.software-univention.de/release-notes-4.1-0-en.html
  https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".