Using Yubico YubiKey with eDirectory for two-factor authentication
Since version 8.8.6 eDirectory has had support for a new NMAS login method, the NMAS HOTP method as it is called.
This login method is used to provide two-factor authentication using the widely deployed OATH HOTP standard.
HOTP is an algorithm for generating one-time passwords (OTP) that is described in RFC 4226. It's basically based on a shared secret key and a counter that is available both to eDirectory and the OTP generating device that the user has.
When a user is HOTP enabled he/she can no longer login by just using their password, they must also append a one-time password to their regular password.
For example, if my password is correcthorsebatterystaple and the OTP is 342132 I must enter correcthorsebatterystaple342132 when logging in.
You can read about the NMAS HOTP method here.
The HOTP standard is described here: http://tools.ietf.org/html/rfc4226
The goal of this article is to describe how you can use the NMAS HOTP login method together with the YubiKey hardware token from Yubico.
YubiKey is a small pad with a touch button that you plug into your USB port and it presents itself to the OS as a keyboard.
Pressing the button on the YubiKey generates a one-time password that we can utilize with eDirectory to improve the login security.
There are two parts to making this work, first you must have a YubiKey token.
Second, you must have the NMAS HOTP login method installed and configured on the server side.
In this article I will describe how to set up two-factor authentication with eDirectory version 8.8.7 running on SUSE Linux Enterprise Server 11.
As far as I can tell the HOTP login method and schema extension already come with eDirectory 8.8.7 so we only need to configure it.
Configuration is done using the "nmashotpconf" utility which can be downloaded here: http://download.novell.com/Download?buildid=BfnNcVX8U_I~
Download the file to your eDirectory server and unpack it.
You will get two ZIP files, unpack the one named "nmashotpconf.zip".
Make sure that your eDirectory servers have NMAS login enabled according to the prerequisites in the documentation.
Before we continue with the part where we configure the HOTP login method we will configure our YubiKey.
The YubiKey can be managed using the YubiKey personlization tool that you can download here: http://www.yubico.com/products/services-software/personalization-tools/
Insert the YubiKey into your computers USB port and start the tool.
Click on "OATH-HOTP" and then on "Advanced".
The YubiKey has two configuration "slots" for saving two configurations at once, one can for example be used for OTP and the other for challenge response for example. I use slot 2 together with the Password Safe utility.
In this example I will use "Configuration Slot 1".
Under "OATH-HOTP Parameters" I will make these changes:
Uncheck OATH Token Identifier
HOTP Length: 6 Digits
Moving Factor Seed: Fixed zero
Secret Key (20 bytes Hex): Click Generate, Select the secret key, copy and save it, we will need it later.
When you are done click on "Write Configuration" to save the changes to the YubiKey.
Now that we have configured the YubiKey we will continue configuring the NMAS login method.
For the purpose of this article we will HOTP enable just one user object in eDirectory.
According to the NMAS HOTP login method documentation we must perform these steps:
- Enable HOTP on the user/container/partition root/Login Policy object in the same order of precedence.
- Set the HOTP-shared secret key and counter on the user. These two settings together determine the HOTP value.
- Configure the number of digits in HOTP values on the user/ container/partition root/Login Policy object.The valid range of digits is from 6 to 9.
- Set the resynchronization windows as follows:
- Set the tree-wide resynchronization window at the Login Policy object.
- Set the user-specific resynchronization window at the user level. This is needed only when the client and server are out of sync.
We will accomplish these tasks with the nmashotpconf utility.
The utility connects to eDirectory using LDAPS and needs the trusted root certificate of the LDAP server certificate as a DER or B64 file to be able to connect.
Make sure you have it on the server where you are running the utility, if not export it from eDirectory using iManager and place it on the server.
By running the nmashotpconf utility you will get some basic help, for more information please read the documentation.
nmashotpconf -h <host_name> [-p <ssl_port>] -D <login_dn> [-w <password>]
-e <trusted_cert> -t <cert_type> [-r <resync_window>] [-y
<user_resync_window>] [-u <hotp_dn> [-o <hotp_options>] [-d digits] [-c
<counter>] [-s <secret> -f <secret_format>]]
In this example I will first set the look ahead window, in the examples we can see that 6 is set, you don't want the number to be too big or too small either.
How large it should be depends on your environment and how many one-time passwords you are planning on generating without actually logging in...
The look ahead window is set using:
./nmashotpconf -h 172.16.242.74 -p 636 -D cn=admin,ou=system,o=acme -w acmeadmin -e acme.b64 -t B64 -r 6
The first couple of the switches are easily understood so I won't explain them, -e is the path to the trusted root certificate and -t is the type of the certificate and -r is the look-ahead window.
The command above will update the cn=Login Policy,cn=Security object and set the value of the sasOTPLookAheadWindow attribute to 6.
Next we want to enable HOTP login on a user object. This can be done using this command:
./nmashotpconf -h 172.16.242.74 -p 636 -D cn=admin,ou=system,o=acme -w acmeadmin -e acme.b64 -t B64 -d 6 -c 0 -u cn=newadmin,o=acme -f RAW -s f058bf3e55473729ea7261c763d14bdf529948d3 -o ENABLE
This requires a bit of explanation.
-d 6 = Specifies the number of digits used as the HOTP value. Remember that we used 6 digits as the HOTP length when we configured the YubiKey? We want the same length here. This switch will set the sasOTPDigits attribute.
-c 0 = The value of the counter, it's the same as on the YubiKey, in this case we'll go with 0. This switch will set the sasOTPCounter attribute.
-u cn=newadmin,o=acme = The target of this operation, in this case the user we want to enable HOTP for.
-f RAW = Tells the utility which format the secret key that is specified after the -s switch is in. RAW is the hexadecimal value from our YubiKey personalization tool that we copied and saved.
-s f058bf3e55473729ea7261c763d14bdf529948d3 = Remember the Secret Key value from the personalization tool that we copied? This is it, without the spaces. The attributes sASLoginSecret and sASLoginSecretKey are updated.
-o ENABLE = Enables HOTP for the user, sets the sasOTPEnabled attribute to TRUE.
If everything is configured correctly we should now be able to login using NCP or LDAP using our YubiKey. The good thing here is that nothing on the client side changes, the user still has the same UI experience as without HOTP.
I will test the NCP login directly on the eDirectory server using ndslogin. You can also test the NCP login using iMonitor or iManager but check the documentation on iManager first, it requires an updated libnmasclnt.so file.
First I SSH into the server and then execute the ndslogin command.
ndslogin newadmin.acme -h 172.16.242.74 -p MyPassword
The login fails as it should: failed, failed authentication (-669)
Before pressing enter after entering the ndslogin command I need to touch the button on the YubiKey so it generates a one-time password, so after touching the YubiKey the commandline looks like this:
ndslogin newadmin.acme -h 172.16.242.74 -p MyPassword199879
eDirectory Login: logged in as .CN=newadmin.O=ACME.ACME.
By default YubiKey will also send enter directly after the OTP value.
Testing LDAP login is just a matter of using your favorite LDAP browser and touching the YubiKey after entering your password so it can append the OTP value.
By using HOTP we can easily increase the security of our accounts, especially our administrative accounts.