Discussion:
[horde] multi-factor authentication
Mike Poznecki
2018-03-26 12:26:08 UTC
Hi, how can I implement multi-factor authentication with an RSA key?  I have searched long and wide and can not find any help.  Thanks.
--
Horde mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, m
Ralf Lang
2018-03-26 14:37:32 UTC
Post by Mike Poznecki
Hi, how can I implement multi-factor authentication with an RSA key?  I have searched long and wide and can not find any help.  Thanks.
You can use the PAM authentication driver if your RSA SecurId solution
provides a PAM backend. Then set up your server's PAM to work with RSA
and configure Horde to use your server's PAM.
Bjoern Voigt
2018-03-28 12:42:18 UTC
Post by Mike Poznecki
Hi, how can I implement multi-factor authentication with an RSA key?  I have searched long and wide and can not find any help.
Unfortunately, Two Factor authentication is not implemented in Horde
right now. I am also interested in this topic.

[#14051] Two Factor Authentication
https://bugs.horde.org/ticket/14051

Greetings,
Björn
Mike Poznecki
2018-03-28 13:23:54 UTC
Post by Mike Poznecki
Hi, how can I implement multi-factor authentication with an RSA key?  I have searched long and wide and can not find any help.
Unfortunately, Two Factor authentication is not implemented in Horde
right now. I am also interested in this topic.

[#14051] Two Factor Authentication
https://bugs.horde.org/ticket/14051

Greetings,
Björn


That is very sad as it is a very basic and mandatory form of authentication these days.
P.V.Anthony
2018-03-28 15:53:48 UTC
Post by Bjoern Voigt
Post by Mike Poznecki
Hi, how can I implement multi-factor authentication with an RSA key?  I have searched long and wide and can not find any help.
Unfortunately, Two Factor authentication is not implemented in Horde
right now. I am also interested in this topic.
[#14051] Two Factor Authentication
https://bugs.horde.org/ticket/14051
Would using the following make it easier to do multi-factor auth?

https://www.vaultproject.io/

Saw a demo and was impressed. Please note I am not a programmer.

P.V.Anthony
Ralf Lang
2018-03-28 18:15:09 UTC
Post by P.V.Anthony
Post by Bjoern Voigt
Post by Mike Poznecki
Hi, how can I implement multi-factor authentication with an RSA key?
 I have searched long and wide and can not find any help.
Unfortunately, Two Factor authentication is not implemented in Horde
right now. I am also interested in this topic.
[#14051] Two Factor Authentication
https://bugs.horde.org/ticket/14051
Would using the following make it easier to do multi-factor auth?
https://www.vaultproject.io/
Saw a demo and was impressed. Please note I am not a programmer.
P.V.Anthony
Vault doesn't really address what is needed here.
There are two options here:

- Delegate authentication to an auth provider (shibboleth, saml, openid
connect, etc) and let them worry about 2-factor implementation
- Build a 2-factor driver for horde

Both are somehow on my list, but no specific timeline can be given.
However, I am more interested in open solutions like TOTP/HOTP.
Though I use commercial RSA SecurId tokens in my daily work, I have
absolutely no interest in building a direct interface to the server
component.

Regards

Ralf
--
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: ***@b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
Diego D'Angelo
2018-03-28 18:24:42 UTC
Post by Ralf Lang
Vault doesn't really address what is needed here.
- Delegate authentication to an auth provider (shibboleth, saml, openid
connect, etc) and let them worry about 2-factor implementation
- Build a 2-factor driver for horde
Both are somehow on my list, but no specific timeline can be given.
However, I am more interested in open solutions like TOTP/HOTP.
Though I use commercial RSA SecurId tokens in my daily work, I have
absolutely no interest in building a direct interface to the server
component.
You can test linotp.org
With a mod (compiled
https://github.com/lsexperts/mod_authn_linotp/zipball/master) in
apache in the vhost horde, with TOTP it works like a charm:

First login (apache basic linotp) —> user and totp key
Second login —> horde login
Post by Ralf Lang
Regards
Ralf
--
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
----- End message from Ralf Lang <***@b1-systems.de> -----
--
---------------------------------
Diego D'Angelo
Técnico Área Servicios
Dirección General de Informática
Municipalidad de Rosario
Te: +54 341 4802704
----------------------------------
Rick Romero
2018-03-28 18:33:21 UTC
Post by Ralf Lang
Post by P.V.Anthony
Post by Bjoern Voigt
Post by Mike Poznecki
Hi, how can I implement multi-factor authentication with an RSA key?
 I have searched long and wide and can not find any help.
Unfortunately, Two Factor authentication is not implemented in Horde
right now. I am also interested in this topic.
[#14051] Two Factor Authentication
https://bugs.horde.org/ticket/14051
Would using the following make it easier to do multi-factor auth?
https://www.vaultproject.io/
Saw a demo and was impressed. Please note I am not a programmer.
P.V.Anthony
Vault doesn't really address what is needed here.
- Delegate authentication to an auth provider (shibboleth, saml, openid
connect, etc) and let them worry about 2-factor implementation
- Build a 2-factor driver for horde
Both are somehow on my list, but no specific timeline can be given.
However, I am more interested in open solutions like TOTP/HOTP.
Though I use commercial RSA SecurId tokens in my daily work, I have
absolutely no interest in building a direct interface to the server
component.
I like PrivacyIdea and have implemented it in the past.  What I had
planned with Horde sort of worked, but there were some missing parts.

I believe what I did was configure Horde to use Radius (via
PrivacyIdea). What that did was allow use of TOTP/HOTP to log into the
web interface. Then I hardcoded a long complex password into the imp
config to login to the backend IMAP server.  The backend IMAP Server
accepted that single password for any user that came from my test web
server (Dovecot uses SQL for Auth, so easy query change).

It worked about 99% - I think gollem was the only place I couldn't get
things to work reliably.

Rick
Bjoern Voigt
2018-03-28 21:10:02 UTC
Post by Ralf Lang
- Delegate authentication to an auth provider (shibboleth, saml, openid
connect, etc) and let them worry about 2-factor implementation
- Build a 2-factor driver for horde
Both are somehow on my list, but no specific timeline can be given.
However, I am more interested in open solutions like TOTP/HOTP.
Though I use commercial RSA SecurId tokens in my daily work, I have
absolutely no interest in building a direct interface to the server
component.
I think, Nextcloud can be seen as a good example for implementing
2-factor authentication into a modularized PHP application.

The Nextcloud team built some 2-factor base functionality into the
Nextcloud core. For instance they implemented base classes, some
management commands (e.g. administrators can enable/disable 2-factor for
specific users) and management functions for app-passwords (Horde/IMP
may need them too e.g. for Activesync devices). A specific 2-factor
solution can be found in the Nextcloud apps/add-ons. Currently there are
some 2-factor apps available: https://apps.nextcloud.com/categories/security

Greetings,
Björn
Ralf Lang
2018-03-29 05:03:06 UTC
Post by Bjoern Voigt
Post by Ralf Lang
- Delegate authentication to an auth provider (shibboleth, saml, openid
connect, etc) and let them worry about 2-factor implementation
- Build a 2-factor driver for horde
Both are somehow on my list, but no specific timeline can be given.
However, I am more interested in open solutions like TOTP/HOTP.
Though I use commercial RSA SecurId tokens in my daily work, I have
absolutely no interest in building a direct interface to the server
component.
I think, Nextcloud can be seen as a good example for implementing
2-factor authentication into a modularized PHP application.
The Nextcloud team built some 2-factor base functionality into the
Nextcloud core. For instance they implemented base classes, some
management commands (e.g. administrators can enable/disable 2-factor for
specific users) and management functions for app-passwords (Horde/IMP
may need them too e.g. for Activesync devices). A specific 2-factor
solution can be found in the Nextcloud apps/add-ons. Currently there are
some 2-factor apps available: https://apps.nextcloud.com/categories/security
Greetings,
Björn
Hi Björn,

there is already a plan to redesign the Horde Authentication
architecture for support of 2-factor services, separate credentials for
APIs, external interfaces etc. I will add nextcloud to my list of
references/resources. However, this is a fairly large-scale project. I
don't know the schedule of horde, inc.

However, as you see, there is no Owncloud/Nextcloud plugin for RSA
SecurId which is what Mike really wants. Given the cost of RSA, I have
the feeling he needs to integrate with an existing landscape and cannot
easily change over to TOTP, YubiKey or other solutions.
Bjoern Voigt
2018-03-30 16:02:33 UTC
Post by Ralf Lang
Vault doesn't really address what is needed here.
- Delegate authentication to an auth provider (shibboleth, saml, openid
connect, etc) and let them worry about 2-factor implementation
- Build a 2-factor driver for horde
Both are somehow on my list, but no specific timeline can be given.
However, I am more interested in open solutions like TOTP/HOTP.
Though I use commercial RSA SecurId tokens in my daily work, I have
absolutely no interest in building a direct interface to the server
component.
Ralf, you seem to know the Horde authentication code very well.

I think, some users need a quick (but not dirty) solution for Horde/IMP.

I think, Yubikeys and TOTP/HOTP solutions can be easily used in Horde.
The basic idea for services without an integrated 2FA module is to enter
a combined password <user password><2FA password>. Second factor
passwords have a fixed length. So the combined password can be split
with simple rules.

There is a hook "preauthenticate" in horde/config/hooks.php, which can
be used here. My idea is:

1. Check the username, if 2FA is enabled for the user
2. Consistency check, if there is a combined password
3. Split the combined password
4. Do the verification for the second factor password
5. Return false, if the second factor password is wrong
6. Return the first factor password within the "entry" array, if the
second factor password is right

I haven't implemented this yet. But it should work.

I think the drawbacks would be:

* Passwords cannot be saved comfortably anymore, because you need a
new combined password for each login
* Activesync clients will fail for the same reason

Greetings,
Björn
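The six steps listed in the message above, as an added Python sketch that is not part of the thread and is not Horde code; it would have to be ported into the hook or driver. Assumptions: the second factor is a 6-digit RFC 6238 TOTP code, the `enrolled` and `used` dictionaries stand in for real storage, and all function names are hypothetical; the replay check and the one-step clock window go beyond the steps listed.

```python
import hashlib
import hmac
import struct

TOTP_DIGITS = 6   # fixed second-factor length: this is what makes the split possible
TOTP_STEP = 30    # seconds per time step (RFC 6238 default)

def totp(secret: bytes, now: float, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", int(now) // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def split_and_verify(user, combined, enrolled, now, used, window=1):
    """Return the first-factor password to pass on, or None to reject the login.

    enrolled: user -> TOTP secret (users absent from it have no 2FA)
    used:     user -> last accepted time step, so a code cannot be replayed
    """
    secret = enrolled.get(user)
    if secret is None:                       # step 1: 2FA not enabled for this user
        return combined
    code = combined[-TOTP_DIGITS:]
    # step 2: need at least one password character plus an ASCII all-digit code
    if len(combined) <= TOTP_DIGITS or not (code.isascii() and code.isdigit()):
        return None
    password = combined[:-TOTP_DIGITS]       # step 3: split at the fixed length
    step_now = int(now) // TOTP_STEP
    for step in range(max(0, step_now - window), step_now + window + 1):  # step 4
        expected = totp(secret, step * TOTP_STEP)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            if used.get(user, -1) >= step:        # this code was already consumed
                return None
            used[user] = step
            return password                  # step 6: hand on the first factor only
    return None                              # step 5: wrong second factor

if __name__ == "__main__":
    # Constructed sample: RFC 6238 test secret; at t=59 s the 6-digit code is 287082
    enrolled = {"alice": b"12345678901234567890"}
    print(split_and_verify("alice", "hunter2287082", enrolled, 59, {}))  # prints hunter2
```

The returned first-factor password is the value that would then be handed on to the IMAP or other backend login.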
Ralf Lang
2018-03-30 18:58:05 UTC
Post by Bjoern Voigt
Post by Ralf Lang
Vault doesn't really address what is needed here.
- Delegate authentication to an auth provider (shibboleth, saml, openid
connect, etc) and let them worry about 2-factor implementation
- Build a 2-factor driver for horde
Both are somehow on my list, but no specific timeline can be given.
However, I am more interested in open solutions like TOTP/HOTP.
Though I use commercial RSA SecurId tokens in my daily work, I have
absolutely no interest in building a direct interface to the server
component.
Ralf, you seem to know the Horde authentication code very well.
I think, some users need a quick (but not dirty) solution for Horde/IMP.
I think, Yubikeys and TOTP/HOTP solutions can be easily used in Horde.
The basic idea for services without an integrated 2FA module is to enter
a combined password <user password><2FA password>. Second factor
passwords have a fixed length. So the combined password can be split
with simple rules.
There is a hook "preauthenticate" in horde/config/hooks.php, which can
1. Check the username, if 2FA is enabled for the user
2. Consistency check, if there is a combined password
3. Split the combined password
4. Do the verification for the second factor password
5. Return false, if the second factor password is wrong
6. Return the first factor password within the "entry" array, if the
second factor password is right
I haven't implemented this yet. But it should work.
* Passwords cannot be saved comfortably anymore, because you need a
new combined password for each login
* Activesync clients will fail for the same reason
Greetings,
Björn
Hi Björn,

it should work, however it would break a little more stuff if done this way

* remote APIs (caldav, xml-rpc, json-rpc)
* Most likely passwd (the password management module)

Suggestion:
* implement as a driver (Horde_Auth_Base descendant) wrapping the actual
driver rather than hook
* extract the original password for use in backends (imap, sieve,
ftp/gollem, ...) as you suggest

Jan Schneider has written a 2-part blog on details of horde
authentication. It's a good read.
--
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: ***@b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537