privacyidea / privacyidea Goto Github PK


Multi-factor authentication system (2FA, MFA, OTP server)

Home Page: http://www.privacyidea.org

License: GNU Affero General Public License v3.0


Introduction

privacyIDEA


privacyIDEA is an open solution for strong two-factor authentication with OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you can add a second factor to the authentication of your existing applications, such as local login (PAM, Windows Credential Provider), VPN, remote access, SSH connections, and access to web sites or web portals, and thus boost their security.

Overview

privacyIDEA runs as an additional service in your network and you can connect different applications to privacyIDEA.

privacyIDEA Integration

privacyIDEA does not bind you to any particular authentication protocol, nor does it dictate where your user information is stored. This is achieved by its fully modular architecture. privacyIDEA is open not only in its architecture: it is licensed entirely under the AGPLv3.

It supports a wide variety of authentication devices like OTP tokens (HMAC, HOTP, TOTP, OCRA, mOTP), Yubikey (HOTP, TOTP, AES), FIDO U2F, as well as FIDO2 WebAuthn devices like Yubikey and Plug-Up, smartphone Apps like Google Authenticator, FreeOTP, Token2 or TiQR, SMS, Email, SSH keys, x509 certificates and Registration Codes for easy deployment.

privacyIDEA is based on Flask and SQLAlchemy as the Python backend. The web UI is based on AngularJS and Bootstrap. A MachineToken design lets you assign tokens to machines, so you can use your Yubikey to unlock LUKS, assign SSH keys to SSH servers or use offline OTP with PAM.

You may join the discourse discussion forum to give feedback, help other users, discuss questions and ideas: https://community.privacyidea.org

Setup

For setting up the system to run it, please read the install instructions at privacyidea.readthedocs.io <http://privacyidea.readthedocs.io/en/latest/installation/index.html>.

If you want to set up a development environment, start like this:

git clone https://github.com/privacyidea/privacyidea.git
cd privacyidea
virtualenv venv
source venv/bin/activate
pip install -r requirements.txt

You may additionally want to set up your environment for testing by installing the additional dependencies:

pip install -r tests/requirements.txt

You may also want to read the blog post about development and debugging at https://www.privacyidea.org/privacyidea-development-howto/

Getting and updating submodules

The client-side library for the registering and signing of WebAuthn-Credentials resides in a submodule.

To fetch all submodules for this repository, run:

git submodule update --init --recursive

When pulling changes from upstream later, you can automatically update any outdated submodules by running:

git pull --recurse-submodules

Running it

First you need to create a config file <https://privacyidea.readthedocs.io/en/latest/installation/system/inifile.html>.

Then create the database tables and the encryption key:

./pi-manage create_tables
./pi-manage create_enckey

If you want to keep the development database upgradable, you should stamp it to simplify later migrations:

./pi-manage db stamp head -d migrations/

Create the key for the audit log:

./pi-manage create_audit_keys

Create the first administrator:

./pi-manage admin add <username>

Run it:

./pi-manage run

Now you can connect to http://localhost:5000 with your browser and log in as administrator.

Run tests

If you have followed the steps above to set up your environment for testing, running the test suite should be as easy as running pytest with the following options:

python -m pytest -v --cov=privacyidea --cov-report=html tests/

Contributing

There are a lot of different ways to contribute to privacyIDEA, even if you are not a developer.

If you found a security vulnerability please report it to [email protected].

You can find detailed information about contributing here: https://github.com/privacyidea/privacyidea/blob/master/CONTRIBUTING.md

Code structure

The database models are defined in models.py and tested in tests/test_db_model.py.

Based on the database models there are the libraries lib/config.py, which is responsible for the basic configuration in the database table config, and lib/resolver.py, which provides functions for the database table resolver. The latter is tested in tests/test_lib_resolver.py.

Based on the resolver there is the library lib/realm.py which provides functions for the database table realm. Several resolvers are combined into a realm.

Based on the realm there is the library lib/user.py which provides functions for users. There is no database table user, since users are dynamically read from the user sources like SQL, LDAP, SCIM or flat files.

Subscriptions and limitations of community edition

Using privacyIDEA Server and the privacyIDEA FreeRADIUS plugin there is technically no limitation of the community edition or the code in this repository. Admins will receive a welcome message about possible support, if more than 50 users are enrolled.

Plugins

The privacyIDEA project also provides several plugins for 3rd party applications like SSO Identity Providers or Windows Login.

Plugins can be limited in the number of users, i.e. the plugin will complain if the total number of users in privacyIDEA with an active token exceeds a certain limit. There is a certain base number of users with which the plugin will work. To raise this number, you will need a subscription. In some cases a demo subscription can be found in the release list of the corresponding GitHub plugin repository; you can get a subscription from the company NetKnights, or, if you have a very good understanding of this open source code, you could create a subscription on your own.

Plugin name           Number of users   Number of users contained
                                        in demo subscription
====================  ===============   =========================
Keycloak              10000             N/A
SimpleSAMLphp         10000             N/A
Shibboleth            10000             N/A
ADFS                  50                50
privacyIDEA PAM       10000             N/A
Credential Provider   50                50
ownCloud              50                N/A
LDAP proxy            50                N/A

Versioning

privacyIDEA adheres to Semantic Versioning.


Issues

sipgate SMS

Support sipgate SMS with xmlrpc

Create a new sms provider, either a sipgateProvider or a common xmlrpcProvider.

Purpose of check_session in BaseController method

Hello,

during evaluation of calling the /selfservice/... routes in a somewhat RESTful way (i. e. outside of the regular web UI), I noticed that before_identity_check in BaseController performs a "double" identity check:

  1. by reading request.environ.get('repoze.who.identity')
  2. by calling check_session in privacyidea/lib/util

The second one explicitly checks for the presence of a cookie, a session param and their equality. Since I'd like to avoid using a session mechanism for calling the routes (e. g. by using HTTP Basic Auth), I am wondering about the reason for not relying only on the first check (i. e. the one in the repoze.who stack), especially of course regarding potential security implications.

Thanks in advance for looking into this.

getUserFromRequest

The getUserFromRequest should probably also try to get the username (administrator) from the repoze.who parameters.

Fix pylons version conflict

Tests are not running with pylons 1.0.1
Maybe this can be fixed by reworking middleware.py and environment.py.

...or by migrating the framework to pyramid.

Install 1.3 on CentOS 7: Download error

Not sure if it's supported yet, but when trying to install on CentOS 7, I get the following trace:

pip install privacyidea
Downloading/unpacking privacyidea
  Using download cache from /web/python/pip_cache/https%3A%2F%2Fpypi.python.org%2Fpackages%2Fsource%2Fp%2FprivacyIDEA%2FprivacyIDEA-1.3.tar.gz
  Running setup.py egg_info for package privacyidea
    Traceback (most recent call last):
      File "<string>", line 16, in <module>
      File "/opt/privacyidea/build/privacyidea/setup.py", line 131, in <module>
        long_description=get_file_contents('README.md')
      File "/usr/lib64/python2.7/distutils/core.py", line 112, in setup
        _setup_distribution = dist = klass(attrs)
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/dist.py", line 265, in __init__
        self.fetch_build_eggs(attrs.pop('setup_requires'))
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/dist.py", line 289, in fetch_build_eggs
        parse_requirements(requires), installer=self.fetch_build_egg
      File "/opt/privacyidea/lib/python2.7/site-packages/pkg_resources.py", line 618, in resolve
        dist = best[req.key] = env.best_match(req, self, installer)
      File "/opt/privacyidea/lib/python2.7/site-packages/pkg_resources.py", line 862, in best_match
        return self.obtain(req, installer) # try and download/install
      File "/opt/privacyidea/lib/python2.7/site-packages/pkg_resources.py", line 874, in obtain
        return installer(requirement)
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/dist.py", line 339, in fetch_build_egg
        return cmd.easy_install(req)
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 611, in easy_install
        self.local_index
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 583, in fetch_distribution
        self.prescan()
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 481, in prescan
        list(map(self.scan_url, self.to_scan))
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 765, in scan_url
        self.process_url(url, True)
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 303, in process_url
        f = self.open_url(url, "Download error on %s: %%s -- Some packages may not be found!" % url)
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 699, in open_url
        return open_with_auth(url, self.opener)
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 898, in _socket_timeout
        return func(*args, **kwargs)
      File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 945, in open_with_auth
        fp = opener(request)
      File "/usr/lib64/python2.7/urllib2.py", line 404, in open
        response = self._open(req, data)
      File "/usr/lib64/python2.7/urllib2.py", line 422, in _open
        '_open', req)
      File "/usr/lib64/python2.7/urllib2.py", line 382, in _call_chain
        result = func(*args)
      File "/usr/lib64/python2.7/urllib2.py", line 1216, in http_open
        return self.do_open(httplib.HTTPConnection, req)
      File "/usr/lib64/python2.7/urllib2.py", line 1189, in do_open
        r = h.getresponse(buffering=True)
      File "/usr/lib64/python2.7/httplib.py", line 1045, in getresponse
        response.begin()
      File "/usr/lib64/python2.7/httplib.py", line 409, in begin
        version, status, reason = self._read_status()
      File "/usr/lib64/python2.7/httplib.py", line 365, in _read_status
        line = self.fp.readline(_MAXLINE + 1)
      File "/usr/lib64/python2.7/socket.py", line 476, in readline
        data = self._sock.recv(self._rbufsize)
    socket.timeout: timed out
    Complete output from command python setup.py egg_info:
----------------------------------------
Cleaning up...
Command python setup.py egg_info failed with error code 1 in /opt/privacyidea/build/privacyidea

Glad to try anything you might consider.
Best,
KurtB

passwdresolver: wrong error message

If you create a passwdresolver with a filename that does not exist and then add this resolver to a realm, you get an error message about a missing module.
This is VERY misleading! :-)

You should get the error message, that the file does not exist...

load tokens PSKC

The load tokens functionality needs to be enhanced with PSKC and the loadtokens test in test_admin.py needs to be written.

We could use beautifulsoup:

from BeautifulSoup import BeautifulSoup

x="""<foo>
   <bar>
      <type foobar="1"/>
      <type foobar="2"/>
   </bar>
</foo>"""

y=BeautifulSoup(x)

>>> y.foo.bar.type["foobar"]
u'1'
>>> y.foo.bar.findAll("type")
[<type foobar="1"></type>, <type foobar="2"></type>]
>>> y.foo.bar.findAll("type")[0]["foobar"]
u'1'
>>> y.foo.bar.findAll("type")[1]["foobar"]
u'2'
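As an added illustration of what a PSKC loader has to extract (this is not privacyIDEA's own import code), the following parses a minimal RFC 6030 key container with the standard library instead of BeautifulSoup. The container, the vendor name and the serial numbers are constructed sample data; the secret is the RFC 4226 test key.

```python
# Added example (not privacyIDEA's own PSKC loader): parse a minimal PSKC
# (RFC 6030) key container and turn each KeyPackage into the fields a
# token import needs (serial, type, otpkey, otplen, counter/timestep).
import base64
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
NS = {"pskc": PSKC_NS}

# Algorithm URIs defined by RFC 6030, mapped to the token types used here.
ALGORITHM_TO_TOKENTYPE = {
    PSKC_NS + ":hotp": "hotp",
    PSKC_NS + ":totp": "totp",
}

# Constructed sample container: one HOTP key and one TOTP key, both with
# cleartext (PlainValue) secrets; the secret is the RFC 4226 test key.
SAMPLE_PSKC = """<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>Example Vendor</Manufacturer>
      <SerialNo>987654321</SerialNo>
    </DeviceInfo>
    <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <AlgorithmParameters>
        <ResponseFormat Length="8" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
  <KeyPackage>
    <DeviceInfo>
      <SerialNo>112233</SerialNo>
    </DeviceInfo>
    <Key Id="112233" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters>
        <ResponseFormat Length="6" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def _plain_value(key, name):
    """Return the text of Data/<name>/PlainValue below a Key, or None."""
    node = key.find("pskc:Data/pskc:%s/pskc:PlainValue" % name, NS)
    if node is None or node.text is None:
        return None
    return node.text.strip()


def parse_pskc(xml_text):
    """Return one token dict per KeyPackage with a cleartext secret.

    EncryptedValue secrets would need the transport key from the container's
    EncryptionKey element and are rejected. Uploaded containers are untrusted
    input: in production use a hardened parser such as defusedxml.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}KeyContainer" % PSKC_NS:
        raise ValueError("not a PSKC KeyContainer document")
    tokens = []
    for package in root.findall("pskc:KeyPackage", NS):
        key = package.find("pskc:Key", NS)
        if key is None:
            continue
        serial_node = package.find("pskc:DeviceInfo/pskc:SerialNo", NS)
        serial = serial_node.text.strip() if serial_node is not None else key.get("Id")
        tokentype = ALGORITHM_TO_TOKENTYPE.get(key.get("Algorithm", ""))
        if tokentype is None:
            raise ValueError("unsupported algorithm for key %s" % serial)
        secret_b64 = _plain_value(key, "Secret")
        if secret_b64 is None:
            raise ValueError("key %s has no cleartext secret" % serial)
        fmt = key.find("pskc:AlgorithmParameters/pskc:ResponseFormat", NS)
        token = {
            "serial": serial,
            "type": tokentype,
            "otpkey": base64.b64decode(secret_b64).hex(),
            "otplen": int(fmt.get("Length", "6")) if fmt is not None else 6,
        }
        if tokentype == "hotp":
            token["counter"] = int(_plain_value(key, "Counter") or 0)
        else:
            token["timestep"] = int(_plain_value(key, "TimeInterval") or 30)
        tokens.append(token)
    return tokens
```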

base-path

It should be possible to run privacyIDEA not only at root (like
/manage/
/admin/show/

but also on an additional base path like
/base/manage
/base/admin/show

improve the SMSProvider UI

The UI of the sms provider should be improved.
Either via a better UI, a direct online help or presets.

nginx config

Provide an nginx config and/or a file
/etc/default/privacyidea, which may contain information about which user runs privacyidea.

In the case of nginx, we might run uwsgi as user "privacyidea". But nginx (running as www-data) also needs to access the uwsgi socket...

memory leak

The sqlaudit module has a memory leak.

monitoring the process with htop
start paster with mysql database
run 10000 requests with a passwd user with an SPASS token: $ ab -n 10000 -c 2 http://127.0.0.1:5001/validate/check?user=corny\&pass=test

With the sqlaudit module active the consumed memory will increase from 100MB to 1200MB. The memory will not be freed.
privacyidea (Owner) commented on 16 May:

This problem does not seem to be connected to the sqlaudit module. Even when deactivating the audit and the policies in the validate controller, the memory is leaked.

privacyidea referenced this issue on 16 May: "remove dictionaries and del" #5 (closed)

privacyidea (Owner) commented on 18 May:

We change this to be a known issue.
With closing #5, a setup with Apache and MySQL only eats up 23MB when doing 10,000 authentication requests.

We assume this to be tolerable at the moment, especially due to the fact that Apache will be reloaded once a day for log rotation.

Add issuing client certificates

Somehow we might also issue client certificates.

As we have a self service portal, this might be ideal to enroll certificates in the client.
Either by creating the keypair in the browser or by uploading pkcs10 requests.

http://serverfault.com/questions/617901/solution-for-ssl-client-certificates-with-user-self-service/

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen

A module system should be able to define, WHAT signs the certificate request.
Thus we could provide modules that use a simple openssl CA to sign a certificate request or a module could connect to some other enterprise CA to sign the certificate.
Several different modules/CAs should be usable at the same time...

See the wiki: https://github.com/privacyidea/privacyidea/wiki/concept%3A-certificates


Journal and rollback

A journal that allows the rollback or undo of administrator actions.

Each admin audit log entry could save the modified token row, before it is modified.
Thus it could be possible to search the audit log for an administrator event, select this audit entry and click the "undo" button.
This would be the start with the token table.

Thinking of Config or Realm table would be more complicated.
Database snapshots or copy on write might not simply allow an undo of one special event last week. What would happen with actions in between?

Backup and Restore

Create a backup and restore for the appliance setup tui.
The backup should be created in cronjobs.

not optimal session timeout

The repoze.who reissue_time is not configured optimally.
The cookie timeout is set to 600sec, the reissue to 540. I.e. if a user works for 8 minutes he works with the old cookie. Then he pauses for 2 minutes and comes back at 601 sec.
The timeout is over and the cookie was not reissued.

We change this to timeout=600 and reissue=timeout/2.

The timeout can be configured via:

privacyIDEASessionTimout

Create an RPM package for CentOS 7

We should provide an RPM package for CentOS.

This is not that easy, since many dependencies are not even contained in epel for CentOS 6.
...maybe with CentOS 7.

A possibility would be to provide an RPM package with the complete virtualenv setup in /opt.

support daplug dongle

We need to be able to validate OTP values from the daplug dongle, that look like this:

efekeiebekeh

b -> 0
c -> 1
d -> 2
e -> 3
f -> 4
g -> 5
h -> 6
i -> 7
j -> 8
k -> 9

Maybe it is easier to inherit a daplug type from hmac.

A 6 digit OTP value will produce a 12 character string.
A 8 digit OTP value will produce a 16 character string.
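The decoding this issue asks for, as an added example that is not privacyIDEA's own daplug token class. The encoding is inferred from the sample string: each OTP digit is sent as the two hex nibbles of its ASCII code, each nibble written as a letter b..k, which is why 6 digits arrive as 12 letters and 8 digits as 16. The HOTP routine follows RFC 4226; the key and window size are constructed sample values.

```python
# Added example (not privacyIDEA's own daplug token class): decode the
# daplug dongle's letter output into the digits of an HOTP value and verify
# it against a counter window, as an HMAC-derived token type would.
import hashlib
import hmac
import struct

# Letter-to-value mapping from the issue: b..k stand for 0..9.
DAPLUG_ALPHABET = "bcdefghijk"
DAPLUG_TO_NIBBLE = {ch: i for i, ch in enumerate(DAPLUG_ALPHABET)}


def daplug_to_digits(otp):
    """Translate a 12- or 16-letter daplug string into 6 or 8 OTP digits.

    Assumed encoding, inferred from the issue's sample "efekeiebekeh": each
    digit is sent as the two hex nibbles of its ASCII code (0x30..0x39),
    each nibble as a letter, so "ef" -> 0x34 -> "4".
    """
    otp = otp.lower()
    if len(otp) not in (12, 16):
        raise ValueError("daplug OTP must be 12 or 16 characters long")
    digits = []
    for i in range(0, len(otp), 2):
        try:
            hi, lo = DAPLUG_TO_NIBBLE[otp[i]], DAPLUG_TO_NIBBLE[otp[i + 1]]
        except KeyError:
            raise ValueError("character outside the daplug alphabet b..k")
        code = hi * 16 + lo
        if not 0x30 <= code <= 0x39:  # must be an ASCII decimal digit
            raise ValueError("pair %r does not encode a digit" % otp[i:i + 2])
        digits.append(chr(code))
    return "".join(digits)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_daplug_otp(key, counter, otp, window=10):
    """Verify a daplug OTP; return the next counter to store, or None.

    The look-ahead window tolerates button presses that never reached the
    server. The returned counter must be persisted before answering, so the
    same OTP cannot be replayed.
    """
    try:
        digits = daplug_to_digits(otp)
    except ValueError:
        return None
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(key, c, len(digits)), digits):
            return c + 1
    return None


if __name__ == "__main__":
    # Constructed demo with the RFC 4226 test key: counter 0 gives 755224,
    # which the dongle would emit as "eiegegededef".
    KEY = b"12345678901234567890"
    print(daplug_to_digits("efekeiebekeh"))          # 497096
    print(check_daplug_otp(KEY, 0, "eiegegededef"))  # 1
```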

documentation

Add online documentation.
This should be available on the website and from within the management.

It should also be possible to access the documentation from certain dialogs and jump from those dialogs directly to the corresponding topic in the documentation.

TiQR token

support for enrollment of TiQR token, which could be inherited from the OCRA token.

SQL-Resolver with presets enhancement

The SQL-Resolver create dialog in the web UI could contain presets for certain SQL based web applications like:

wordpress (done)
tine 2.0 (done)
kolab... The mapping and the table name could be preset.

reassign a token

This is related to #45.

If a token is already assigned to some user, assigning this token to a second/other user should not be possible right away.
Possibilities:

  1. avoid reassign at all. If assigning a serial number, we might check, if this serial number is already assigned. (this could be configurable)
  2. Define a policy scope=admin,action=reassign, that needs to be set if an admin is allowed to reassign a token.

Implementation could also be done in two steps, first 1 and then 2.

If a reassign is done, the OTP counter should not get reset.

wizard to setup the first realm.

All howtos show, that setting up the first realm and enrolling the first token is a bit complicated! ;-)

  • we could have a wizard
  • we could preconfigure the local users
  • we could have a meta package that configures the local users, if no other realm is defined

Add Token2 support

Token2 is a smartphone app that can enroll motp token with a QRcode and protect TOTP token with a PIN.
Add the QRCode enrollment of motp token.

WebUI: multiple token selections

Selecting multiple tokens in the WebUI can lead to problems, if multiple tokens are selected accidentally and those tokens are assigned to a user.
Then all tokens will be assigned, even if the tokens are assigned to other users at the moment.

What can be done?

  1. A setting could define: Only allow one token to be selected.
  2. Each time several tokens are selected, we could add a security questions: "You want to operate on many tokens... proceed? Are you sure? Did you ask bill?"

In the left column where the selected tokens are displayed, we could add a button "unselect all tokens".

add RADIUS support

Add the perl module to forward the radius request to privacyIDEA.

This radius module should run without manually installing modules from CPAN.

The session timeout does allow the last action

The admin webui provides a session timeout.
When waiting for a while, the session times out. When e.g. enabling or disabling a token, the web UI responds that the session timed out. But nevertheless the action is performed!
When you log in again you can see that the token is deactivated.

The session timeout needs to be checked before doing the action. Or the action must not be performed if the session timed out.

Take a look at lib.base:before_identity_check.

login with command line client

When the realm box is active, you cannot log in with the command line client.
This is because the command line client sends the username "user@realm".
And the server appends "@defaultrealm" to this. This user of course does not exist.

The server should not add the @defaultrealm if a username with "@realm" is given (of course only if we do "splitAtSign").

Default values in Token config dialog

The Token Config dialog complains about missing values of RADIUS token and REMOTE token... even if you did not configure those tokens.

Either choose some sensible default values or deactivate this config, so the dialog does not need to complain.

Use AuthorizedKeysCommand in sshd

The sshd_config provides "AuthorizedKeysCommand".

We could provide a controller that returns the necessary authorized keys, and we could enhance the command line client to fetch these. Then the AuthorizedKeysCommand could be configured to fetch the SSH authorized keys online from privacyIDEA.

  1. Create the controller-method and
  2. create the CLI

end to display encryption

We need to provide an API for the end to display encryption.

  1. New Token Type
  2. Know the encryption key
  3. /validate/check: generate a challenge and calculate the encrypted image and return the encrypted image with a keypad in it
  4. /validate/check: receive the clicked coordinates as response. The coordinates could be transferred as the pass parameter to keep the interface intact. The tokentype might then split the pass into the coordinates and check with the challenge, if the coordinates match the challenged code/keypad.

More information is to be gathered on the wiki page.

SSH token

Add an SSH token, which includes the public key and provides this public key to the client machine so that this public key can be merged into the authorized keys.

Why not use salt:
http://docs.saltstack.com/en/latest/ref/states/all/salt.states.ssh_auth.html

Additional salt modules could also write the LUKS slot...
or the authorized keys.
Thus only the salt master would communicate to privacyIDEA and salt would distribute the authentication items to the machines.

...see the salt wiki page.

disabled SSH tokens

disabled SSH tokens will be removed from the authorized_keys.
(done)

The reading of the public keys and the pushing to salt will be performed in the package privacyideaadm.

fix some config logic

splitAtSign splits even if it is not set in the config database.
But if it is not set in the DB, the CB is not checked in the UI, and it still splits!

the login.help button should be on by default. (same as splitAtSign)

Delete application fails

Deleting Application fails in the WebUI.
Deleting application with the command line client works fine.

This is the error log from the webUI:

2014/08/20 - 15:30:20 ERROR {140522189699008} [privacyidea.controllers.machine][deltoken #455] Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/privacyidea/controllers/machine.py", line 442, in deltoken
res = deltoken(machine_name, serial, application)
File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 95, in wrapper
f_result = func(*args, **kwds)
File "/usr/lib/python2.7/dist-packages/privacyidea/lib/machine.py", line 240, in deltoken
MachineToken.application == application)).delete()
File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 2603, in delete
delete_op.exec_()
File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 816, in exec_
self._do_exec()
File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 942, in _do_exec
params=self.query._params)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 934, in execute
clause, params or {})
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 662, in execute
params)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 761, in _execute_clauseelement
compiled_sql, distilled_params
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 874, in _execute_context
context)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1024, in _handle_dbapi_exception
exc_info
File "/usr/lib/python2.7/dist-packages/sqlalchemy/util/compat.py", line 196, in raise_from_cause
reraise(type(exception), exception, tb=exc_tb)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 867, in _execute_context
context)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/default.py", line 324, in do_execute
cursor.execute(statement, parameters)
File "/usr/lib/python2.7/dist-packages/MySQLdb/cursors.py", line 174, in execute
self.errorhandler(self, exc, value)
File "/usr/lib/python2.7/dist-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
raise errorclass, errorvalue
IntegrityError: (IntegrityError) (1451, 'Cannot delete or update a parent row: a foreign key constraint fails (privacyidea.MachineTokenOptions, CONSTRAINT MachineTokenOptions_ibfk_1 FOREIGN KEY (machinetoken_id) REFERENCES MachineToken (id))') 'DELETE FROM MachineToken WHERE MachineToken.token_id = %s AND MachineToken.machine_id = %s AND MachineToken.application = %s' (43L, 2L, 'ssh')
