privacyidea / privacyidea
:closed_lock_with_key: multi factor authentication system (2FA, MFA, OTP Server)
Home Page: http://www.privacyidea.org
License: GNU Affero General Public License v3.0
We should provide an RPM package for CentOS.
This is not that easy, since many dependencies are not even contained in epel for CentOS 6.
...maybe with CentOS 7.
A possibility would be to provide an RPM package with the complete virtualenv setup in /opt.
The SQL-Resolver create dialog in the web-UI could contain presets for certain SQL based web applications like:
wordpress (done)
tine 2.0 (done)
kolab... The mapping and the table name could be preset.
The sshd_conf provides "AuthorizedKeysCommand".
We could provide a controller that returns the necessary authorized keys, and we could enhance the command line client to fetch these. Then the AuthorizedKeysCommand could be configured to fetch the SSH authorized keys online from privacyIDEA.
The controller method check_url needs to be finished to work with pam_url.
Provide an nginx config and/or provide a file /etc/default/privacyidea, which may contain information about which user runs privacyidea.
In the case of nginx, we might run uwsgi as user "privacyidea". But nginx (running as www-data) also needs to access the uwsgi socket...
All howtos show that setting up the first realm and enrolling the first token is a bit complicated! ;-)
Add crypto stick support. https://www.crypto-stick.com/de
Add support for the OTP part of the crypto stick. Enable the smooth enrollment and OTP authentication against privacyIDEA.
(smartcard support? How...?)
If you create a passwdresolver with a filename that does not exist and then add this resolver to a realm, you get an error message about a missing module.
This is VERY misleading! :-)
You should get the error message, that the file does not exist...
We need to be able to validate OTP values from the daplug dongle, that look like this:
efekeiebekeh
b -> 0
c -> 1
d -> 2
e -> 3
f -> 4
g -> 5
h -> 6
i -> 7
j -> 8
k -> 9
Maybe it is easier to inherit a daplug type from hmac.
A 6 digit OTP value will produce a 12 character string.
A 8 digit OTP value will produce a 16 character string.
(depends on #30)
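As an added example (not code from the privacyIDEA project): a decoder for the daplug letter alphabet listed above, plus an RFC 4226 HOTP check, so the decoded value can be validated the way an hmac-derived token type would. It assumes, from the sample string, that each OTP digit is sent as the two hex digits of its ASCII code (which is why 6 digits become 12 letters); the look-ahead window and the function names are assumptions as well.

```python
import hashlib
import hmac
import struct

# Daplug keyboard alphabet as listed in the issue: b..k stand for the digits 0..9.
DAPLUG_ALPHABET = "bcdefghijk"
DAPLUG_DIGIT = {ch: idx for idx, ch in enumerate(DAPLUG_ALPHABET)}


def daplug_decode(typed):
    """Turn a string typed by the dongle (e.g. 'efekeiebekeh') into the OTP digits.

    Assumption (inferred from the sample, not stated by the issue): every OTP
    digit is emitted as the two hex digits of its ASCII code (0x30..0x39), each
    hex digit spelled with the letter table above.
    """
    if len(typed) % 2 or any(ch not in DAPLUG_DIGIT for ch in typed):
        raise ValueError("not a daplug OTP string: %r" % typed)
    digits = []
    for hi, lo in zip(typed[0::2], typed[1::2]):
        code = DAPLUG_DIGIT[hi] * 16 + DAPLUG_DIGIT[lo]
        if not 0x30 <= code <= 0x39:
            raise ValueError("pair %s%s does not encode a decimal digit" % (hi, lo))
        digits.append(chr(code))
    return "".join(digits)


def daplug_encode(otp):
    """Inverse of daplug_decode; handy for building test inputs."""
    out = []
    for d in otp:
        code = ord(d)
        out.append(DAPLUG_ALPHABET[code >> 4] + DAPLUG_ALPHABET[code & 0xF])
    return "".join(out)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm behind the hmac token type."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_daplug_otp(key, typed, counter, window=10):
    """Validate a typed daplug string against the token's HOTP counter.

    Returns the next counter (matched counter + 1) on success, otherwise None.
    The look-ahead window is an assumption, not taken from privacyIDEA's code.
    """
    try:
        otp = daplug_decode(typed)
    except ValueError:
        return None
    if len(otp) not in (6, 8):
        return None
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(key, c, len(otp)), otp):
            return c + 1
    return None
```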
There is an easy howto for setting it up...
https://www.digitalocean.com/community/tutorials/how-to-set-up-and-use-yum-repositories-on-a-centos-6-vps
Tests are not running with pylons 1.0.1
Maybe this can be fixed by reworking middleware.py and environment.py.
...or by migrating the framework to pyramid.
Hello,
during evaluation of calling the /selfservice/... routes in a somewhat RESTful way (i. e. outside of the regular web UI), I noticed that before_identity_check in BaseController performs a "double" identity check:
request.environ.get('repoze.who.identity')
check_session in privacyidea/lib/util
The second one explicitly checks for the presence of a cookie, a session param and their equality. Since I'd like to avoid using a session mechanism for calling the routes (e. g. by using HTTP Basic Auth), I am wondering about the reason for not relying only on the first check (i. e. the one in the repoze.who stack), especially of course regarding potential security implications.
Thanks in advance for looking into this.
The load tokens functionality needs to be enhanced with PSKC and the loadtokens test in test_admin.py needs to be written.
We could use beautifulsoup:
from BeautifulSoup import BeautifulSoup
x="""<foo>
<bar>
<type foobar="1"/>
<type foobar="2"/>
</bar>
</foo>"""
y=BeautifulSoup(x)
>>> y.foo.bar.type["foobar"]
u'1'
>>> y.foo.bar.findAll("type")
[<type foobar="1"></type>, <type foobar="2"></type>]
>>> y.foo.bar.findAll("type")[0]["foobar"]
u'1'
>>> y.foo.bar.findAll("type")[1]["foobar"]
u'2'
We need to define policies for the new machine controller.
The repoze.who reissue_time is not configured optimally.
The cookie timeout is set to 600sec, the reissue to 540. I.e. if a user works for 8 minutes he works with the old cookie. Then he pauses for 2 minutes and comes back at 601 sec.
The timeout is over and the cookie was not reissued.
We change this to timeout=600 and reissue=timeout/2.
The timeout can be configured via:
privacyIDEASessionTimout
try to add a basic ldap test with python-mock
http://pythonhosted.org//mockldap/overview.html#example
Deleting Application fails in the WebUI.
Deleting application with the command line client works fine.
This is the error log from the webUI:
2014/08/20 - 15:30:20 ERROR {140522189699008} [privacyidea.controllers.machine][deltoken #455] Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/privacyidea/controllers/machine.py", line 442, in deltoken
res = deltoken(machine_name, serial, application)
File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 95, in wrapper
f_result = func(args, *kwds)
File "/usr/lib/python2.7/dist-packages/privacyidea/lib/machine.py", line 240, in deltoken
MachineToken.application == application)).delete()
File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 2603, in delete
delete_op.exec()
File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 816, in exec
self._do_exec()
File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 942, in _do_exec
params=self.query._params)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 934, in execute
clause, params or {})
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 662, in execute
params)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 761, in _execute_clauseelement
compiled_sql, distilled_params
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 874, in _execute_context
context)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1024, in _handle_dbapi_exception
exc_info
File "/usr/lib/python2.7/dist-packages/sqlalchemy/util/compat.py", line 196, in raise_from_cause
reraise(type(exception), exception, tb=exc_tb)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 867, in _execute_context
context)
File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/default.py", line 324, in do_execute
cursor.execute(statement, parameters)
File "/usr/lib/python2.7/dist-packages/MySQLdb/cursors.py", line 174, in execute
self.errorhandler(self, exc, value)
File "/usr/lib/python2.7/dist-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
raise errorclass, errorvalue
IntegrityError: (IntegrityError) (1451, 'Cannot delete or update a parent row: a foreign key constraint fails (privacyidea.MachineTokenOptions, CONSTRAINT MachineTokenOptions_ibfk_1 FOREIGN KEY (machinetoken_id) REFERENCES MachineToken (id))') 'DELETE FROM MachineToken WHERE MachineToken.token_id = %s AND MachineToken.machine_id = %s AND MachineToken.application = %s' (43L, 2L, 'ssh')
Support sipgate SMS with xmlrpc
Create a new sms provider, either a sipgateProvider or a common xmlrpcProvider.
Add online documentation.
This should be available on the website and from within the management.
It should also be possible to access the documentation from certain dialogs and jump from those dialogs directly to the corresponding topic in the documentation.
Selecting multiple tokens in the WebUI can lead to problems, if multiple tokens are selected accidentally and those tokens are assigned to a user.
Then all tokens will be assigned, even if the tokens are assigned to other users at the moment.
What can be done?
In the left column where the selected tokens are displayed, we could add a button "unselect all tokens".
The admin webui provides a session timeout.
When waiting for a while, the session times out. When e.g. enabling or disabling a token, the web UI responds that the session timed out. But nevertheless the action is performed!
When re-login you can see, that the token is deactivated.
The session timeout needs to be checked before doing the action, or the action must not be performed if the session has timed out.
Take a look at lib.base:before_identity_check.
importlib is not available in python 2.6, so we need to dynamically import the application modules in another way!
Not sure if it's supported yet, but when trying to install on CentOS 7, I get the following trace:
pip install privacyidea
Downloading/unpacking privacyidea
Using download cache from /web/python/pip_cache/https%3A%2F%2Fpypi.python.org%2Fpackages%2Fsource%2Fp%2FprivacyIDEA%2FprivacyIDEA-1.3.tar.gz
Running setup.py egg_info for package privacyidea
Traceback (most recent call last):
File "<string>", line 16, in <module>
File "/opt/privacyidea/build/privacyidea/setup.py", line 131, in <module>
long_description=get_file_contents('README.md')
File "/usr/lib64/python2.7/distutils/core.py", line 112, in setup
_setup_distribution = dist = klass(attrs)
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/dist.py", line 265, in __init__
self.fetch_build_eggs(attrs.pop('setup_requires'))
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/dist.py", line 289, in fetch_build_eggs
parse_requirements(requires), installer=self.fetch_build_egg
File "/opt/privacyidea/lib/python2.7/site-packages/pkg_resources.py", line 618, in resolve
dist = best[req.key] = env.best_match(req, self, installer)
File "/opt/privacyidea/lib/python2.7/site-packages/pkg_resources.py", line 862, in best_match
return self.obtain(req, installer) # try and download/install
File "/opt/privacyidea/lib/python2.7/site-packages/pkg_resources.py", line 874, in obtain
return installer(requirement)
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/dist.py", line 339, in fetch_build_egg
return cmd.easy_install(req)
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 611, in easy_install
self.local_index
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 583, in fetch_distribution
self.prescan()
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 481, in prescan
list(map(self.scan_url, self.to_scan))
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 765, in scan_url
self.process_url(url, True)
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 303, in process_url
f = self.open_url(url, "Download error on %s: %%s -- Some packages may not be found!" % url)
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 699, in open_url
return open_with_auth(url, self.opener)
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 898, in _socket_timeout
return func(*args, **kwargs)
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 945, in open_with_auth
fp = opener(request)
File "/usr/lib64/python2.7/urllib2.py", line 404, in open
response = self._open(req, data)
File "/usr/lib64/python2.7/urllib2.py", line 422, in _open
'_open', req)
File "/usr/lib64/python2.7/urllib2.py", line 382, in _call_chain
result = func(*args)
File "/usr/lib64/python2.7/urllib2.py", line 1216, in http_open
return self.do_open(httplib.HTTPConnection, req)
File "/usr/lib64/python2.7/urllib2.py", line 1189, in do_open
r = h.getresponse(buffering=True)
File "/usr/lib64/python2.7/httplib.py", line 1045, in getresponse
response.begin()
File "/usr/lib64/python2.7/httplib.py", line 409, in begin
version, status, reason = self._read_status()
File "/usr/lib64/python2.7/httplib.py", line 365, in _read_status
line = self.fp.readline(_MAXLINE + 1)
File "/usr/lib64/python2.7/socket.py", line 476, in readline
data = self._sock.recv(self._rbufsize)
socket.timeout: timed out
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "<string>", line 16, in <module>
File "/opt/privacyidea/build/privacyidea/setup.py", line 131, in <module>
long_description=get_file_contents('README.md')
File "/usr/lib64/python2.7/distutils/core.py", line 112, in setup
_setup_distribution = dist = klass(attrs)
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/dist.py", line 265, in __init__
self.fetch_build_eggs(attrs.pop('setup_requires'))
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/dist.py", line 289, in fetch_build_eggs
parse_requirements(requires), installer=self.fetch_build_egg
File "/opt/privacyidea/lib/python2.7/site-packages/pkg_resources.py", line 618, in resolve
dist = best[req.key] = env.best_match(req, self, installer)
File "/opt/privacyidea/lib/python2.7/site-packages/pkg_resources.py", line 862, in best_match
return self.obtain(req, installer) # try and download/install
File "/opt/privacyidea/lib/python2.7/site-packages/pkg_resources.py", line 874, in obtain
return installer(requirement)
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/dist.py", line 339, in fetch_build_egg
return cmd.easy_install(req)
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 611, in easy_install
self.local_index
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 583, in fetch_distribution
self.prescan()
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 481, in prescan
list(map(self.scan_url, self.to_scan))
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 765, in scan_url
self.process_url(url, True)
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 303, in process_url
f = self.open_url(url, "Download error on %s: %%s -- Some packages may not be found!" % url)
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 699, in open_url
return open_with_auth(url, self.opener)
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 898, in _socket_timeout
return func(*args, **kwargs)
File "/opt/privacyidea/lib/python2.7/site-packages/setuptools/package_index.py", line 945, in open_with_auth
fp = opener(request)
File "/usr/lib64/python2.7/urllib2.py", line 404, in open
response = self._open(req, data)
File "/usr/lib64/python2.7/urllib2.py", line 422, in _open
'_open', req)
File "/usr/lib64/python2.7/urllib2.py", line 382, in _call_chain
result = func(*args)
File "/usr/lib64/python2.7/urllib2.py", line 1216, in http_open
return self.do_open(httplib.HTTPConnection, req)
File "/usr/lib64/python2.7/urllib2.py", line 1189, in do_open
r = h.getresponse(buffering=True)
File "/usr/lib64/python2.7/httplib.py", line 1045, in getresponse
response.begin()
File "/usr/lib64/python2.7/httplib.py", line 409, in begin
version, status, reason = self._read_status()
File "/usr/lib64/python2.7/httplib.py", line 365, in _read_status
line = self.fp.readline(_MAXLINE + 1)
File "/usr/lib64/python2.7/socket.py", line 476, in readline
data = self._sock.recv(self._rbufsize)
socket.timeout: timed out
----------------------------------------
Cleaning up...
Command python setup.py egg_info failed with error code 1 in /opt/privacyidea/build/privacyidea
Glad to try anything you might consider.
Best,
KurtB
A journal that allows the rollback or undo of administrator actions.
Each admin audit log entry could save the modified token row, before it is modified.
Thus it could be possible to search the audit log for an administrator event, select this audit entry and click the "undo" button.
This would be the start with the token table.
Thinking of Config or Realm table would be more complicated.
Database snapshots or copy on write might not simply allow an undo of one special event last week. What would happen with actions in between?
privacyidea-setup-tui
When creating or deleting a RADIUS client the list is not refreshed.
The Token Config dialog complains about missing values of RADIUS token and REMOTE token... even if you did not configure those tokens.
Either choose some sensible default values or deactivate this config, so the dialog does not need to complain.
Create a backup and restore for the appliance setup tui.
The backup should be created in cronjobs.
It should be possible to run privacyIDEA not only at root (like
/manage/
/admin/show/
) but also on an additional base path like
/base/manage
/base/admin/show
Use highwatermark and lowwatermark to clean up the SQL audit log.
When the realm box is active, you can not login with the command line client.
This is because the command line client sends the username "user@realm".
And the server adds to this "@defaultrealm". This user of course does not exist.
The server should not add the @defaultrealm if a username with "@realm" is given (of course only if we do "splitAtSign").
We need to change the import in the sqlresolver of sqlsoup.
The resolver fails and will not be contained in the list of available resolvers.
support for enrollment of TiQR token, which could be inherited from the OCRA token.
Somehow we might also issue client certificates.
As we have a self service portal, this might be ideal to enroll certificates in the client.
Either by creating the keypair in the browser or by uploading pkcs10 requests.
http://serverfault.com/questions/617901/solution-for-ssl-client-certificates-with-user-self-service/
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen
A module system should be able to define, WHAT signs the certificate request.
Thus we could provide modules that use a simple openssl CA to sign a certificate request or a module could connect to some other enterprise CA to sign the certificate.
Several different modules/CAs should be usable at the same time...
See the wiki: https://github.com/privacyidea/privacyidea/wiki/concept%3A-certificates
splitAtSign does split if it is not set in the config database.
But if it is not set in the DB, the CB is not checked in the UI - and still it splits!
the login.help button should be on by default. (same as splitAtSign)
Add an SSH token, which includes the public key and provides this public key to the client machine so that this public key can be merged into the authorized keys.
Why not use salt:
http://docs.saltstack.com/en/latest/ref/states/all/salt.states.ssh_auth.html
Additional salt modules could also write the LUKS slot...
or the authorized keys.
Thus only the salt master would communicate to privacyIDEA and salt would distribute the authentication items to the machines.
...see the salt wiki page.
disabled SSH tokens will be removed from the authorized_keys.
(done)
The reading of the public keys and the pushing to salt will be performed in the package privacyideaadm.
Add the perl module to forward the radius request to privacyIDEA.
This radius module should run without manually installing modules from CPAN.
The privacyidea.deb should set up a daily cron job to rotate the audit log.
In the tokeninfo you see very long column names like privacyIDEA.TokenSerialnumber.
These should be shortened. If a name begins with "privacyIDEA." it should be stripped.
The sqlaudit module has a memory leak.
monitoring the process with htop
start paster with mysql database
run 10000 requests with a passwd user with an SPASS token: $ ab -n 10000 -c 2 http://127.0.0.1:5001/validate/check?user=corny\&pass=test
With the sqlaudit module active the consumed memory will increase from 100MB to 1200MB. The memory will not be freed.
privacyidea (Owner) commented on 16 May:
This problem does not seem to be connected to the sqlaudit module. Even when deactivating the audit and the policies in the validate controller, the memory is leaked.
privacyidea referenced this issue on 16 May: remove dictionaries and del #5 (Closed)
privacyidea (Owner) commented on 18 May:
We change this to be a known issue.
With closing #5, a setup with Apache and MySQL only eats up 23MB when doing 10.000 authentication requests.
We assume this to be tolerable at the moment, especially due to the fact, that the apache will be reloaded once a day for log rotation.
The UI of the sms provider should be improved.
Either via a better UI, a direct online help or presets.
On ubuntu the var/run/privacyidea directory is removed after reboot.
libwww-perl
libconfig-inifiles-perl
libdata-dump-perl
libtry-tiny-perl
These and freeradius could be packed into an additional package "privacyidea-radius".
The login dialog should contain a help button, which points to the online help.
The help button should be configurable to be disabled.
The getUserFromRequest should probably also try to get the username (administrator) from the repoze.who parameters.
This is related to #45.
If a token is already assigned to some user, assigning this token to a second/other user should not be possible right away.
Possibilities:
scope=admin,action=reassign, that needs to be set if an admin is allowed to reassign a token. Implementation could also be done in two steps, first 1 and then 2.
If a reassign is done, the OTP counter should not get reset.
The yubikey can be used to unlock a LUKS slot for harddisk encryption.
https://github.com/cornelinux/yubikey-luks
Together with privacyIDEA the yubikeys can be enrolled and managed.
Token2 is a smartphone app that can enroll motp token with a QRcode and protect TOTP token with a PIN.
Add the QRCode enrollment of motp token.
We need to provide an API for the end to display encryption.
More information is to be gathered on the wiki page.
The preset buttons for sipgate and clickatel do not work
We should provide a setup script, that can be used to configure: