Features/FreeIPA Two Factor Authentication

From FedoraProject

(Documentation)
(Current status)
 
(11 intermediate revisions by 3 users not shown)
Line 9: Line 9:
 
== Current status ==
 
== Current status ==
 
* Targeted release: [[Releases/19 | Fedora 19 ]]  
 
* Targeted release: [[Releases/19 | Fedora 19 ]]  
* Last updated: 2013-01-29
+
* Last updated: 2013-05-14
* Percentage of completion: 60%
+
* Percentage of completion: 100%
 +
* Patches are currently in review in corresponding projects: sssd, FreeIPA, MIT Kerberos
 +
* The core functionality (krb5, FreeIPA) is testable in F19 now.
 +
* Remaining functionality will be delivered in SSSD 1.10 and FreeIPA 3.2.1.
 +
* We will organize a test day in June.
 +
 
 +
{| class="wikitable"
 +
|-
 +
!
 +
! scope="col"| Code
 +
! scope="col"| Submitted
 +
! scope="col"| Merged Upstream
 +
! scope="col"| In F19
 +
|-
 +
! scope="row"| sssd
 +
| [http://github.com/npmccallum/sssd/commit/b7e70d1da977f6b08a9590cdbfdb85683e52ccbe github.com]
 +
| [http://lists.fedorahosted.org/pipermail/sssd-devel/2013-March/013944.html YES]
 +
| [http://git.fedorahosted.org/cgit/sssd.git/commit/?id=b40583c6d52b72e41bf01106534535e54b4fba4f YES]
 +
| [http://koji.fedoraproject.org/koji/buildinfo?buildID=416093 YES]
 +
|-
 +
! scope="row"| krb5
 +
| [http://github.com/npmccallum/krb5/commits/otp github.com]
 +
| YES
 +
| In Process
 +
| [http://koji.fedoraproject.org/koji/buildinfo?buildID=401767 YES]
 +
|-
 +
! scope="row"| freeipa-devel
 +
| [http://github.com/npmccallum/freeipa/commits/otp github.com]
 +
| [http://www.redhat.com/archives/freeipa-devel/2013-March/msg00125.html YES]
 +
| YES
 +
| [http://koji.fedoraproject.org/koji/buildinfo?buildID=419083 YES]
 +
|}
  
 
== Detailed Description ==
 
== Detailed Description ==
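Review bot: In the Current status hunk, "Percentage of completion: 100%" sits beside the added bullet "Patches are currently in review in corresponding projects" and a krb5 row whose Merged Upstream cell reads "In Process", while another added bullet defers remaining functionality to SSSD 1.10 and FreeIPA 3.2.1. State what the 100% covers (for example, the F19 builds linked in the last column), or drop the in-review bullet if it is stale, so readers can tell which parts of the feature are usable in F19.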
Line 44: Line 75:
  
 
== Release Notes ==
 
== Release Notes ==
None needed.
+
Two Factor Authentication is now available for FreeIPA. For instructions, please see your FreeIPA administrator.
  
 
== Comments and Discussion ==
 
== Comments and Discussion ==
Line 50: Line 81:
  
  
[[Category:FeaturePageIncomplete]]
+
[[Category:FeatureAcceptedF19]]
<!-- When your feature page is completed and ready for review -->
+
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
+
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
+
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
+

Latest revision as of 12:48, 28 May 2013

FreeIPA Two Factor Authentication

Summary

Provide Kerberos-enabled, LDAP-replicated two-factor authentication for FreeIPA.

Owner

Current status

  • Targeted release: Fedora 19
  • Last updated: 2013-05-14
  • Percentage of completion: 100%
  • Patches are currently in review in corresponding projects: sssd, FreeIPA, MIT Kerberos
  • The core functionality (krb5, FreeIPA) is testable in F19 now.
  • Remaining functionality will be delivered in SSSD 1.10 and FreeIPA 3.2.1.
  • We will organize a test day in June.

Component      Code        Submitted  Merged Upstream  In F19
sssd           github.com  YES        YES              YES
krb5           github.com  YES        In Process       YES
freeipa-devel  github.com  YES        YES              YES

Detailed Description

Until recently, no two-factor authentication was possible with Kerberos. However, the standardization of RFC 6560 combined with recent work in the MIT krb5 code makes it possible to now offer support for two-factor authentication in Kerberos.

Fedora 18 already supports most of the client side of this proposal. FreeIPA will be landing support for the server side in Fedora 19.

Benefit to Fedora

Users of FreeIPA will be able to deploy two-factor authentication across the replicated user directory.

Scope

  • sssd will need to merge a patch for client side integration with OTP (already written).
  • krb5 will need to backport a self-contained plugin for the server-side support (upstream work in process).
  • FreeIPA will gain a dependency on libverto (already packaged and already a dependency of krb5).

How To Test

Each component will have unit tests.

To test the feature as a whole, you will need a TOTP (RFC 6238) client, such as Google Authenticator. You will then add a token to a user and confirm that authentication succeeds.

User Experience

No change will be made by default. When an admin configures a user for two-factor authentication, the authenticating user will need to use a TOTP client.

Dependencies

MIT needs to merge the OTPOverRADIUS proposal upstream. However, since we are backporting this feature anyway, this risk is minimal.

Contingency Plan

None necessary; FreeIPA will work exactly as it currently does.

Documentation

Release Notes

Two Factor Authentication is now available for FreeIPA. For instructions, please see your FreeIPA administrator.

Comments and Discussion