2FA in everything


#1

When it comes to authentication, not all services are born equal; for some services, the user needs to authenticate once and can then work for an unlimited amount of time, while with other services, authentication is needed for each transaction.

In the first category, there are SSH, VPN, databases, most of the web systems, login to Windows (Samba), Linux or Mac OS X…

In the second category, there are mostly the services related to email: IMAP, POP3 and SMTP (each of them, native or over SSL). When using an IMAP client, the client authenticates with the server to retrieve the list of new messages, then it authenticates for each message the user wants to read, then every 10 minutes to find new messages. Same thing with POP. When sending a message via SMTP, authentication is made with each new message. It is not realistic to ask the user for a new token each time. So these services need to be proxied, to keep the connection with the server open all the time, even if the client disconnects. I have found up-imapproxy that does the proxy for IMAP (without SSL), but no solution yet for POP3 or SMTP (a quick test shows that even SMTP could send several different messages, to several different recipients, inside one single authentication/connection).

Good security should be applied everywhere it is relevant. There is no point in using 2FA in one place and not the other; as long as the services in the second category cannot be included, 2FA will not offer the completely foolproof solution we can expect.

Any idea on that?

Best regards,

Olivier


#2

One solution is implemented in FreeIPA. The user authenticates against
FreeIPA and receives a Kerberos ticket and uses that to authenticate
against the services.

I use that for IMAP and SMTP via GSSAPI, so I have a single-sign-on
solution for my users - as long as the Kerberos ticket is valid.

You can either use internal 2FA in FreeIPA or proxy through RADIUS into
privacyidea (which is what I do).

The ticket has an authentication indicator, so you can require tickets
with 2FA for certain services (or require 2FA for all authentication).

Jochen


#3

Hi Olivier,

the problem with these services like IMAP or SMTP is that they have no knowledge of a session.
When it comes to IMAP, you can still use dovecot. I think when you configure dovecot to authenticate via PAM, you can use privacyidea-pam to authenticate the user and this will last for a while.

But let's take one step back: Why are you doing 2FA?

Because it is fun and en vogue? No, you probably do it to protect your data. And speaking of emails, I guess this data is not protected at all if you are not doing PGP or S/MIME. So you could also argue that protecting email with 2FA is not as important as protecting your file share, your customer database or any other private data with 2FA.

In this case you could also go for a poor man’s solution and use a static password, which is specific to SMTP or IMAP.
Think of this “password” as some kind of “authentication token”.

There is also another approach: We could cache the one-time password specific for this IP address or the application. Meaning: privacyIDEA can remember the OTP that was presented from the IP address of the SMTP server and accept this OTP for the next four hours. I think this is rather evil, but sometimes desperate situations (like no session in SMTP) require desperate means. In fact this thing with those applications is so annoying that we already created an issue at GitHub for this.

I am curious what you all think of this!

Kind regards
Cornelius


#4

privacyIDEA caching the OTP for some application would be great, of course. But most probably, privacyIDEA will have no knowledge of the client that initiated the connection, it will only know the server that requested to check authentication. A proxy to the server will know the client and will be able to cache the OTP for that client and that user only.

Best regards,

Olivier
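The caching idea from #3 and Olivier's objection in #4 (the cache must be bound to the client the proxy sees, not to the mail server's address) can be modelled in a few lines. The following is an added illustration, not code from privacyIDEA or from anyone in this thread: an RFC 4226 HOTP check whose successful result is remembered per (user, client address) for a fixed window, so the same OTP re-presented by the same client is accepted, while the same OTP from another client, a different value, or a re-presentation after expiry is not. The secret, the user name and the client addresses are constructed demo values; the four-hour window is the one named in #3.

```python
import hashlib
import hmac
import struct
import time

TTL_SECONDS = 4 * 60 * 60  # the "next four hours" window from the thread


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class CachedOtpValidator:
    """Validate an HOTP once, then accept that same OTP from that same (user, client) until expiry.

    The cache key includes the client address a proxy would observe, so a second
    client behind the same mail server cannot ride on somebody else's OTP.
    """

    def __init__(self, secrets, ttl=TTL_SECONDS, look_ahead=10):
        self.secrets = secrets       # user -> (shared secret, next expected counter)
        self.ttl = ttl
        self.look_ahead = look_ahead  # how far past the stored counter to search
        self.sessions = {}           # (user, client_ip) -> (accepted otp, expiry time)

    def authenticate(self, user, client_ip, otp, now=None):
        now = time.time() if now is None else now
        key = (user, client_ip)
        entry = self.sessions.get(key)
        if entry is not None:
            cached_otp, expiry = entry
            if now < expiry and hmac.compare_digest(cached_otp, otp):
                return "cached"       # same client, same OTP, inside the window
            if now >= expiry:
                del self.sessions[key]  # window over: a fresh OTP is required again
        # No usable cache entry: require a fresh, not-yet-consumed HOTP value.
        secret, counter = self.secrets[user]
        for c in range(counter, counter + self.look_ahead):
            if hmac.compare_digest(hotp(secret, c), otp):
                self.secrets[user] = (secret, c + 1)  # consume it: no replay as a fresh OTP
                self.sessions[key] = (otp, now + self.ttl)
                return "validated"
        return "rejected"
```

Note that the cached path still compares the presented value against the one that was originally validated, so the window relaxes only the "one-time" property for that one client, not the need to know the OTP at all.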


#5

In this case you need an extra proxy for all your applications.