Tag Archives: Kerberos

FreeIPA Two Factor Authentication Test Day

Welcome testdayers! Today’s test day will feature FreeIPA’s new Kerberos OTP support.

FreeIPA’s OTP support is a new feature and we are not yet providing a comprehensive management UI. But with a little tweaking of LDAP via some provided helper scripts, we should be able to test upstream plumbing work that makes OTP possible on MIT krb5.

Please check out the test day page where you will find live CDs and instructions on how to test. In particular, we are actively looking for people to test OTP against your own third party 2FA services. This will help us establish a list of known good solutions and give us targets for improving our compatibility.

Whether you join us on IRC or via email, we look forward to hearing from you!


Announcing… webSSO

webSSO is a new cloud-centric, federated authentication system developed to solve the problems of deploying authentication across heterogeneous infrastructures. It is a thin policy layer on top of widely deployed and trusted protocols such as HTTPS and TLS client certificate authentication. It provides:

  • Single sign-on across local, Internet and cloud infrastructures
  • Globally unique identities via existing certificate authorities
  • Decentralized authentication
  • Credential delegation
  • Deployment on existing HTTPS stacks
  • Multi-protocol support (i.e. not restricted to HTTP)
  • Cryptographic trust validation of all parties

It is true, there are lots of authentication protocols available. Kerberos, for instance, is a widely deployed, mature protocol for local infrastructure. However, it has almost no Internet presence, mostly because identity providers are not willing to expose their Kerberos servers to the Internet. Kerberos also competes in the encryption space with SSL/TLS, the hands-down winner in the web-enabled world. Lastly, Kerberos has difficulty scaling in large, flat topologies.

Outside of the enterprise context, OpenID has a large presence on the Internet. As one of the first attempts at creating a federated identity system on the Internet, it has accomplished remarkable things. However, OpenID doesn’t do single sign-on. Nor does it validate all parties in the authentication transaction, leading to security problems such as phishing. When combined with OAuth, OpenID can perform credential delegation. But implementing these protocols is quite complex, leading to bugs that compromise security. OpenID is also tightly tied to the web-based world and has gained no traction outside this environment.

The true problem arises when the local infrastructure and Internet worlds meet. If you want to use your enterprise identity on the Internet or in a cloud service, you’re pretty much out of luck. The same is mostly true with using your Internet identity in the enterprise. Thus, webSSO came about as we began to envision a world where there was no division between local, Internet and cloud infrastructures.

For more information about webSSO, check out our website where you can find the Internet Draft, a full description of the protocol and my presentation for the Cloud Identity Summit. If you happen to be at the Summit, check out the New Technology Panel in the Cascade Ballroom at 12pm Mountain Time today or look me up!

Arrived at FUDCon Blacksburg

I arrived at FUDCon this evening at about 5pm after picking up tdfischer and codeblocker from the airport. We went out to dinner with Colin Walters and John Palmieri and a bunch of others. It was a lot of fun. It was also great to meet up with Dan Walsh again and to meet Dave Jones and Josh Boyer.

I’m looking forward to the workshop tomorrow on Fedora multi-factor authentication and I’ll be proposing BarCamp-style talks on my Kerberos OTP work and libql. If you’re on your way to Blacksburg, see you there!