Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

AE - Dir - Authorized Entities Directory by Michael Ströder

11 Aufrufe

Veröffentlicht am

This talk will present a real-world implementation of a privileged identity and access management system (IAM/PAM) based on OpenLDAP used together with OATH-LDAP for secure two-factor authentication. Æ-DIR and OATH-LDAP are both free software projects. The main goal of Æ-DIR is to follow the delegation, need-to-know and least-privilege principles as strictly as possible. The visibility of users, groups, sudoers, etc. is limited by OpenLDAP’s ACLs. All systems and services, no exception(!), have to individually authenticate to be authorized to access Æ-DIR. Especially the consequent delegation allows to almost completely abandon slow approval workflows which nicely fits the need for agile system management processes. Furthermore OATH-LDAP is presented, a two-factor authentication system, which directly uses the OpenLDAP server as a backend. It is built into Æ-DIR but can also be used separately. A highly secure enrollment process (no QR code displayed!) for two-factor HOTP authentication with yubikey tokens is shown. Finally the architecture of a SSH gateway is explained which uses the very same access control data to authorize SSH connections passing through the gateway.

Veröffentlicht in: Software
  • Als Erste(r) kommentieren

  • Gehören Sie zu den Ersten, denen das gefällt!

AE - Dir - Authorized Entities Directory by Michael Ströder

  1. 1. STROEDER.COM OSDC 2018-06-13- 1 - Æ-DIR - Authorized Entities Directory - The paranoid and agile IAM for DevOps - Open Source Datacenter Conference 2018
  2. 2. STROEDER.COM OSDC 2018-06-13- 2 - Michael Ströder <michael@stroeder.com>  Freelancer  Topics the last 20 years  Identity & Access Management, Directory Services (LDAP)  Single Sign-On, Multi-Factor Authentication  PKI (X.509, SSH), Applied Crypto  Open Source / Free Software: Æ-DIR, OATH-LDAP, web2ldap
  3. 3. STROEDER.COM OSDC 2018-06-13- 3 - Goals  Principles  Need-to-know  Least Privilege  Separation of Duties  Delegated administration of manageable small areas  Meaningful audit trails  Compliance checks
  4. 4. STROEDER.COM OSDC 2018-06-13- 4 - Paradigms  Explicit is better than implicit  Secure authorization requires secure authentication  Avoid all-mighty proxy roles and workflows  Do not assume hierarchical structure  A person is not an user account  Multiple user accounts per person  Persistent IDs (never re-used) for reliable audit trails
  5. 5. STROEDER.COM OSDC 2018-06-13- 5 - 2-tier architecture admin workstation Æ-DIR provider slapd mdb admin UI (web2ldap) password self service LDAPS, LDAPI LDAPI web browser Æ-DIR consumer slapd mdb LDAPS (syncrepl) custom tool LDAPS Unixoid server sudo-ldapsssd SSH client SSH HTTPS maintenance tools maintenance tools maintenance tools LDAPI DB server postgresql web server Apache httpd LDAPS pgadmin
  6. 6. STROEDER.COM OSDC 2018-06-13- 6 - Directory Information Tree (DIT) ou=ae-dir aeRoot cn=ae aeZone cn=example aeZone cn=example-zone-admins aeGroup cn=example-grp-1 aeGroup cn=example-zone-auditors aeGroup uid=foo1 aeUser cn=example-sudo aeSudoRule cn=example-srvgrp aeSrvGroup host=example-srv aeHost uid=system_example1 aeService cn=pub aeZone cn=ae-users aeGroup cn=sudo-defaults aeSudoRule cn=people aeZone departmentNumber=d42 aeDept uniqueIdentifier=p23 aePerson cn=eth0 aeNwDevice cn=bond0 aeNwDevice
  7. 7. STROEDER.COM OSDC 2018-06-13- 7 - Full EER diagram aeSrvGroup aeProxyFor aeGroup aeSetupGroups aeLogStoreGroups aeLoginGroups aeVisibleGroups aeDisplayNameGroups aeSudoRule aeVisibleSudoers aeMailGroup aeVisibleGroups aeDisplayNameGroups aeDept aeDept aeLocation aeLocation aeService member aeUser member sudoUser aeHost (child of) aeSrvGroup aeLocation pwdPolicy pwdPolicySubentry aeNwDevice (child of) aeNwDevice aePerson aeDept aeLocation aeZone aeZoneAdmins aeZoneAuditors aePasswordAdmins aeDept aeLocation (child of) aeSrvGroup memberOf aeHost memberOf pwdPolicySubentry memberOf aePerson aeAuthcTokenoathHOTPToken oathTOTPTokenmemberOf pwdPolicySubentry aePerson pwdPolicySubentry oathParamsoathHOTPParams aeContact memberOf aeDept member member member
  8. 8. STROEDER.COM OSDC 2018-06-13- 8 - EER for access control aeHost aeSrvGroupaeGroup aeSudoRule aeUser aePerson member sudoUser aeSetupGroups aeLogStoreGroups aeLoginGroups aeVisibleGroups aeDisplayNameGroups (child of) or aeSrvGroup aeVisibleSudoers aePerson aeService aeZone aeProxyFor aeZoneAdmins aeZoneAuditors aePasswordAdmins aeService aeNwDevice (child of)
  9. 9. STROEDER.COM OSDC 2018-06-13- 9 - Installation Æ-DIR server  ansible role installs replicas and all services  base configuration to be done separately  site-specific ansible variablen  Read the comments! ansible/roles/ae-dir-server/defaults/main.yml  Create site directory, see ansible/example/  If things went wrong ansible role corrects it
  10. 10. STROEDER.COM OSDC 2018-06-13- 10 - Defense in Depth  Secure defaults  Self-contained (zone ae)  Service separated, Unix domain sockets (Peer Credentials)  systemd-Options for hardening (mount points etc.)  Strict AppArmor profiles for all services (optional, targeted and only for SUSE and Debian)  2-faktor-authc: yubikey based on OATH-LDAP  Soon coming: Rule set for mod_security
  11. 11. STROEDER.COM OSDC 2018-06-13- 11 - Customer scenario #1  Æ-DIR is separate IAM for privileged admin accounts  15000 hosts  Person objects pulled from other LDAP server  Separate accounts for ops and dev people  Delegated administration of different stages  Two-factor authc with yubikey  SSH proxy
  12. 12. STROEDER.COM OSDC 2018-06-13- 12 - SSH proxy authz admin workstation Æ-DIR consumer slapd mdb ssh <legacy-uid>@<target> ProxyCommand looked up for <target> in local config SSH proxy sudo-ldap sssd LDAPS SSH <ae-dir-uid>@<gateway-host> ae_checkd sshd full shell for GW admins nss_sss pam_sss wrapper script (ForceCommand) nc <target>:22 Authz Check <ae-uid@target> SSH key query by ae-uid target system ssh TCP (SSH tunnel)
  13. 13. STROEDER.COM OSDC 2018-06-13- 13 - Customer scenario #2  Æ-DIR is the central IAM  HR data pulled from NetSuite  MacOS integration (synced pw change with File Vault)  “base accounts” get synced to AD/Exchange with pw  separate DevOps accounts synced to Azure without pw  Login to Azure portal via SAMLv2 IdP  two-factor authc with yubikey  Future: SAMLv2 login to Office 365
  14. 14. STROEDER.COM OSDC 2018-06-13- 14 - SOHO scenario  Eat you own dog food!  7 W, libvirt/KVM  postfix/dovecot  Apache  FreeRADIUS (WIFI)  see client-examples/  sshd & sssd or nslcd: roles/ae-dir-linux-client/ Image: thomas-krenn.com
  15. 15. STROEDER.COM OSDC 2018-06-13- 15 - 2-tier architecture with OATH-LDAP OpenLDAP provider OpenLDAP consumer slapd mdb syncrepl (LDAPS) LDAPS web browser LDAP client bind proxy LDAPI back-sock as overlay IPC slapd mdb OTP validator LDAPI back-sock as overlay IPC forward password/OTP bind (LDAPS) LDAPS enrollment web appHTTPS LDAPI enrollment client
  16. 16. STROEDER.COM OSDC 2018-06-13- 17 - Conclusion  Security by design is possible  Yes, it’s painful sometimes  Admins need help in the beginning  Backing of management helps (budget!)  Don’t break former security promises later! → think twice or more before changing something
  17. 17. STROEDER.COM OSDC 2018-06-13- 18 - Links  Docs: https://ae-dir.com  Play with it! https://ae-dir.com/demo.html  OATH-LDAP: https://oath-ldap.stroeder.com
  18. 18. STROEDER.COM OSDC 2018-06-13- 19 - :-/ ? … !
  19. 19. STROEDER.COM OSDC 2018-06-13- 20 - Work in progress: aehostd  Simple custom host demon knows schema  Even less client configuration  Optimized search for users and groups (safe CPU cycles)  Virtual groups (primary GID, role groups)  LDAP session tracking control f. better logging  hosts map  sudoers files via cvtsudoers (sudo 1.8.23+)  less code, less dependencies, mainly stripped pynslcd(8)