Is it possible to configure jenkins to use a hardware key for sign in? - security

I have a USB YubiKey which I use for SSH and to log in on some websites.
Can I configure my Jenkins server to allow for and force sign-in using a YubiKey too? I feel like that would be much more secure than a password.

We have implemented https://saaspass.com/.
It uses a SAML plugin in Jenkins, and then we use our mobile phones as a hardware key; but if you have a YubiKey with NFC / USB-C that is mobile compatible, you could use that in addition, so it becomes MFA.
We disabled the SMS version, but SAASPASS does allow you to configure which authentication options you want enabled.
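As an added example (not from the answer above, and not a configuration published by SAASPASS or the Jenkins project), here is how that arrangement is expressed with the Jenkins Configuration-as-Code plugin: the saml plugin becomes the only security realm, so every login is delegated to the IdP, where the second factor (phone or YubiKey) is enforced, and Jenkins' own user database is no longer a way in. The metadata URL, attribute names and lifetimes are hypothetical placeholders; the key names are the ones the saml plugin's JCasC export produced in the versions I have used, so confirm them against your own instance's export before applying.

```yaml
jenkins:
  # "Who is this user" is decided entirely by the SAML IdP; there is
  # deliberately no local security realm left to fall back to.
  securityRealm:
    saml:
      idpMetadataConfiguration:
        url: "https://idp.example.com/saml/metadata"   # hypothetical IdP metadata URL
        period: 60                                     # re-fetch IdP metadata every 60 minutes
      usernameAttributeName: "username"                # hypothetical assertion attribute names
      emailAttributeName: "email"
      displayNameAttributeName: "displayName"
      groupsAttributeName: "groups"
      usernameCaseConversion: "lowercase"
      maximumAuthenticationLifetime: 86400             # seconds an IdP authentication may be reused
      binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      advancedConfiguration:
        # Ask the IdP to re-authenticate (second factor included) instead of
        # silently reusing an existing IdP session.
        forceAuthn: true
        maximumSessionLifetime: 28800                  # Jenkins session lifetime, seconds
  # With identity coming from the IdP, make authorization explicit as well:
  # nothing is readable without a completed IdP login.
  authorizationStrategy:
    loggedInUsersCanDoAnything:
      allowAnonymousRead: false
  disableRememberMe: true   # no long-lived cookie that outlives the IdP check
```

The check worth doing after applying this is to log out and confirm that `/login` redirects straight to the IdP and that the old local accounts can no longer sign in; if a password login form is still reachable, the YubiKey requirement is only decorative.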

Related

Creating ICP identity anchor with Yubikey

Can anyone tell me how my YubiKey 5 NFC should be configured so that I can use it to set up an Internet Identity anchor on Internet Identity (https://identity.ic0.app)?
I downloaded the YubiKey software and configured it to be used with the OTP, FIDO2 and PIV applications, but the ICP login page will not read my YubiKey and allow me to create an identity anchor.
Do I need to set up my YubiKey using the SDK desktop download, or do I need an entirely different key?

Is password-less authentication to Windows possible?

Is a password-less Linux to Windows pywinrm connection possible?
Something similar to ssh-copy-id in Linux to Linux.
While I haven't done this myself, as far as I can tell, this should be possible if the Windows machine you are attempting to access is on a domain.
I HAVE set up smartcard/certificate authentication on domains before. If you add your public key to your account in AD, you can authenticate to your domain account using a smartcard or PKI cert.
https://technet.microsoft.com/en-us/library/cc754866(v=ws.11).aspx
I have also used kinit (which is what pywinrm uses for Kerberos/domain authentication) to authenticate to Windows servers using domain credentials. Although I did not use a certificate/smartcard to authenticate, from what I have read, I believe kinit (PKINIT) will support smart cards and possibly plain old certificate files.
https://k5wiki.kerberos.org/wiki/Pkinit_configuration#Client_identity_on_the_command_line
http://honk.sigxcpu.org/con/PKINIT__Kerberos_v5_with_Smart_Cards.html
Before you can authenticate with kinit, you would need to set up your domains and realms. This blog post is about setting up Ansible to administer Windows machines but, since Ansible uses PyWinrm to authenticate, there is a pretty good walkthrough for setting up kinit for domain authentication (and therefore he talks about how to set up your realms, etc.).
https://aseemkblog.wordpress.com/2016/06/01/configuring-ansible-to-manage-windows-system-over-powershell/
If you ever get this working, let me know. Would definitely be interested to see if someone gets this working. Just getting kinit auth working with Windows domain authentication is a bit of a maze but, once that part is done, you're about 75% of the way there.
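The client-side pieces that answer describes, as an added example that is not part of the original post: a krb5.conf for one Active Directory realm with the PKINIT settings filled in, a kinit that takes the TGT from a smart card instead of a password, and a pywinrm call that rides on the resulting ticket. The realm CORP.EXAMPLE.COM, host names, CA file and PKCS#11 module path are hypothetical; substitute your own.

```shell
#!/bin/sh
# Added example; realm, hosts and paths below are placeholders.

# Emit a minimal krb5.conf for one AD realm.
#   $1 = Kerberos realm (upper case)   $2 = domain controller / KDC host
#   $3 = DNS domain (lower case)
krb5_conf() {
    realm=$1; kdc=$2; domain=$3
    cat <<EOF
[libdefaults]
    default_realm = ${realm}
    dns_lookup_kdc = true
    # AES only: do not accept RC4/DES tickets from the DC
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    ${realm} = {
        kdc = ${kdc}
        admin_server = ${kdc}
        # PKINIT: the CA chain that issued the DC's KDC certificate (hypothetical path)
        pkinit_anchors = FILE:/etc/krb5/ad-ca.pem
        # AD KDC certificates often carry only the Server Authentication EKU
        pkinit_eku_checking = kpServerAuth
        pkinit_kdc_hostname = ${kdc}
    }

[domain_realm]
    .${domain} = ${realm}
    ${domain} = ${realm}
EOF
}

# Obtain a TGT with the smart card (PKINIT) instead of a password.
# Needs the krb5 PKINIT plugin (krb5-pkinit on Debian/Ubuntu) and OpenSC;
# the default module path is the Debian one, adjust for your distribution.
pkinit_login() {
    principal=$1    # e.g. alice@CORP.EXAMPLE.COM
    module=${2:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}
    kinit -X X509_user_identity="PKCS11:${module}" "${principal}" && klist
}

# Run one command over WinRM with that ticket. pywinrm's kerberos transport
# (pip install 'pywinrm[kerberos]') takes the ticket from the credential cache,
# so the auth tuple is empty and no password exists anywhere in the flow.
winrm_run() {
    host=$1; cmd=$2
    python3 - "$host" "$cmd" <<'PY'
import sys, winrm
host, cmd = sys.argv[1], sys.argv[2]
# HTTPS listener on 5986: the Kerberos session is also transport-encrypted
s = winrm.Session("https://%s:5986/wsman" % host, auth=(None, None), transport="kerberos")
r = s.run_cmd(cmd)
sys.stdout.write(r.std_out.decode())
sys.exit(r.status_code)
PY
}

# Usage, in order:
#   krb5_conf CORP.EXAMPLE.COM dc1.corp.example.com corp.example.com | sudo tee /etc/krb5.conf
#   pkinit_login alice@CORP.EXAMPLE.COM
#   winrm_run winsrv01.corp.example.com whoami
krb5_conf CORP.EXAMPLE.COM dc1.corp.example.com corp.example.com
```

Two checks save most of the time in the "maze" the answer mentions: `klist` must show a ticket whose principal is the AD account mapped to the card's certificate, and `KRB5_TRACE=/dev/stderr kinit ...` prints why PKINIT rejected the KDC certificate (usually the EKU or hostname settings above) when it falls back to asking for a password.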
Yes, it is possible!
There is a Windows version of ssh-copy-id I found on GitHub:
https://github.com/zhengyi-yang/ssh-copy-id/tree/master/dist
Make sure you have your public key generated already.

Enabling/disabling two-factor authentication in runtime

We have OpenAM set up with two-factor authentication using a one-time SMS code, which worked fine up till now. Unfortunately the requirements from the client's side have changed, and we would like to be able to disable/enable two-factor authentication (SMS/no-SMS) at runtime by a parameter set/unset in another system (through the OpenAM API).
Is there a way to do this?
OpenAM offers the Service Management API (which is also used by 'ssoadm'), which you can use to change the authentication chain etc. Not sure if this is what you are looking for.

Protocol (algorithm) for safely authorizing payments via mobile app

I'm looking for the most secure algorithm/protocol to safely authorize actions done via a mobile app.
Let's say I'm developing a system that requires user authorisation of certain actions. You can think of it as a "banking platform". Let's say there are two ways of accessing the platform: web via a normal browser, and mobile via an app on a smartphone.
One-time tokens and SMS codes are good for the web frontend, when it's separated from the device generating tokens / receiving the SMS. But how can I assure security on the mobile that's almost certainly used to receive the SMS or generate the tokens? More secure would be to ask for a password. How can I patch this obvious security hole?
You're probably interested in the PCI guidelines for mobile payment. Read this:
https://www.pcisecuritystandards.org/documents/Mobile%20Payment%20Security%20Guidelines%20v1%200.pdf

Authentication, Authorization and Accounting?

If RADIUS is an authentication protocol, why use Kerberos, PAP, CHAP, ...?
The Remote Authentication Dial-In User Service (RADIUS) protocol provides authentication, authorization, and accounting (AAA) for dial-in infrastructures, and it uses the same account and password to log into your company network through a modem, WiFi, or a VPN tunnel. RADIUS has many carrier-grade features (the whole accounting part, for example) and is designed to operate in explicitly configured backbone networks.
But it is not well suited for PC and workstation networks and doesn't have the single-sign-on capability offered by Kerberos.
On the other hand, Kerberos provides an encrypted authentication service using shared secret keys. Kerberos can also support authentication via public key cryptography, but this is not covered by RFC 4120. Kerberos does not provide an authorization service, but Kerberos does support pass-through to other authorization services. Kerberos does not provide an accounting service.
For more information about PAP and CHAP, refer to the following URL:
http://www.zeroshell.net/eng/kerberos/
You can also refer to this URL:
http://www.firewall.cx/ftopict-2679-.html
RADIUS (Remote Authentication Dial In User Service), defined in RFC 2865, is a protocol for remote user authentication and accounting.
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
Suppose you have a Vodafone or Orange telecom operator's connection at your home for internet connectivity. So, you will need a particular user ID and password to access that.
Here the RADIUS protocol is used.
Technically, if you look at the network capture file (.pcap file) that the Wireshark tool uses, you will see that it contains Attribute Value Pairs that contain user name and password fields.
RADIUS uses a CHAP password, so it is more secure in terms of man-in-the-middle attacks.
I hope you got my point.
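The attribute-value pairs the two answers above describe, as an added example that is not part of either answer: a small RFC 2865 encoder/parser that builds an Access-Request and then shows what the two password attributes actually protect. User-Password (PAP) is only XOR-masked with an MD5 stream derived from the shared secret and the Request Authenticator, so the server, or anyone who learns the shared secret from a capture of both sides, recovers the cleartext; CHAP-Password is a challenge response, which is the property the second answer is pointing at, at the price that the server must hold the cleartext password to verify it. The shared secret, user name and passwords are constructed test data.

```python
"""Added example (not from the thread): build and parse RADIUS Access-Requests
(RFC 2865) and compare the PAP User-Password hiding with the CHAP response.
Shared secret, user name and passwords are constructed test data."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60


def encode_avps(avps):
    """Type(1) Length(1, includes the 2-byte header) Value(<= 253 bytes)."""
    out = b""
    for attr_type, value in avps:
        if len(value) > 253:
            raise ValueError("AVP value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def parse_avps(data):
    """Walk the AVP list defensively: a bad Length must not run off the buffer."""
    avps, i = [], 0
    while i < len(data):
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed AVP")
        length = data[i + 1]
        avps.append((data[i], data[i + 2:i + length]))
        i += length
    return avps


def hide_user_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple, then
    c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_{i-1})."""
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_user_password(hidden, secret, authenticator):
    """The inverse: whoever holds the shared secret and the packet gets the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(prev, mask))
    return out.rstrip(b"\0")


def chap_response(ident, password, challenge):
    """RFC 2865 5.3 / RFC 1994: CHAP-Password = Ident || MD5(Ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_access_request(identifier, authenticator, avps):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    body = encode_avps(avps)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    """Return (code, identifier, authenticator, avps); reject inconsistent lengths."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS Length field")
    return code, identifier, pkt[4:20], parse_avps(pkt[20:length])


def pap_credentials(pkt, secret):
    """Server side of PAP: recover the cleartext password from the request."""
    _, _, authenticator, avps = parse_packet(pkt)
    attrs = dict(avps)
    return attrs[USER_NAME], reveal_user_password(attrs[USER_PASSWORD], secret, authenticator)


def chap_verify(pkt, stored_password):
    """Server side of CHAP: recompute the response from the stored cleartext password.
    If CHAP-Challenge is absent, RFC 2865 makes the Request Authenticator the challenge."""
    _, _, authenticator, avps = parse_packet(pkt)
    attrs = dict(avps)
    response = attrs[CHAP_PASSWORD]
    challenge = attrs.get(CHAP_CHALLENGE, authenticator)
    return response == chap_response(response[0], stored_password, challenge)


SECRET = b"constructed-shared-secret"  # constructed NAS <-> server shared secret


def demo(password=b"hunter2"):
    """One PAP and one CHAP Access-Request for 'alice'; returns what the server learns."""
    ra = os.urandom(16)  # Request Authenticator, fresh per request
    pap = build_access_request(7, ra, [(USER_NAME, b"alice"),
                                       (USER_PASSWORD, hide_user_password(password, SECRET, ra))])
    challenge = os.urandom(16)
    chap = build_access_request(8, ra, [(USER_NAME, b"alice"), (CHAP_CHALLENGE, challenge),
                                        (CHAP_PASSWORD, chap_response(0x2A, password, challenge))])
    return pap_credentials(pap, SECRET), chap_verify(chap, password), chap_verify(chap, b"wrong")


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `((b'alice', b'hunter2'), True, False)`: the PAP request hands the server the password itself, the CHAP request only lets it confirm a guess. Neither hides the user name, and nothing in RFC 2865 authenticates the Access-Request as a whole, which is why RADIUS traffic between NAS and server is normally wrapped in IPsec or RadSec (TLS) rather than trusted on its own.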
