January 30th, 2016 FOSDEM’16
Enterprise desktop at home with FreeIPA and GNOME
Alexander Bokovoy ([email protected])
Enterprise desktop at home with FreeIPA and GNOME 2
Enterprise?
* almost
local office network is not managed by a company’s IT department
company services’ hosting is cloudy
there is no one cloud to rule them all
I have a FEW identities:
▶ A corporate identity for services sign-on
▶ Home-bound identity to access local resources
▶ Cloud-based (social networking) identities
▶ Free Software hats to wear
▶ Certificates and smart cards to present myself legally
▶ Private data to protect and share
I want them to be usable at the same time
I work on FreeIPA, https://www.freeipa.org
Management of identities and policies:
▶ stored centrally
▶ applied locally
And it is available in:
▶ Fedora
▶ Red Hat Enterprise Linux / CentOS
▶ GNU/Linux Debian and Ubuntu
▶ https://account.gnome.org/ runs FreeIPA since October 2014
How enterprisey are we?
Let’s score by a password
A typical workflow for every laptop reboot
1. Sign into a local system account (enter a password)
2. Jump onto the virtual private network (enter a password or more)
3. Obtain initial Kerberos credentials (enter a password)
4. Use corporate applications (enter a password?)
Can we do better than this?
How far are we from:
▶ Sign into a corporate environment
▶ Use corporate applications
?
Let’s try to login!
Demo of interactive logon
What was that?
▶ The system is configured to be a client for FreeIPA
▶ SSSD handles login and Kerberos keys
▶ Login to the system is verified over a public network using a proxy for the Kerberos protocol
▶ Established VPN connection based on a Kerberos ticket
▶ Credentials were entered only once
Kerberos proxy
Available on the client side with Microsoft Active Directory and MIT Kerberos 1.13
▶ protocol is called MS-KKDCP
▶ transparent for Kerberos library users
Kerberos proxy is implemented by FreeIPA 4.2, OpenConnect Server 7.05, and as a standalone server
▶ Requires an HTTPS connection, set up by default in FreeIPA 4.2, very easy to use (one line change on the client)
▶ Allows obtaining tickets from anywhere
▶ SSSD 1.12+
▶ GNOME project has enabled KDC proxy support in https://account.gnome.org to allow use of Kerberos credentials for SSH accounts for GNOME developers
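The MS-KKDCP wrapper named above, as an added example that is not code from the slides, FreeIPA or MIT Kerberos: a small DER encoder and validating decoder for KDC-PROXY-MESSAGE in Python, including the TCP-style length-prefix check a proxy should apply before forwarding anything to a real KDC. The krb5.conf host name in the docstring and the AS-REQ bytes are constructed placeholders.

```python
"""Minimal DER encoder/decoder for the MS-KKDCP wrapper (added example, not
code from the slides, FreeIPA or MIT Kerberos).

KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message   [0] OCTET STRING,            -- Kerberos message, TCP-framed
    target-domain  [1] KerberosString OPTIONAL, -- realm the request is for
    dclocator-hint [2] INTEGER OPTIONAL
}
The wrapper is the body of an HTTPS POST (FreeIPA serves it at /KdcProxy), so the
transport is invisible to Kerberos library users: with MIT Kerberos 1.13+ the only
client-side change is the KDC address in krb5.conf, for example
    kdc = https://ipa.example.test/KdcProxy      (host name is a placeholder)
"""
import struct
from typing import Optional


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def encode_kdc_proxy_message(kerb_message: bytes,
                             target_domain: Optional[str] = None,
                             dclocator_hint: Optional[int] = None) -> bytes:
    """Wrap a raw Kerberos message (e.g. an AS-REQ) the way a KKDCP client does."""
    framed = struct.pack(">I", len(kerb_message)) + kerb_message  # 4-byte TCP length prefix
    fields = _tlv(0xA0, _tlv(0x04, framed))                        # [0] OCTET STRING
    if target_domain is not None:                                  # [1] GeneralString
        fields += _tlv(0xA1, _tlv(0x1B, target_domain.encode("ascii")))
    if dclocator_hint is not None:                                 # [2] INTEGER (non-negative)
        if dclocator_hint < 0:
            raise ValueError("dclocator-hint must be non-negative")
        body = dclocator_hint.to_bytes(dclocator_hint.bit_length() // 8 + 1, "big")
        fields += _tlv(0xA2, _tlv(0x02, body))
    return _tlv(0x30, fields)                                       # SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos); reject truncated or indefinite lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + length], pos + length


def decode_kdc_proxy_message(data: bytes) -> dict:
    """Parse a KDC-PROXY-MESSAGE; a proxy should reject anything malformed
    before forwarding the inner message to a real KDC."""
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single SEQUENCE")
    out = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos, last_ctx = 0, -1
    while pos < len(seq):
        tag, inner, pos = _read_tlv(seq, pos)
        ctx = tag & 0x1F
        if (tag & 0xE0) != 0xA0 or ctx <= last_ctx:  # context-specific, strictly ascending
            raise ValueError("unexpected or repeated field")
        last_ctx = ctx
        itag, content, iend = _read_tlv(inner, 0)
        if iend != len(inner):
            raise ValueError("trailing bytes inside field")
        if ctx == 0 and itag == 0x04:
            if len(content) < 4 or struct.unpack(">I", content[:4])[0] != len(content) - 4:
                raise ValueError("TCP length prefix does not match payload")
            out["kerb_message"] = content[4:]
        elif ctx == 1 and itag == 0x1B:
            out["target_domain"] = content.decode("ascii")
        elif ctx == 2 and itag == 0x02:
            out["dclocator_hint"] = int.from_bytes(content, "big", signed=True)
        else:
            raise ValueError("unknown field tag %#x/%#x" % (tag, itag))
    if out["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return out


def is_well_formed(data: bytes) -> bool:
    """True when decode_kdc_proxy_message() accepts the bytes."""
    try:
        decode_kdc_proxy_message(data)
        return True
    except ValueError:
        return False


# Constructed stand-in for an AS-REQ body; a real client puts the DER AS-REQ here.
SAMPLE_KERB_MESSAGE = b"<constructed AS-REQ placeholder>"
```

Everything after the wrapper is ordinary HTTPS, which is why the proxy needs a trusted certificate on the client and nothing else.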
VPN and Kerberos
OpenConnect client supports GSSAPI negotiation
▶ Fedora 22+ works out of the box
OpenVPN does not support GSSAPI negotiation
▶ to do since 2005
Could we enforce stronger authentication at a VPN edge?
▶ yes, we are able to do so with Kerberos 1.14
▶ no practical implementation in FreeIPA yet
Two-factor authentication
FreeIPA 4.x supports 2FA natively
▶ Yubikey, FreeOTP client for Android and iOS, any HOTP/TOTP compatible software and hardware
▶ Two-factor authentication is enforced on the Kerberos level
▶ Performs pre-authentication before issuing a ticket
▶ Authentication Indicators are in Kerberos 1.14
▶ Pre-authentication modules can say how tickets were issued
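The HOTP/TOTP arithmetic behind the tokens listed above, as an added example that is not FreeIPA's or FreeOTP's code: generation per RFC 4226/6238 plus the two verification rules any OTP-checking back end needs, a replay-proof HOTP counter and a bounded TOTP skew window. The demo secret is the RFC test-vector key, not a value from the slides.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as produced by FreeOTP, Yubikey OATH
slots and other compatible tokens (added example, not FreeIPA's or FreeOTP's
code). The verify_* functions show the server side: never accept a counter
that was already used, and bound how far a clock may drift."""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HMAC over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1", t0: int = 0) -> str:
    """TOTP is HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, (unix_time - t0) // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6, algo: str = "sha1") -> bool:
    """Accept the current step and up to `window` steps either side (clock skew).
    Constant-time comparison and no early exit avoid timing leaks."""
    ok = False
    for offset in range(-window, window + 1):
        candidate = totp(secret, unix_time + offset * step, step, digits, algo)
        ok |= hmac.compare_digest(candidate, code)
    return ok


def verify_hotp(secret: bytes, code: str, next_counter: int, look_ahead: int = 10,
                digits: int = 6, algo: str = "sha1") -> Optional[int]:
    """next_counter is the lowest counter the server still accepts (last used + 1).
    Returns the new value to persist, or None. Anything below next_counter is
    never tried, so a captured OTP cannot be replayed; the look-ahead tolerates
    token presses the server never saw (the hardware-token case)."""
    for counter in range(next_counter, next_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, counter, digits, algo), code):
            return counter + 1
    return None


# Constructed demo secret; it is also the RFC 4226 / RFC 6238 test-vector key.
DEMO_SECRET = b"12345678901234567890"
```

The pre-authentication exchange the slide describes carries the resulting code to the KDC; the KDC side then applies exactly these acceptance rules before any ticket is issued.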
Figure 1: FreeOTP client for Android and iOS
Demo of interactive logon with 2FA
Let’s create a token for a user and logon with 2FA via Yubikey
What was that?
1. A one-time password token was programmed into the Yubikey and added for the user in FreeIPA
2. SSSD handles login and notices OTP pre-authentication support in the Kerberos conversation
3. Login to the system is verified over a public network using a proxy for the Kerberos protocol
4. A Kerberos ticket is obtained; the first factor is provided by SSSD to GDM for unlocking GNOME passwords and keys storage (Seahorse)
5. Credentials were entered only once
If Kerberos credentials are available, what can we do with them?
▶ Authenticate with GSSAPI against almost anything
▶ Obtain a SAML assertion for other web services (and more)
▶ Use them to access network file systems
▶ Display properties of the available tickets
▶ Renew the ticket granting ticket (TGT)
▶ Choose which Kerberos principal is in use
Authenticate with GSSAPI
Epiphany, the GNOME Web Browser, in GNOME 18:
▶ GSSAPI support is no more, depends on libsoup support
▶ libsoup has been dragging since 2009, bug #587145
▶ WebkitGtk is unusable for SAML/OAuth2 interactions involving Kerberos
▶ One cannot use Google apps with GSSAPI in GNOME Online Accounts
▶ No single sign-on with GSSAPI from GNOME applications using WebkitGtk to authenticate
Can we do better than this?
What was that?
Tomáš Popela (Red Hat) and David Woodhouse (Intel) worked to fix libsoup and WebkitGtk
This laptop is running an experimental build of them
We logged into my FreeIPA server’s Web UI
Hopefully, the code will be in the next GNOME release
What does GSSAPI support open for use in GNOME Online Accounts?
▶ Single sign-on is the primary feature
▶ Automated credentials renewal
▶ Automated token/assertion renewal for SAML/OpenID
▶ No need to store passwords locally (secure kiosks?)
Visualize
GNOME Online Accounts could show Kerberos ticket properties
▶ Ticket time validity and flags (forwardable, renewable)
▶ Authentication indicators
▶ Existing service tickets in the credentials cache, and allow removing them selectively
▶ Allow automatic ticket renewal if the KDC permits it
Visualize
And choose between different Kerberos principals
▶ MIT Kerberos supports kernel keyring (1.12+) and directory-based (1.11+) storage of credentials
▶ Multiple Kerberos principals can be stored and used at the same time
▶ Only a single principal can be defined as “primary” for each Kerberos realm in the collection of credentials
Kerberos ticket renewal
▶ SSSD supports automatic Kerberos ticket renewal for single-factor cases
▶ Renewing 2FA tickets requires UI interaction, triggered by the expiry time
▶ Automatic ticket renewal requires permission from the KDC, visible as a ticket flag (the ticket must carry the renewable flag, and renewal has to happen before the ticket expires)
▶ GNOME Online Accounts could integrate with SSSD in prompting for credentials (multiple factors) in the 2FA case; the needed information could be provided via the SSSD InfoPipe/AuthPipe
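The ticket properties the last three slides want a desktop to show, and the renew-or-prompt decision, can all be read from klist output. The Python below is an added example written for this page; it is not code from the talk, GNOME Online Accounts, SSSD or MIT Kerberos. The klist text it parses is constructed (two caches in one KEYRING collection, principals alice@HOME.TEST and alice@CORP.TEST); the flag letters and the "renew until ..., Flags:" layout follow MIT klist -A -f, and the cache-selection rule is a simplified model of what MIT GSSAPI does with a collection that assumes the primary cache is listed first. On a real desktop, klist -l lists the collection and kswitch -p PRINCIPAL changes the primary.

```python
"""Inspect a Kerberos credential-cache collection the way a desktop agent would."""
import re
from datetime import datetime, timedelta

# Constructed sample shaped like `klist -A -f` (MIT Kerberos) for a collection
# with two principals. The first TGT is renewable (R flag); the second is not,
# because the KDC did not grant renewal.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1000:krb_ccache_home
Default principal: alice@HOME.TEST

Valid starting       Expires              Service principal
01/30/2016 10:00:00  01/30/2016 20:00:00  krbtgt/HOME.TEST@HOME.TEST
\trenew until 02/06/2016 10:00:00, Flags: FRIA
01/30/2016 10:05:12  01/30/2016 20:00:00  HTTP/owncloud.home.test@HOME.TEST
\tFlags: FAT

Ticket cache: KEYRING:persistent:1000:krb_ccache_work
Default principal: alice@CORP.TEST

Valid starting       Expires              Service principal
01/30/2016 09:30:00  01/30/2016 17:30:00  krbtgt/CORP.TEST@CORP.TEST
\tFlags: FIA
"""

TIMESTAMP = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+)$" % (TIMESTAMP, TIMESTAMP))
FLAGS_RE = re.compile(r"^\s*(?:renew until (%s),\s*)?Flags: (\S+)" % TIMESTAMP)
FLAG_NAMES = {"F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",  # klist -f letters
              "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
              "i": "invalid", "H": "hw-authenticated", "A": "pre-authenticated",
              "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous"}

def parse_time(text):
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):   # newer and older klist year formats
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: %r" % text)

def parse_klist(text):
    """List of caches {name, principal, tickets:[{service, start, expires, renew_until, flags}]}."""
    caches, cache, ticket = [], None, None
    for line in text.splitlines():
        if line.startswith("Ticket cache: "):
            cache = {"name": line[14:], "principal": None, "tickets": []}
            caches.append(cache)
        elif line.startswith("Default principal: "):
            cache["principal"] = line[19:]
        elif TICKET_RE.match(line):
            m = TICKET_RE.match(line)
            ticket = {"service": m.group(3), "start": parse_time(m.group(1)),
                      "expires": parse_time(m.group(2)), "renew_until": None, "flags": ""}
            cache["tickets"].append(ticket)
        elif FLAGS_RE.match(line) and ticket is not None:
            m = FLAGS_RE.match(line)
            ticket["renew_until"] = parse_time(m.group(1)) if m.group(1) else None
            ticket["flags"] = m.group(2)
    return caches

def realm(principal):
    return principal.rsplit("@", 1)[1]

def tgt(cache):
    """The cache's own ticket-granting ticket, or None."""
    r = realm(cache["principal"])
    return next((t for t in cache["tickets"] if t["service"] == "krbtgt/%s@%s" % (r, r)), None)

def service_tickets(cache):
    """Service tickets already in the cache: what a UI could list and let the user drop one by one."""
    return [t["service"] for t in cache["tickets"] if not t["service"].startswith("krbtgt/")]

def flag_names(ticket):
    return [FLAG_NAMES.get(ch, ch) for ch in ticket["flags"]]

def next_action(cache, now, lead=timedelta(minutes=30)):
    """'ok': TGT valid and not within `lead` of expiry.
    'renew': close to expiry but the KDC set the R flag, so kinit -R (or SSSD's
    renewal) extends it without user input. 'prompt': expired, not renewable,
    or past renew-until; only a fresh initial authentication helps, which for
    a 2FA principal means asking the user for the second factor."""
    t = tgt(cache)
    if t is None or now >= t["expires"]:        # an expired ticket cannot be renewed
        return "prompt"
    if now < t["expires"] - lead:
        return "ok"
    if "R" in t["flags"] and t["renew_until"] is not None and now < t["renew_until"]:
        return "renew"
    return "prompt"

def select_cache(caches, target_principal):
    """Simplified model of MIT GSSAPI's pick from a collection: a cache whose
    client is in the target service's realm, else the primary (assumed first)."""
    want = realm(target_principal)
    return next((c for c in caches if realm(c["principal"]) == want), caches[0] if caches else None)

if __name__ == "__main__":
    now = parse_time("01/30/2016 19:45:00")          # constructed "current time"
    for cache in parse_klist(SAMPLE_KLIST):
        print(cache["principal"], flag_names(tgt(cache)), "->", next_action(cache, now),
              "; service tickets:", service_tickets(cache))
```

The second cache shows the case the renewal slide describes: its TGT has no R flag, so when it nears expiry nothing automatic can be done and the only honest answer is to prompt, which for a 2FA principal means an OTP dialog before 17:30 rather than a silent failure afterwards.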
Better Kerberos in browsers
▶ Firefox Kerberos setup isn’t nice
▶ needs about:config manipulation (network.negotiate-auth.trusted-uris)
▶ DNS domains associated with a Kerberos realm could be discovered via DNS SRV records, with the user prompted for confirmation once
▶ FreeIPA used to provide an extension to automate Firefox setup
▶ The extension was generated locally for each FreeIPA deployment to provide the configuration details
▶ not anymore: since version 43 Firefox requires extensions to be signed by Mozilla, which a locally generated extension is not
Better Kerberos in browsers
▶ Chromium/Chrome
▶ has bugs in processing WWW-Authenticate: Negotiate when Kerberos credentials are not available
▶ on Linux, Kerberos use can only be configured through command-line flags (--auth-server-whitelist); poor user experience
▶ A fixed libsoup/WebKitGTK always uses GSSAPI if the server advertises WWW-Authenticate: Negotiate over HTTPS
▶ no need to configure anything in Epiphany
▶ could be further confined with a user confirmation, similar to how passwords are managed on first use
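Both browser slides come down to one decision: when a server answers WWW-Authenticate: Negotiate, should the client spend a Kerberos ticket on it? The Python below is an added example for this page, not code from the talk, Firefox, Chromium or libsoup. It models a trust list with the shape of Firefox's network.negotiate-auth.trusted-uris (the matching rule is my own conservative version, not Firefox's exact code), the HTTPS-only rule the slide attributes to fixed libsoup/WebKitGTK, the fall-through when no credentials exist (the Chromium bug), and it generates a Firefox autoconfig pair (defaults/pref/autoconfig.js plus mozilla.cfg) as one way to do the per-deployment job the retired FreeIPA extension used to do. Hosts, headers and the .home.test domain are constructed.

```python
"""Should a browser answer a Negotiate challenge with a Kerberos ticket?"""
import re
from urllib.parse import urlsplit

# splits on commas that are outside quoted-strings (RFC 7235 challenge lists)
_CHALLENGE_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_www_authenticate(values):
    """Auth schemes offered across one or more WWW-Authenticate values,
    e.g. ['Negotiate', 'Basic'] for 'Negotiate, Basic realm="Intranet, internal"'."""
    schemes = []
    for value in values:
        for piece in _CHALLENGE_SPLIT.split(value):
            piece = piece.strip()
            if not piece:
                continue
            first = piece.split(None, 1)[0]
            if "=" in first:            # 'qop="auth"' is a parameter, not a new challenge
                continue
            schemes.append(first)
    return schemes

def _host_matches(host, pattern):
    # label-boundary suffix match: "evilhome.test" must not match "home.test"
    pattern = pattern.lower().lstrip(".")
    return host == pattern or host.endswith("." + pattern)

def host_trusted(scheme, host, trusted_uris):
    """trusted_uris is a comma-separated list of domains (".home.test",
    "home.test") and URL prefixes ("https://owncloud.home.test")."""
    for entry in (e.strip() for e in trusted_uris.split(",")):
        if not entry:
            continue
        if "://" in entry:
            parts = urlsplit(entry)
            if parts.scheme.lower() != scheme:
                continue
            if not parts.hostname:      # "https://" alone trusts every HTTPS host
                return True
            if _host_matches(host, parts.hostname):
                return True
        elif _host_matches(host, entry):
            return True
    return False

def audit_trusted_uris(trusted_uris):
    """Entries that would hand a ticket to any host at all; catch them in
    review before they reach a deployed config."""
    bad = []
    for entry in (e.strip() for e in trusted_uris.split(",")):
        if entry == ".":
            bad.append(entry)
        elif "://" in entry and not urlsplit(entry).hostname:
            bad.append(entry)
    return bad

def should_send_negotiate(url, www_authenticate, trusted_uris=None, have_creds=True):
    """Decision for one response. trusted_uris=None is the libsoup rule from the
    slide: any HTTPS origin that asks, no per-site list."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if "Negotiate" not in parse_www_authenticate(www_authenticate):
        return "skip: no Negotiate challenge"
    if scheme != "https":
        return "skip: Negotiate only over HTTPS"
    if trusted_uris is not None and not host_trusted(scheme, host, trusted_uris):
        return "skip: host not in trusted list"
    if not have_creds:
        # no TGT in the ccache: move on to the next scheme instead of failing the request
        return "skip: no Kerberos credentials, fall through to next scheme"
    return "send"

def firefox_autoconfig(trusted_uris, delegation_uris=""):
    """(defaults/pref/autoconfig.js, mozilla.cfg) that lock the Negotiate prefs
    for every profile. Delegation stays empty unless a service really needs a
    forwarded TGT, because that hands the server the user's full identity."""
    autoconfig_js = ('pref("general.config.filename", "mozilla.cfg");\n'
                     'pref("general.config.obscure_value", 0);\n')
    mozilla_cfg = ('// mozilla.cfg: the first line has to be a comment\n'
                   'lockPref("network.negotiate-auth.trusted-uris", "%s");\n'
                   'lockPref("network.negotiate-auth.delegation-uris", "%s");\n'
                   % (trusted_uris, delegation_uris))
    return autoconfig_js, mozilla_cfg

if __name__ == "__main__":
    policy = ".home.test"
    print(audit_trusted_uris("https://, " + policy))
    print(should_send_negotiate("https://owncloud.home.test/", ["Negotiate"], policy))
    print(should_send_negotiate("http://owncloud.home.test/", ["Negotiate"], policy))
    print(firefox_autoconfig(policy)[1])
```

The autoconfig route is system-wide and locked, which is what a FreeIPA client wants; the trust list is the part worth reviewing, since an entry like "https://" makes the browser present a ticket (and with delegation, a forwardable TGT) to whichever HTTPS site asks.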
Better Kerberos in browsers
▶ The GSSAPI flow is synchronous; it needs better UI interaction to avoid bogging down other tabs
▶ still a major issue for many browsers
Any practical use of it?
What was that?
Ipsilon is an Identity Provider that supports GSSAPI, SAML, OpenID, and other methods of authentication
▶ I set up Ipsilon to authenticate against my FreeIPA server
▶ I set up an ownCloud instance and created a simple application to do login via Ipsilon SAML
▶ Successfully logged-in users get created in ownCloud if they belong to a certain group in FreeIPA
▶ No need to enter a password if Kerberos credentials are available
▶ Credentials were entered only once
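The group-gated account creation from the slide above, as an added example in Python; it is not code from the talk, Ipsilon or ownCloud. It assumes the SAML library has already verified the assertion's XML signature before this code runs (nothing here checks signatures) and does the checks that still have to happen after that: issuer, validity window, audience restriction, then just-in-time provisioning only when the groups attribute (an assumed attribute name; how Ipsilon maps FreeIPA groups into assertions is configurable) contains the required group. The assertion, URLs and names are all constructed.

```python
"""Just-in-time provisioning from a SAML 2.0 assertion, gated on a group."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion in the shape an IdP like Ipsilon could issue for a
# FreeIPA user. The Signature element is left out: its verification is assumed
# to have happened before validate_assertion() is called.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_0a1b2c" Version="2.0" IssueInstant="2016-01-30T11:00:00Z">
  <saml:Issuer>https://ipsilon.home.test/idp/saml2/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-01-30T10:59:00Z" NotOnOrAfter="2016-01-30T11:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://owncloud.home.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>ipausers</saml:AttributeValue>
      <saml:AttributeValue>owncloud-users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@home.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

IDP = "https://ipsilon.home.test/idp/saml2/metadata"     # expected Issuer
SP = "https://owncloud.home.test/saml/metadata"          # our own entity ID

class AssertionRejected(Exception):
    pass

def saml_time(text):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Checks that remain after signature verification. Returns the subject and
    attributes, or raises AssertionRejected."""
    root = ET.fromstring(xml_text)      # use defusedxml for untrusted input in production
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise AssertionRejected("not a SAML 2.0 Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise AssertionRejected("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise AssertionRejected("assertion without an expiry")
    if cond.get("NotBefore") and now < saml_time(cond.get("NotBefore")):
        raise AssertionRejected("assertion not yet valid")
    if now >= saml_time(cond.get("NotOnOrAfter")):
        raise AssertionRejected("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise AssertionRejected("assertion meant for another service provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise AssertionRejected("no subject")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id, "attributes": attrs}

def provision_user(users, assertion, required_group, group_attr="groups"):
    """The slide's rule: an account appears in the application only if the IdP
    says the user is in required_group. Returns the user record or None."""
    if required_group not in assertion["attributes"].get(group_attr, []):
        return None
    uid = assertion["name_id"]
    if uid not in users:
        email = assertion["attributes"].get("email", [None])[0]
        users[uid] = {"uid": uid, "email": email, "source": "saml"}
    return users[uid]

if __name__ == "__main__":
    now = saml_time("2016-01-30T11:01:00Z")     # constructed clock inside the validity window
    users = {}
    a = validate_assertion(SAMPLE_ASSERTION, IDP, SP, now)
    print(provision_user(users, a, "owncloud-users"))
    print(provision_user(users, a, "admins"))
```

The audience check is the one people forget: without it an assertion issued for another service provider behind the same IdP logs the user into this one, and the group gate alone does not stop that.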
Oops, I “invented” ownCloud Enterprise Edition?
Better support for SAML in GNOME Online Accounts
GNOME Online Accounts doesn’t support SAML for an arbitrary provider
▶ One cannot set up one’s own ownCloud account in GNOME without entering a password
▶ Have to use a separate ownCloud endpoint for non-SAML logon
Certificates
FreeIPA 4.2 supports issuing X.509 certificates to users
FreeIPA 4.2 adds a per-user vault to store keys and credentials wrapped into an encrypted blob
▶ authentication to password vaults is GSSAPI-based
▶ multiple clients can use unique public/private key pairs to derive their access to a user’s vault (an asymmetric vault wraps the secret with the client’s public key, so only the holder of the matching private key can retrieve it)
▶ SSSD 1.13 allows authenticating with certificates
▶ Certificates can come from any OpenSC- or coolkey-compatible device
How enterprisey our home could become?
What benefits do we get by becoming enterprisey with FreeIPA and GNOME?
1. Control your own infrastructure
2. Improve user experience by reducing the number of password/logon interactions
3. Profit?
Questions?