openauth — administering google-authenticator two-factor authentication
Openauth is a recipe for system administrators looking to roll out google-authenticator TOTP-based two-factor authentication for their organization.
- Users self-provision their own secret keys using the web, requiring a username, password, and working email address (the code for this is also called openauth).
- Secrets sit in a network filesystem share. Ideally this share should be highly available, but if it is not, we provide a mechanism for simple failover-to-cache redundancy (hadir).
- A highly-available pair of RADIUS servers uses these secrets to handle second factor authentication for all SSH access nodes, VPN concentrators, and other protected services. We provide a recipe for setting these up.
- In addition to the standard mobile apps (which can be configured with a QR code that the self-provisioning site displays), users have the option of using a desktop client we provide (JAuth).
Self-Provisioning:
- user contacts web server, authenticates with username + password
- web server authenticates user, looks up email address
- web server sends mail to the user with a unique link to continue (the link expires after a short time)
- user gets email link
- user returns to the web server
- web server writes a new secret key for the user to the filesystem, and presents client configuration options to the user
Usage:
- user connects to cluster resource (e.g. ssh head node, vpn concentrator, ...)
- first factor auth — authenticate username + password
- second factor auth — ask RADIUS servers to authenticate username + verification code
- using the secret key on file, one of the RADIUS servers authenticates the user
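The two flows above, as an added example that is not openauth's own code: the self-provisioning steps (one-time, expiring email link; a fresh secret written to a per-user file) and the usage steps (a RADIUS-side check of the verification code against the secret on file). The code generation follows RFC 4226/6238, which is what the Google Authenticator apps implement. Everything else is assumed for illustration: the in-memory PENDING_LINKS table, the 600-second LINK_TTL, a one-file-per-user layout under a temporary directory standing in for the network share, and all function names.

```python
import base64
import hashlib
import hmac
import os
import secrets
import struct
import tempfile
import time
from urllib.parse import quote

TOTP_DIGITS = 6     # Google Authenticator default
TOTP_STEP = 30      # seconds per time step (RFC 6238 default)
SKEW_STEPS = 1      # accept one step either side of "now" for clock drift
LINK_TTL = 600      # assumed lifetime of the emailed self-provisioning link, seconds
PENDING_LINKS = {}  # assumed in-memory table of outstanding links: token -> (user, expiry)


def issue_provisioning_link(username, now=None):
    """Self-provisioning step 3: mint the one-time token carried in the emailed link."""
    now = int(time.time() if now is None else now)
    token = secrets.token_urlsafe(32)
    PENDING_LINKS[token] = (username, now + LINK_TTL)
    return token


def redeem_provisioning_link(token, store_dir, now=None):
    """Steps 5-7: consume the token, write a fresh secret, return it (None if link bad)."""
    now = int(time.time() if now is None else now)
    entry = PENDING_LINKS.pop(token, None)          # pop: a link works exactly once
    if entry is None:
        return None
    username, expires_at = entry
    if now > expires_at:
        return None
    secret_b32 = base64.b32encode(secrets.token_bytes(20)).decode("ascii")  # 160-bit seed
    fd = os.open(os.path.join(store_dir, username),                # assumed per-user file
                 os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)     # owner-only permissions
    with os.fdopen(fd, "w") as fh:
        fh.write(secret_b32 + "\n")
    return secret_b32


def provisioning_uri(username, secret_b32, issuer="openauth"):
    """otpauth:// key URI, the text the QR code shown to mobile-app users encodes."""
    label = quote(issuer) + ":" + quote(username)
    return "otpauth://totp/%s?secret=%s&issuer=%s" % (label, secret_b32, quote(issuer))


def hotp(secret_b32, counter):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (TOTP_DIGITS, value % 10 ** TOTP_DIGITS)


def totp(secret_b32, now=None):
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    now = int(time.time() if now is None else now)
    return hotp(secret_b32, now // TOTP_STEP)


def verify_second_factor(username, code, store_dir, used_steps, now=None):
    """Usage step 4: the RADIUS-side check of a code against the secret on file."""
    try:
        with open(os.path.join(store_dir, username)) as fh:
            secret_b32 = fh.readline().strip()
    except FileNotFoundError:
        return False                              # no secret on file: never pass
    now = int(time.time() if now is None else now)
    step = now // TOTP_STEP
    for delta in range(-SKEW_STEPS, SKEW_STEPS + 1):
        if hmac.compare_digest(hotp(secret_b32, step + delta), code):
            if (username, step + delta) in used_steps:
                return False                      # replay of an already-used code
            used_steps.add((username, step + delta))
            return True
    return False


def run_example():
    """Walk both flows on a fixed simulated clock; returns what each check decided."""
    store = tempfile.mkdtemp(prefix="openauth-secrets-")  # stands in for the share
    used, t0 = set(), 1_700_000_000
    token = issue_provisioning_link("alice", now=t0)
    stale = issue_provisioning_link("bob", now=t0)
    secret = redeem_provisioning_link(token, store, now=t0 + 60)
    return {
        "secret_written": secret is not None,
        "link_single_use": redeem_provisioning_link(token, store, now=t0 + 61) is None,
        "expired_link_rejected": redeem_provisioning_link(stale, store, now=t0 + LINK_TTL + 1) is None,
        "valid_code_accepted": verify_second_factor("alice", totp(secret, now=t0 + 120), store, used, now=t0 + 120),
        "replay_rejected": not verify_second_factor("alice", totp(secret, now=t0 + 120), store, used, now=t0 + 125),
        # a code of the wrong length can never match, so this check is deterministic
        "wrong_code_rejected": not verify_second_factor("alice", "12345", store, used, now=t0 + 200),
        "unknown_user_rejected": not verify_second_factor("mallory", "123456", store, used, now=t0 + 200),
    }
```

Calling run_example() returns a dict in which every check should be True. Two points matter when this is turned into real infrastructure: a TOTP code stays valid for the whole skew window, so the used-step record has to be shared between both RADIUS servers of the highly-available pair, not kept per process; and the pending-link table likewise has to be visible to every web server that can receive the user's return visit.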