Two-factor authentication (also known as two-step verification or 2FA) is essentially a must-have these days for critical infrastructure. The benefits and reasons why are well documented in our recent blog posts and elsewhere around the internet. Here at Evernote Operations, we have been using it to protect our production back-end for well over a year now. Recently, we were tasked with further hardening some of our internal non-production infrastructure. Part of this hardening included requiring 2FA to access certain systems to which many of our non-operations staff would need access. To accomplish this, we evaluated a number of systems and methods, commercial and Free Open Source Software (FOSS), for a secure solution that would provide a true second factor of authentication (something the user has, in addition to the password they know) and support the devices and software needed by our internal users. It also needed to be easy to manage, monitor, maintain, and provision. We felt the solution we selected should be shared with the community. It is fairly easy to set up, uses all FOSS, and performs the authentication using a protocol (RADIUS) that almost any system or device can speak.
We selected a solution based on TOTP (RFC 6238). This method uses time-based codes generated by a hardware or software token to provide the second factor of authentication, and is the same RFC already used by many large web companies. In fact, it is the same RFC followed by our own customer-facing two-step verification solution. To get a little more detailed about how this method works: it takes the Unix epoch timestamp (seconds since January 1, 1970 UTC) and divides it by the time interval the code will be good for (typically 30 or 60 seconds). The result is used as the counter for HOTP (RFC 4226). HOTP computes an HMAC-SHA-1 over that counter using a shared secret seed (unique to each account) as the key, then "dynamically truncates" the digest down to a short 6-digit code. The employee enters the code together with their password at login; the authenticating server strips the code off, computes what the code should be from its own copy of the seed and the current time, and compares the two. The remaining password is then sent on to the other authentication sources for verification. Since the code changes at the end of each time interval, a code that is observed or captured is only useful for the rest of that interval (plus whatever clock skew the server tolerates), so knowing one code is not enough to log in to an employee's account later.
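The steps just described, worked through in code. This is an added example, not code from the original post or from Evernote's FreeRADIUS setup: a minimal HOTP/TOTP implementation per RFC 4226 and RFC 6238, plus a `verify_totp_login` function that models what the RADIUS side has to do with a "password plus code" login. The assumptions not stated in the post are that the 6-digit code is appended to the end of the password, that the server tolerates one interval of clock skew either side, and that seeds are stored base32-encoded (as most authenticator apps expect). The seed `12345678901234567890` is the test seed from the RFCs, so the codes can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code of `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the Unix time divided by the step."""
    return hotp(secret, int(timestamp) // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode a base32 seed as stored in LDAP / shown by authenticator apps
    (assumed storage format, not stated in the post). Case and padding are
    normalised because apps and admins are sloppy about both."""
    padded = encoded.strip().upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def split_password_and_code(submitted: str, digits: int = 6):
    """Assumption: the TOTP code is appended to the password.
    Returns (password, code), or None if the tail is not a code."""
    if len(submitted) <= digits or not submitted[-digits:].isdigit():
        return None
    return submitted[:-digits], submitted[-digits:]


def verify_totp_login(submitted: str, secret: bytes, timestamp=None,
                      step: int = 30, digits: int = 6, skew: int = 1):
    """Strip the code off the submitted string and check it against the
    current interval and `skew` intervals either side (clock drift).

    Returns (ok, password). Only when ok is True should `password` be
    forwarded to the next authentication source (LDAP, etc.)."""
    if timestamp is None:
        timestamp = int(time.time())
    parts = split_password_and_code(submitted, digits)
    if parts is None:
        return False, None
    password, code = parts
    counter = int(timestamp) // step
    ok = False
    for delta in range(-skew, skew + 1):
        expected = hotp(secret, counter + delta, digits)
        # constant-time compare, and no early exit, so response timing
        # does not leak which window (if any) matched
        if hmac.compare_digest(expected, code):
            ok = True
    return (True, password) if ok else (False, None)


if __name__ == "__main__":
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC test seed
    print("TOTP at T=59:", totp(seed, 59))                        # 287082
    print(verify_totp_login("hunter2" + totp(seed, 59), seed, timestamp=59))
```

Two things worth noting when turning this into a real authenticator. First, a code accepted once should not be accepted again within the same window; remember the last counter each account authenticated with and reject anything at or below it, or a captured "password plus code" can be replayed for up to the skew window. Second, the skew handling above is what makes the "one code" argument in the text hold only approximately: with `skew=1` and a 30-second step, a code lives for up to 90 seconds on the server side.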
Our solution uses FreeRADIUS as the authentication server and OpenLDAP as the storage backend. FreeRADIUS has a modular setup allowing various authentication, authorization, and accounting modules to be plugged in for different authenticating hosts (NAS clients). This allows for setting up a single server that can do complex WiFi auth (e.g. the various incantations of PEAP/EAP) for some devices and simple PAP auth for others. It has modules to tie it directly into LDAP, and its xlat string expansion can even run an LDAP query inline to fill in configuration values at request time. OpenLDAP is generally the de facto LDAP server on Linux, though any LDAP server should work.
The key to this system is FreeRADIUS's modularity, specifically the Perl module (rlm_perl) it comes with. This allows writing any authorization, authentication, accounting, and auditing (AAAA) rules into a Perl script, with one Perl function per processing stage. We took the example Perl script from the rlm_perl documentation and added a TOTP verification function, using LDAP to pull the critical data (the employee's TOTP secret), and voilà: instant 2-factor. In all honesty it isn't quite that simple. There are a good handful more steps, configuration changes, and tweaks to get it working correctly and securely, but for standing up your own 2-factor system it was quick and almost as painless as a commercial system we use (and beats it hands down for flexibility). More details to come!