multi factor authentication system (2FA, MFA, OTP Server)


privacyIDEA


privacyIDEA is an open solution for strong two-factor authentication with OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you can enhance your existing applications, such as local login (PAM, Windows Credential Provider), VPN, remote access, SSH connections and access to web sites or web portals, with a second factor during authentication, boosting the security of those applications.

Overview

privacyIDEA runs as an additional service in your network and you can connect different applications to privacyIDEA.


privacyIDEA does not bind you to a particular authentication protocol, nor does it dictate where your user information is stored. This is achieved by its fully modular architecture. privacyIDEA is open not only in its modular architecture: it is also completely licensed under the AGPLv3.

It supports a wide variety of authentication devices like OTP tokens (HMAC, HOTP, TOTP, OCRA, mOTP), Yubikey (HOTP, TOTP, AES), FIDO U2F, as well as FIDO2 WebAuthn devices like Yubikey and Plug-Up, smartphone Apps like Google Authenticator, FreeOTP, Token2 or TiQR, SMS, Email, SSH keys, x509 certificates and Registration Codes for easy deployment.
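The HOTP and TOTP token types listed above share one core algorithm (RFC 4226 event counters, RFC 6238 time steps). The following is an added example written for this page, not privacyIDEA's own token code; it implements both and a server-side look-ahead verifier, and is checked against the RFC test vectors (secret `12345678901234567890`). The `window` parameter and the `verify_hotp` helper are assumptions of this example.

```python
# Added example (not privacyIDEA's own code): HOTP (RFC 4226) and TOTP (RFC 6238)
# as used by the hardware and smartphone OTP tokens privacyIDEA supports.
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time step."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_hotp(secret: bytes, candidate: str, counter: int, window: int = 10) -> Optional[int]:
    """Server-side HOTP check with a look-ahead window (assumed size 10).

    Returns the counter at which the candidate matched, so the caller can store
    counter + 1 and refuse a replay of the same code; returns None on no match.
    Counters below the stored value are never tried, which is what prevents replay.
    """
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test vectors use this 20-byte ASCII secret.
    secret = b"12345678901234567890"
    print(hotp(secret, 0))                      # 755224
    print(totp(secret, 59, digits=8))           # 94287082
    print(verify_hotp(secret, "287082", 0))     # 1
```

A verifier must advance the stored counter past the matched value; returning the matched counter (rather than a bare boolean) is what makes that bookkeeping possible, and `hmac.compare_digest` keeps the comparison constant-time.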

privacyIDEA is based on Flask and SQLAlchemy as the Python backend. The web UI is based on AngularJS and Bootstrap. A MachineToken design lets you assign tokens to machines, so you can use your Yubikey to unlock LUKS, assign SSH keys to SSH servers or use offline OTP with PAM.

You may join the discourse discussion forum to give feedback, help other users, discuss questions and ideas: https://community.privacyidea.org

Setup

For setting up the system to run it, please read install instructions at privacyidea.readthedocs.io.

If you want to setup a development environment start like this:

git clone https://github.com/privacyidea/privacyidea.git
cd privacyidea
virtualenv venv
source venv/bin/activate
pip install -r requirements.txt

You may additionally want to set up your environment for testing, by adding the additional dependencies:

pip install -r tests/requirements.txt

You may also want to read the blog post about development and debugging at https://www.privacyidea.org/privacyidea-development-howto/

Getting and updating submodules

The client-side library for the registering and signing of WebAuthn-Credentials resides in a submodule.

To fetch all submodules for this repository, run:

git submodule update --init --recursive

When pulling changes from upstream later, you can automatically update any outdated submodules, by running:

git pull --recurse-submodules

Running it

First you need to create a config file.

Then create the database and encryption key:

./pi-manage createdb
./pi-manage create_enckey

If you want to keep the development database upgradable, you should stamp it to simplify updates:

./pi-manage db stamp head -d migrations/

Create the key for the audit log:

./pi-manage create_audit_keys

Create the first administrator:

./pi-manage admin add <username>

Run it:

./pi-manage runserver

Now you can connect to http://localhost:5000 with your browser and login as administrator.

Run tests

If you have followed the steps above to set up your environment for testing, running the test suite should be as easy as running pytest with the following options:

python -m pytest -v --cov=privacyidea --cov-report=html tests/

Contributing

There are a lot of different ways to contribute to privacyIDEA, even if you are not a developer.

If you found a security vulnerability please report it to [email protected].

You can find detailed information about contributing here: https://github.com/privacyidea/privacyidea/blob/master/CONTRIBUTING.md

Code structure

The database models are defined in models.py and tested in tests/test_db_model.py.

Based on the database models there are the libraries lib/config.py which is responsible for basic configuration in the database table config. And the library lib/resolver.py which provides functions for the database table resolver. This is tested in tests/test_lib_resolver.py.

Based on the resolver there is the library lib/realm.py which provides functions for the database table realm. Several resolvers are combined into a realm.

Based on the realm there is the library lib/user.py which provides functions for users. There is no database table user, since users are dynamically read from the user sources like SQL, LDAP, SCIM or flat files.

Versioning

privacyIDEA adheres to Semantic Versioning.

Comments
  • Validity Format

    Validity Format

    Versions

    privacyIDEA: 2.17

    Installation method:

    • from source / github

    more details:

    OS: AmazonLinux

    Webserver: nginx

    Tokendatabase: PostgreSQL

    ======

    Hi Cornelinux,

    We are seeing some issue with the Validity Period settings:

    1. WebUI format mismatch with database

    If you try to select a date from the calendar only, the date format string shown in the UI as a result is DD/MM/YY, and is recorded fine as DD/MM/YY in the token info (database).

    However, if you try to select a date from the calendar and then insert a time string after, the date/time format shown in the UI is DD/MM/YY hh:mm, yet is recorded as MM/DD/YY hh:mm in the token info (database).

    This is very confusing for user experience. The calendar selection format should agree with the string entering format.

    2. Timezone

    The time entered in the webUI is likely the local time zone for the user (for example PST), but it is always converted to GMT when saved in the database. And when the user authenticates, it is matched with local time zone against the literal saved validity time in the token info.

    For example: If the validity is entered as 08/03/17 04:43 (PST), it will be saved as 03/08/17 11:43 in the token info, and displayed in token details as so. (Date and month are switched, and time is converted to GMT.)

    Provided that I manually fix the date so that the token info now is 08/03/17 11:43 (GMT), when a user authenticates at 11:00 PST it fails due to being outside of the validity window, because it is matching against the literal 11:43 GMT in the token info.

    Because no timezone is shown, it is further confusing, especially for organizations that have users across multiple timezones.

    I am not sure if I may be missing some configuration to adjust this issue. I am looking forward to your input!

    Thank you.

    Type: Known issue 
    opened by quynh-axiadids 23
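The timezone failure described in the issue above comes from comparing a naive local clock reading against a stored value that is really UTC. The following added example (not privacyIDEA's own validity code) reproduces that comparison, then shows the hardened form that tags the stored value as UTC, refuses a naive `now`, and renders the value in the user's zone with the zone name attached. The fixed-offset `PST` zone, the `DD/MM/YY hh:mm` storage format and the use of the value as a validity *start* are assumptions taken from the scenario in the issue.

```python
# Added example (not privacyIDEA's own code): naive vs. timezone-aware validity checks.
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the user's local zone (fixed offset, no DST handling).
PST = timezone(timedelta(hours=-8), "PST")
STORED_FORMAT = "%d/%m/%y %H:%M"   # DD/MM/YY hh:mm, as displayed in the issue


def token_active_naive(validity_start_stored: str, now_local: datetime) -> bool:
    """Failure mode from the issue: the stored string holds a UTC time, but it is
    parsed as a naive datetime and compared with a naive *local* clock reading."""
    start = datetime.strptime(validity_start_stored, STORED_FORMAT)
    return now_local >= start


def token_active_aware(validity_start_stored: str, now: datetime) -> bool:
    """Hardened variant: the stored value is explicitly tagged as UTC and the caller
    must pass a timezone-aware 'now', so both sides are compared on one timeline."""
    if now.tzinfo is None or now.utcoffset() is None:
        raise ValueError("now must be timezone-aware")
    start = datetime.strptime(validity_start_stored, STORED_FORMAT).replace(tzinfo=timezone.utc)
    return now >= start


def display_validity(validity_start_stored: str, user_zone: timezone) -> str:
    """Render the stored UTC value in the user's zone with the zone name attached,
    so the UI never shows a bare timestamp of unknown zone."""
    start_utc = datetime.strptime(validity_start_stored, STORED_FORMAT).replace(tzinfo=timezone.utc)
    return start_utc.astimezone(user_zone).strftime(STORED_FORMAT + " %Z")


if __name__ == "__main__":
    stored = "08/03/17 11:43"                        # 04:43 PST entered, saved as UTC
    local_clock = datetime(2017, 3, 8, 11, 0)        # 11:00 PST, read as naive
    print(token_active_naive(stored, local_clock))                       # False (the bug)
    print(token_active_aware(stored, local_clock.replace(tzinfo=PST)))   # True
    print(display_validity(stored, PST))                                  # 08/03/17 03:43 PST
```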
  • Cron runner

    Cron runner

    We need to be able to define recurring tasks every minute, 5 minutes, hour...

    This can be used to

    • process statistics counters (#990)
    • rotate audit
    • clean-up user cache
    • measure other counters based on SQL statements (like counting all unassigned hardware tokens, #986)

    Such cron definitions would consist of

    • time to repeat the task
    • condition
    • module to handle the task

    This could be implemented in a similar modular way like the event handler.

    Type: Enhancement Topic: Monitoring 
    opened by cornelinux 22
  • adding activated policies to the audit log

    adding activated policies to the audit log

    Split from #829

    I think this is also a good idea! If we do not want to change the audit table schema, we could also add a DEBUG logging output that sums up the activated policies for each request in a first step.

    On the technical side, I think we have to differentiate between pre- and postpolicies:

    I noticed that the prepolicies all return True in any case, but the return value doesn't seem to be processed. Couldn't we use the return value to indicate whether the policy was activated? The prepolicy decorator could then construct a list of activated policies in the request context (e.g. g.activated_prepolicies), i.e. a list of all policy functions that returned True. For postpolicies, it seems to be a bit harder because they return the new response. Maybe the postpolicy decorator could check whether the response was modified by the postpolicy? (e.g. if new_response != old_response or new_response.data != old_data: ...). Or we make this explicit and add a function announce_policy_activation() or something like that. We would just need to insert calls to that function at the right places.

    Type: Enhancement Topic: Audit Topic: Policy 
    opened by cornelinux 22
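The pre-/postpolicy idea in the issue above (use the prepolicy return value to record activation, and detect postpolicy activation by comparing the response before and after) can be sketched without Flask. The following is an added example, not privacyIDEA's decorators or policy store: `g` is a plain namespace standing in for Flask's request context, `POLICY_STORE` is a constructed realm-to-settings map, and the two sample policies are hypothetical.

```python
# Added example (not privacyIDEA's own code): recording which policies acted on a request.
from functools import wraps
from types import SimpleNamespace

g = SimpleNamespace()   # constructed stand-in for Flask's per-request `g`

# Constructed policy store: realm -> settings
POLICY_STORE = {
    "realm_a": {"otp_pin_required": True, "no_detail_on_success": True},
    "realm_b": {},
}


def reset_request_context():
    g.activated_prepolicies = []
    g.activated_postpolicies = []


def prepolicy(policy_func):
    """A prepolicy returns True when it applied to the request; record that name."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if policy_func(request):
                g.activated_prepolicies.append(policy_func.__name__)
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


def postpolicy(policy_func):
    """A postpolicy gets a *copy* of the response; if what it returns differs from
    the original, the policy is considered activated."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            response = view(request, *args, **kwargs)
            new_response = policy_func(request, dict(response))
            if new_response != response:
                g.activated_postpolicies.append(policy_func.__name__)
            return new_response
        return wrapper
    return decorator


def otp_pin_policy(request):
    """Hypothetical prepolicy: require a PIN in the request when the realm says so."""
    if POLICY_STORE.get(request["realm"], {}).get("otp_pin_required"):
        if not request.get("pin"):
            raise PermissionError("OTP PIN required by policy")
        return True
    return False


def strip_detail_policy(request, response):
    """Hypothetical postpolicy: drop the detail section from successful responses."""
    if POLICY_STORE.get(request["realm"], {}).get("no_detail_on_success") and response.get("result"):
        response.pop("detail", None)
    return response


@prepolicy(otp_pin_policy)
@postpolicy(strip_detail_policy)
def enroll(request):
    return {"result": True, "detail": {"serial": "HOTP00000001"}}   # constructed response


def handle(request):
    """Run one request and return (response, activated prepolicies, activated postpolicies),
    which is what an audit entry or DEBUG line would summarise."""
    reset_request_context()
    response = enroll(request)
    return response, list(g.activated_prepolicies), list(g.activated_postpolicies)


if __name__ == "__main__":
    print(handle({"realm": "realm_a", "pin": "1234"}))
    print(handle({"realm": "realm_b"}))
```

Passing the postpolicy a copy is what makes the before/after comparison meaningful; a policy that mutated the response in place would otherwise look unchanged. Comparing whole responses is cheap for JSON-sized payloads but becomes a cost for large ones, which is the case for an explicit announce call instead.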
  • NoneType object has no attribute 'split' error while viewing user details

    NoneType object has no attribute 'split' error while viewing user details

    Since last update to version 2.15 we have seen the following notification when viewing user information:


    This occurs now and then and only occurred since last update. Closing the browser and logging back on seems to resolve the issue temporary.

    opened by MaRRiK74 22
  • Add Audit Module, that does SQL Audit _and_ Audit to file

    Add Audit Module, that does SQL Audit _and_ Audit to file

    We need the possibility to run audit logs to sql audit and to a file.

    We either could

    • create a new audit module, that does both, inherited from SQLAudit
    • enhance the SQLAudit module
    • or allow the audit framework to write to multiple audit modules in parallel (sqlaudit and fileaudit)
    Prio: High Type: Main feature 
    opened by cornelinux 21
  • HTTP UserId Resolver support

    HTTP UserId Resolver support

    Is your feature request related to a problem? Please describe. What are you trying to achieve?

    Currently, pi supports sql, ldap, passwd and scim user resolvers. A useful case for microservices is retrieving users from an external API. For example, http://domain.com/users/<userId>

    Describe the solution you'd like A clear and concise description of what you want to happen.

    • What is the purpose of the resolver

    Use a third party HTTP API for retrieving user data without following the SCIM specs.

    • How it works

    Since PI does not store users, it uses resolvers like LDAP, SCIM, SQL, etc. Today, there is no way to resolve user information through an API but SCIM. SCIM uses an authorization server to authenticate the request, HTTP resolver will not. HTTP resolver could authenticate users via Authorization headers instead.

    • How it is configured

    The user would create an HTTP resolver only adding an HTTP endpoint under Add httpresolver UI. The endpoint must contain the '%s' symbol inside, symbol where pi will replace with their userId.

    Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.

    Add inversion control in order to be the user able to create custom resolvers instead of modifying pi code directly.

    Additional context Add any other context or screenshots, that might help us to better understand your idea, your need and your circumstances.


    Topic: Resolver 
    opened by brunocascio 20
  • 2step enrollment with privacyidea authenticator

    2step enrollment with privacyidea authenticator

    The two step enrollment has to work with the privacyIDEA authenticator.

    See

    • https://github.com/privacyidea/privacyidea-authenticator/issues/4
    • https://github.com/privacyidea/privacyidea-authenticator/issues/5

    These things have to be done on the server side:

    1. Implement the better key generation function based on pbkdf2
    2. Create testvectors for the key generation, so that we can have tests on server side and on app side
    3. Allow to choose 2step enrolment in enrollment ui. In case of 2step enrollment the enrollment ui needs to display an entry field (for the nonce) in addition to the QR code.
    4. Add configuration option for
      • information to be put into the QR code (?pin=true, ?2step=true)
      • if at all/how and when to use 2step. So that not the admin or use can choose to enroll 2step but a policy will define this. The config options are probably best defined in an enrollment policy.
    Type: Enhancement Topic: Token Type: Main feature 
    opened by cornelinux 20
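Steps 1 and 2 of the server-side list above (a PBKDF2-based key generation function plus test vectors shared by server and app) can be shown end to end. The following added example is not privacyIDEA's 2step implementation: the choice of PBKDF2-HMAC-SHA1 with the server component as password and the client component as salt, and the round count and key length, are assumptions of this example. The derivation core is checked against the published RFC 6070 PBKDF2-HMAC-SHA1 vectors, which is the kind of shared vector the issue asks for.

```python
# Added example (not privacyIDEA's own code): two-step enrollment key derivation.
import hashlib
import secrets
from typing import Tuple

ROUNDS = 10000        # assumed; privacyIDEA's real setting may differ
KEY_LENGTH = 20       # assumed; 20 bytes is the usual HOTP/TOTP SHA1 secret size


def derive_two_step_secret(server_component: bytes, client_component: bytes,
                           rounds: int = ROUNDS, key_length: int = KEY_LENGTH) -> bytes:
    """PBKDF2-HMAC-SHA1 with the server component as password and the client
    component as salt (assumed scheme). Both parties run exactly this function."""
    if not server_component or not client_component:
        raise ValueError("both components are required")
    return hashlib.pbkdf2_hmac("sha1", server_component, client_component, rounds, key_length)


def server_start_enrollment(component_bytes: int = 20) -> bytes:
    """Step 1 (server): generate the server component that goes into the QR code.
    The server keeps it only until the client component arrives."""
    return secrets.token_bytes(component_bytes)


def app_finish_enrollment(server_component_from_qr: bytes,
                          component_bytes: int = 20) -> Tuple[bytes, bytes]:
    """Step 2 (app): add a fresh client component, derive the secret, and return the
    client component so it can be typed into the enrollment UI's nonce field."""
    client_component = secrets.token_bytes(component_bytes)
    return client_component, derive_two_step_secret(server_component_from_qr, client_component)


def server_finish_enrollment(server_component: bytes, client_component: bytes) -> bytes:
    """Step 3 (server): derive the same secret from the two components."""
    return derive_two_step_secret(server_component, client_component)


def two_step_enrollment() -> bool:
    """Whole exchange; returns True when both sides agree on the token secret."""
    server_component = server_start_enrollment()
    client_component, app_secret = app_finish_enrollment(server_component)
    server_secret = server_finish_enrollment(server_component, client_component)
    return app_secret == server_secret


# Published PBKDF2-HMAC-SHA1 vectors (RFC 6070): password, salt, rounds, dkLen, expected hex.
RFC6070_VECTORS = [
    (b"password", b"salt", 1, 20, "0c60c80f961f0e71f3a9b524af6012062fe037a6"),
    (b"password", b"salt", 2, 20, "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957"),
    (b"password", b"salt", 4096, 20, "4b007901b765489abead49d926f721d065a429c1"),
]


def check_test_vectors() -> bool:
    """Server and app builds can both run this to prove they derive identically."""
    return all(derive_two_step_secret(p, s, c, dk).hex() == expected
               for p, s, c, dk, expected in RFC6070_VECTORS)


if __name__ == "__main__":
    print(check_test_vectors())      # True
    print(two_step_enrollment())     # True
```

The security property this buys is in `two_step_enrollment`: whoever only saw the QR code (the server component) cannot compute the secret, and the server cannot compute it before the client component arrives, so neither artefact alone is the token.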
  • After upgrade there are LDAPresolver errors

    After upgrade there are LDAPresolver errors

    What did you try to do?

    I wanted to upgrade privacyIDEA from version 2.11.3 to newest 2.19 or 2.18.1 version. I did everything as written in this website: http://privacyidea.readthedocs.io/en/latest/installation/upgrade.html but after upgrading I discovered problems with ldapresolver

    What outcome did you expect?

    What do you think, how the system should have worked?

    Update should work without any problem.

    What did actually happen?

    Users from Active Directory are not able to log in via VPN because of errors. The second issue is that privacyIDEA is running in debug mode after the update, but in the config file it is still set to INFO.

    Configuration

    • privacyIDEA Version: 2.11.3 -> 2.19

    • Installation method: pip install in virtualenv

    more details:

    • OS: CentOS 7

    • Webserver: HTTPD 2.4.6-31.el7

    • Tokendatabase: 5.5.44-MariaDB

    Log file

    Update LOG: update.txt
    Database update LOG: update_db.txt
    privacyidea.log:

    [2017-06-26 11:30:14,202][3303][139998652352256][ERROR][privacyidea.lib.token:424] User information can not be retrieved: 'ascii' codec can't encode character u'\u0144' in position 27: ordinal not in range(128)
    [2017-06-26 11:30:14,202][3303][139998652352256][ERROR][privacyidea.lib.token:424] User information can not be retrieved: 'ascii' codec can't encode character u'\u0144' in position 27: ordinal not in range(128)
    [2017-06-26 11:30:14,793][3303][139998652352256][ERROR][privacyidea.lib.token:424] User information can not be retrieved: 'ascii' codec can't encode character u'\u0144' in position 14: ordinal not in range(128)
    [2017-06-26 11:30:14,793][3303][139998652352256][ERROR][privacyidea.lib.token:424] User information can not be retrieved: 'ascii' codec can't encode character u'\u0144' in position 14: ordinal not in range(128)

    Topic: LDAP Status: Waiting for feedback 
    opened by ghost 20
  • Deterministic installations with pinned dependencies

    Deterministic installations with pinned dependencies

    Currently, this is just an idea and I would be interested in your opinions :-)

    There are currently three ways to install privacyIDEA (please correct me if I'm wrong):

    • via native distribution packages, currently only Ubuntu
    • via distribution packages using virtualenv (e.g. centos and debian-virtualenv)
    • manually in a virtualenv via pip install privacyidea

    In the past, we often had problems when there were new versions of dependencies which were incompatible with our codebase (e.g. ldap3/pyasn #912).

    This can still happen, e.g. assume there is a dependency X which releases a new version 1.1 today that is incompatible with privacyIDEA 2.22. Then, all users who use pip install privacyidea today to install privacyIDEA 2.22 will get the newest version 1.1 of dependency X, which will cause problems, and will need to manually downgrade X to get a working installation. We can react by putting X<1.1 in our setup.py, but this requires us to make a new release.

    In case of Ubuntu packages, the package repositories don't get updated too often, so the risk of incompatible new versions is pretty low here. The risk is higher for virtualenv packages and pip installations, because privacyidea-pip-update will upgrade all installed dependencies to their latest versions by default (though we can still explicitly exclude versions in setup.py).

    So it might be nice to have "deterministic" installations in the sense that all versions of dependencies installed on user's machines are pinned and known to work with our current stable version.

    Currently, I'm not sure how to do that nicely: Putting pinned dependencies in setup.py is discouraged. requirements.txt contains pinned versions, but pip install privacyidea installs dependencies from setup.py, not requirements.txt.

    What do you think? :)

    Type: Idea! 
    opened by fredreichbier 19
  • Policies could be dependent on any user attribute

    Policies could be dependent on any user attribute

    The conditions for a policy and event handler to apply could depend on any arbitrary user attribute (like a group membership)

    See https://community.privacyidea.org/t/resolver-and-user-token-relation/941

    Type: Idea! Prio: High Topic: Policy Type: Main feature 
    opened by cornelinux 18
  • Statistics and dashboard

    Statistics and dashboard

    Use RRDTool for data in time series.

    https://oss.oetiker.ch/rrdtool/prog/rrdpython.en.html

    We can do timeseries over:

    • successful authentications (all or per user, serial, resolver, realm)
    • failed authentications (all or per user, serial, resolver, realm)
    • API calls (all or per user)
    • users, who issued calls
    • ...
    Layer: UI Topic: Monitoring 
    opened by cornelinux 17
  • Update to 3.8 fails with `relation "customuserattribute_seq" already exists`

    Update to 3.8 fails with `relation "customuserattribute_seq" already exists`

    Top-level intent

    I tried to upgrade my PI instance from 3.7.4 to 3.8.

    Steps to reproduce

    1. Install PI at version 3.7.4
    2. Update to 3.8
    3. Run pi-manage db upgrade

    Expected outcome

    Upgrade working fine without any issues.

    Actual outcome

    DB migration failed like this:

    (psycopg2.errors.DuplicateTable) relation "customuserattribute_seq" already exists
    

    Context

    This was probably introduced by #3384 which also creates the db sequence customuserattribute_seq even though the corresponding data-structures seem to exist since 3.6 which seems questionable on its own already.

    I just installed another instance of PrivacyIDEA at version 3.7.4 and on that instance the sequence customuserattribute_seq also existed already, so updating this test instance to 3.8 would cause the same problem.

    Configuration

    • privacyIDEA version: 3.7.4, issue occurred while upgrading to 3.8
    • Installation method: NixOS module (services.privacyidea)
    • Python version: 3.9.16
    • Operating system: NixOS
    • Webserver: nginx
    • Token database: PostgreSQL 13.9

    Log file

    n/a

    Type: Possible bug 
    opened by Ma27 0
  • 2 possible image fields in the challenge

    2 possible image fields in the challenge

    Hi,

    as I see, the server response has 2 image fields. One is called image (new, to show the QR Code) and another called img, which can contain any image assigned to the given challenge.

    Can you consider using only one field for both of these? That will make our work easier and cleaner. And though, by token enrollment, we don't need to show any other image than this QR Code. E.g.: if "qrcode" is not empty -> replace the "img"

    Or maybe I miss something?

    Type: Possible bug 
    opened by lukasmatusiewicz 0
  • Do not require second factor when unlocking system for certain amount of time after having used it last

    Do not require second factor when unlocking system for certain amount of time after having used it last

    We'd like to introduce PrivacyIdea in our environment, mainly to secure local Windows logins, but during brainstorming people quickly raised the issue that they'd get very annoyed with it if they had to enter their second factor every time they unlock their computer.

    We've got a system policy set that locks a computer after X number of minutes of inactivity, and because of that a bunch of people would be forced to enter not only their password, but also their second factor multiple times per day. We do not want to disable the second factor for unlocking the system entirely though. We just want it to not be required every time the system is unlocked.

    Our idea to combat this was to basically set things up in a way that will make the second factor absolutely mandatory if the system has been (these rules beat any others):

    • just booted
    • woken from standby (suspend to ram)
    • woken from hibernation (suspend to disk)

    However, if the system was only locked then the client should NOT require the second factor if the following condition is met:

    • the user is just unlocking the system within XX minutes after having last used the second factor for login (or unlocking if XX had already expired before; we considered a value of something like 4 hours for XX; though obviously that should be configurable)

    Further, the system should fall back to requiring the second factor under certain circumstances even if XX has not expired yet:

    • If the system has been locked more than XY times in the last XZ minutes (our default was 10 times in 1 hour; both values should be configurable)
    • If the user has entered a wrong password YY times while trying to unlock the system with the second factor disabled (our default value here was 3; again should be configurable)

    I've got the whole ruleset written down as a Powershell script that gets executed by a scheduled tasks triggered on a number of eventlog IDs from the system and security eventlogs. Following the rules outlined above the script then modifies the "cpus_logon" and "cpus_unlock" registry keys to either enable or disable the second factor requirement. It also keeps track (in the registry) of when the second factor was last used (to calculate when XX has expired), when it was locked (MultiString with a list of timestamps) and number of unlocks to calculate when XY in XZ is exceeded, and obviously number of failed unlocks to reenable the second factor again after YY is exceeded.

    The whole thing works but it adds an additional level of complexity I'd rather avoid if possible. However, we feel it is necessary to add such a feature to get not only our users but also management and VIPs on board with introducing PrivacyIDEA in our environment.

    Instead of having a custom Powershell script trigger on eventlog entries I'd much rather have the client natively support all these features and pull the configured values (XX, XY, XZ and YY) from a central configuration point allowing us to easily change and adjust values.

    Is this something you could/would consider to implement? Would be very much appreciated and surely very useful not only to us but others as well. On top of that it would add a nice feature to the list that other competitors in this field might not have and set PrivacyIDEA apart in that regard.

    Type: Feature request 
    opened by kheldorn 1
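The rule set in the feature request above (always require the second factor after boot or wake; otherwise skip it within XX minutes of the last second-factor use, unless the machine was locked more than XY times in XZ minutes or the password was wrong YY times) is a pure decision function. The following added example, not the requester's PowerShell script and not anything the privacyIDEA client ships, implements those rules with the defaults the request names; the event names, the `UnlockPolicy`/`ClientState` types and the state-reset behaviour on a successful second factor are assumptions.

```python
# Added example (not privacyIDEA's own code): when to require the second factor on unlock.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class UnlockPolicy:
    grace_minutes: int = 240          # XX: skip the second factor within this window
    max_locks: int = 10               # XY: more locks than this ...
    lock_window_minutes: int = 60     # XZ: ... within this many minutes re-enables it
    max_failed_unlocks: int = 3       # YY: wrong passwords while the factor is disabled


@dataclass
class ClientState:
    last_second_factor: Optional[datetime] = None
    lock_timestamps: List[datetime] = field(default_factory=list)
    failed_unlocks: int = 0


# Events that override every other rule (assumed names).
ALWAYS_REQUIRE = {"boot", "resume_from_standby", "resume_from_hibernation"}


def second_factor_required(event: str, state: ClientState, policy: UnlockPolicy,
                           now: datetime) -> bool:
    """Fail closed: every branch that is unsure returns True."""
    if event in ALWAYS_REQUIRE:
        return True
    if event != "unlock":
        raise ValueError(f"unknown event {event!r}")
    if state.last_second_factor is None:
        return True
    if now - state.last_second_factor > timedelta(minutes=policy.grace_minutes):
        return True
    window_start = now - timedelta(minutes=policy.lock_window_minutes)
    recent_locks = sum(1 for t in state.lock_timestamps if t >= window_start)
    if recent_locks > policy.max_locks:
        return True
    if state.failed_unlocks >= policy.max_failed_unlocks:
        return True
    return False


def record_second_factor_success(state: ClientState, now: datetime) -> None:
    """A successful second-factor login restarts the grace window and clears counters."""
    state.last_second_factor = now
    state.failed_unlocks = 0
    state.lock_timestamps.clear()


def record_lock(state: ClientState, now: datetime) -> None:
    state.lock_timestamps.append(now)


def record_failed_unlock(state: ClientState) -> None:
    state.failed_unlocks += 1


if __name__ == "__main__":
    policy = UnlockPolicy()
    state = ClientState()
    t0 = datetime(2023, 1, 1, 8, 0)                       # constructed clock
    record_second_factor_success(state, t0)
    print(second_factor_required("unlock", state, policy, t0 + timedelta(hours=1)))   # False
    print(second_factor_required("boot", state, policy, t0 + timedelta(hours=1)))     # True
```

Keeping the lock timestamps as a list and counting only those inside the XZ window is what turns "10 locks in 1 hour" into a sliding window rather than a counter that has to be reset by a timer.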
  • Send correct QR-code image to client

    Send correct QR-code image to client

    The QR-code sent to the client after enrollment during validate/check was incorrect, it just contained the token secret without the necessary HOTP/TOTP parameter.

    opened by plettich 1
Releases(v3.8)