Multi factor authentication system (2FA, MFA, OTP Server)


privacyIDEA is an open solution for strong two-factor authentication with OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you can enhance your existing applications such as local login (PAM, Windows Credential Provider), VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication, boosting the security of the applications you already run.

Overview

privacyIDEA runs as an additional service in your network and you can connect different applications to privacyIDEA.

privacyIDEA does not bind you to any particular authentication protocol, nor does it dictate where your user information has to be stored. This is achieved by its completely modular architecture. privacyIDEA is open not only in terms of its modular architecture: it is also fully licensed under the AGPLv3.

It supports a wide variety of authentication devices like OTP tokens (HMAC, HOTP, TOTP, OCRA, mOTP), Yubikey (HOTP, TOTP, AES), FIDO U2F, as well as FIDO2 WebAuthn devices like Yubikey and Plug-Up, smartphone Apps like Google Authenticator, FreeOTP, Token2 or TiQR, SMS, Email, SSH keys, x509 certificates and Registration Codes for easy deployment.

privacyIDEA is based on Flask and SQLAlchemy as the Python backend. The web UI is based on AngularJS and Bootstrap. A MachineToken design lets you assign tokens to machines, so you can use your Yubikey to unlock LUKS, assign SSH keys to SSH servers or use offline OTP with PAM.

You may join the discourse discussion forum to give feedback, help other users, discuss questions and ideas: https://community.privacyidea.org

Setup

To set up the system for production use, please read the install instructions at privacyidea.readthedocs.io.

If you want to set up a development environment, start like this:

git clone https://github.com/privacyidea/privacyidea.git
cd privacyidea
virtualenv venv
source venv/bin/activate
pip install -r requirements.txt

You may additionally want to set up your environment for testing, by adding the additional dependencies:

pip install -r tests/requirements.txt

You may also want to read the blog post about development and debugging at https://www.privacyidea.org/privacyidea-development-howto/

Getting and updating submodules

The client-side library for the registration and signing of WebAuthn credentials resides in a submodule.

To fetch all submodules for this repository, run:

git submodule update --init --recursive

When pulling changes from upstream later, you can automatically update any outdated submodules, by running:

git pull --recurse-submodules

Running it

First you need to create a config file.

Then create the database and encryption key:

./pi-manage createdb
./pi-manage create_enckey

If you want to keep the development database upgradable, you should stamp it to simplify later updates:

./pi-manage db stamp head -d migrations/

Create the key for the audit log:

./pi-manage create_audit_keys

Create the first administrator:

./pi-manage admin add <username>

Run it:

./pi-manage runserver

Now you can connect to http://localhost:5000 with your browser and login as administrator.

Run tests

If you have followed the steps above to set up your environment for testing, running the test suite should be as easy as running pytest with the following options:

python -m pytest -v --cov=privacyidea --cov-report=html tests/

Contributing

There are a lot of different ways to contribute to privacyIDEA, even if you are not a developer.

If you found a security vulnerability please report it to [email protected].

You can find detailed information about contributing here: https://github.com/privacyidea/privacyidea/blob/master/CONTRIBUTING.md

Code structure

The database models are defined in models.py and tested in tests/test_db_model.py.

Based on the database models there are two libraries: lib/config.py, which is responsible for the basic configuration held in the database table config, and lib/resolver.py, which provides functions for the database table resolver. The latter is tested in tests/test_lib_resolver.py.

Based on the resolver there is the library lib/realm.py which provides functions for the database table realm. Several resolvers are combined into a realm.

Based on the realm there is the library lib/user.py which provides functions for users. There is no database table user, since users are dynamically read from the user sources like SQL, LDAP, SCIM or flat files.

Versioning

privacyIDEA adheres to Semantic Versioning.

Comments
  • Validity Format

    Versions

    privacyIDEA: 2.17

    Installation method:

    • from source / github

    more details:

    OS: AmazonLinux

    Webserver: nginx

    Tokendatabase: PostgreSQL

    ======

    Hi Cornelinux,

    We are seeing some issue with the Validity Period settings:

    1. WebUI format mismatch with database: If you try to select a date from the calendar only, the date format string shown in the UI as a result is DD/MM/YY, and it is recorded fine as DD/MM/YY in the token info (database).

    However, if you try to select a date from the calendar and then insert a time string after, the date/time format shown in the UI is DD/MM/YY hh:mm, yet is recorded as MM/DD/YY hh:mm in the token info (database)

    This is very confusing for user experience. The calendar selection format should agree with the string entering format.

    2. Timezone: The time entered in the webUI is likely the local time zone of the user (for example PST), but it is always converted to GMT when saved in the database. And when the user authenticates, it is matched in the local time zone against the literally saved validity time in the token info.

    For example: If the validity is entered as 08/03/17 04:43 (PST), it will be saved as 03/08/17 11:43 in the token info, and displayed in token details as so. (date and month is switched, and time is converted to GMT)

    Provided that I manually fix the date so that the token info now is 08/03/17 11:43 (GMT): when a user authenticates at 11:00 PST it fails due to being outside of the validity window, because it is matched against the literal 11:43 GMT in the token info.

    Because no timezone is shown, it is further confusing, especially for organizations that have users across multiple timezones.

    I am not sure if I may be missing some configuration to adjust this issue. I am looking forward to your input!

    Thank you.

    Type: Known issue 
    opened by quynh-axiadids 23
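The failure mode in the report above, as an added example that is not privacyIDEA's own code: comparing a naive local wall-clock time against a validity window that was stored as UTC without any marker locks the user out on one side of the window and leaves the token valid too long on the other, while a timezone-aware comparison gets both right. The window, the user's zone (UTC-7, the offset implied by the report's 04:43 to 11:43 pair) and the authentication times are constructed.

```python
"""Added example, not privacyIDEA's own code: a naive local-time comparison
against a UTC-stored validity window goes wrong in both directions; the
timezone-aware check avoids it.  All values are constructed."""
from datetime import datetime, timedelta, timezone

STORED_FORMAT = "%d/%m/%y %H:%M"          # DD/MM/YY hh:mm, as in the report
# Constructed window, stored without any timezone marker but meant as UTC.
VALIDITY_START = "08/03/17 11:43"
VALIDITY_END = "08/03/17 20:00"

# Assumed user zone: the report's 04:43 -> 11:43 pair implies UTC-7.
USER_TZ = timezone(timedelta(hours=-7), "user-local")


def _parse(value: str, tz=None) -> datetime:
    dt = datetime.strptime(value, STORED_FORMAT)
    return dt.replace(tzinfo=tz) if tz else dt


def naive_in_window(local_wall_clock: datetime) -> bool:
    """Problematic: compare the user's local wall-clock time literally against
    the stored strings, ignoring that those strings are UTC."""
    now = local_wall_clock.replace(tzinfo=None)
    return _parse(VALIDITY_START) <= now < _parse(VALIDITY_END)


def aware_in_window(now: datetime) -> bool:
    """Correct: tag the stored values as UTC and convert 'now' to UTC first.
    A naive 'now' is rejected outright instead of being silently guessed."""
    if now.tzinfo is None:
        raise ValueError("refusing to evaluate a naive datetime")
    now_utc = now.astimezone(timezone.utc)
    start = _parse(VALIDITY_START, timezone.utc)
    end = _parse(VALIDITY_END, timezone.utc)
    return start <= now_utc < end


def demo() -> dict:
    """Two authentications on 8 March 2017, given in the user's local zone."""
    lockout = datetime(2017, 3, 8, 11, 0, tzinfo=USER_TZ)   # 18:00 UTC: inside
    overrun = datetime(2017, 3, 8, 14, 0, tzinfo=USER_TZ)   # 21:00 UTC: expired
    return {
        "lockout_naive": naive_in_window(lockout),   # False: user wrongly rejected
        "lockout_aware": aware_in_window(lockout),   # True
        "overrun_naive": naive_in_window(overrun),   # True: token wrongly still valid
        "overrun_aware": aware_in_window(overrun),   # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```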
  • Cron runner

    We need to be able to define recurring tasks every minute, 5 minutes, hour...

    This can be used to

    • process statistics counters (#990)
    • rotate audit
    • clean-up user cache
    • measure other counters based on sql statements (like counting all unassigned hardware tokens, #986)

    Such cron definitions would consist of

    • time to repeat the task
    • condition
    • module to handle the task

    This could be implemented in a similar modular way like the event handler.

    Type: Enhancement Topic: Monitoring 
    opened by cornelinux 22
  • adding activated policies to the audit log

    Split from #829

    I think this is also a good idea! If we do not want to change the audit table schema, we could also add a DEBUG logging output that sums up the activated policies for each request in a first step.

    On the technical side, I think we have to differentiate between pre- and postpolicies:

    I noticed that the prepolicies all return True in any case, but the return value doesn't seem to be processed. Couldn't we use the return value to indicate whether the policy was activated? The prepolicy decorator could then construct a list of activated policies in the request context (e.g. g.activated_prepolicies), i.e. a list of all policy functions that returned True. For postpolicies, it seems to be a bit harder because they return the new response. Maybe the postpolicy decorator could check whether the response was modified by the postpolicy? (e.g. if new_response != old_response or new_response.data != old_data: ...). Or we make this explicit and add a function announce_policy_activation() or something like that. We would just need to insert calls to that function at the right places.

    Type: Enhancement Topic: Audit Topic: Policy 
    opened by cornelinux 22
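One way to realise the approach sketched in the comment above, as an added example that is not privacyIDEA's own code: a prepolicy decorator appends the name of every policy function that returns True to a per-request list, and a postpolicy decorator counts a policy as activated when the response it returns is a different object or has a different body than the one it received. The request-global `g`, the policies, the request dicts and the response objects are constructed stand-ins (a Flask app would use flask.g).

```python
"""Added example, not privacyIDEA's own code: recording activated pre- and
postpolicies in a per-request context so they can go to the audit log or be
emitted at DEBUG level.  Policies, requests and responses are constructed."""
import functools
import logging
from types import SimpleNamespace

log = logging.getLogger("policy")
# Stand-in for Flask's per-request global `g` (assumed; flask.g in a real app).
g = SimpleNamespace(activated_prepolicies=[], activated_postpolicies=[])


def prepolicy(func):
    """Run a prepolicy and remember it when it reports True (= it acted)."""
    @functools.wraps(func)
    def wrapper(request, *args, **kwargs):
        activated = bool(func(request, *args, **kwargs))
        if activated:
            g.activated_prepolicies.append(func.__name__)
        return activated
    return wrapper


def postpolicy(func):
    """Run a postpolicy; it counts as activated when it returned a different
    response object or changed the response body."""
    @functools.wraps(func)
    def wrapper(request, response, *args, **kwargs):
        old_data = response.data
        new_response = func(request, response, *args, **kwargs)
        if new_response is not response or new_response.data != old_data:
            g.activated_postpolicies.append(func.__name__)
        return new_response
    return wrapper


@prepolicy
def require_pin_on_enroll(request):
    # Constructed rule: enrollment requests without a PIN get one demanded.
    if request.get("action") == "enroll" and "pin" not in request:
        request["pin_required"] = True
        return True
    return False


@prepolicy
def restrict_token_type(request):
    # Constructed rule: only HOTP and TOTP tokens may be enrolled.
    if request.get("action") == "enroll" and request.get("type") not in ("hotp", "totp"):
        request["rejected"] = True
        return True
    return False


@postpolicy
def hide_serial_on_failure(request, response):
    # Constructed rule: strip the serial from failed authentication responses.
    if request.get("action") == "check" and '"result": false' in response.data:
        return SimpleNamespace(data=response.data.replace('"serial": "TOTP0001", ', ""))
    return response


def process(request: dict, response_data: str) -> dict:
    """Reset the context, run all policies and return what an audit entry
    could record alongside the request."""
    g.activated_prepolicies, g.activated_postpolicies = [], []
    for policy in (require_pin_on_enroll, restrict_token_type):
        policy(request)
    response = hide_serial_on_failure(request, SimpleNamespace(data=response_data))
    log.debug("prepolicies=%s postpolicies=%s",
              g.activated_prepolicies, g.activated_postpolicies)
    return {
        "prepolicies": list(g.activated_prepolicies),
        "postpolicies": list(g.activated_postpolicies),
        "response": response.data,
    }
```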
  • NoneType object has no attribute 'split' error while viewing user details

    Since last update to version 2.15 we have seen the following notification when viewing user information:

    This occurs now and then and only started after the last update. Closing the browser and logging back on seems to resolve the issue temporarily.

    opened by MaRRiK74 22
  • Add Audit Module, that does SQL Audit _and_ Audit to file

    We need the possibility to write audit logs to the SQL audit and to a file.

    We either could

    • create a new audit module, that does both, inherited from SQLAudit
    • enhance the SQLAudit module
    • or allow the audit framework to write to multiple audit modules in parallel (sqlaudit and fileaudit)

    Prio: High Type: Main feature 
    opened by cornelinux 21
  • HTTP UserId Resolver support

    Is your feature request related to a problem? Please describe.

    Currently, pi supports sql, ldap, passwd and scim user resolvers. A useful case for microservices is retrieving users from an external API. For example, http://domain.com/users/<userId>

    Describe the solution you'd like

    • What is the purpose of the resolver

    Use a third party HTTP API for retrieving user data without following the SCIM specs.

    • How it works

    Since PI does not store users, it uses resolvers like LDAP, SCIM, SQL, etc. Today, there is no way to resolve user information through an API but SCIM. SCIM uses an authorization server to authenticate the request, HTTP resolver will not. HTTP resolver could authenticate users via Authorization headers instead.

    • How it is configured

    The user would create an HTTP resolver by only adding an HTTP endpoint under the Add httpresolver UI. The endpoint must contain the '%s' symbol, which pi will replace with the userId.

    Describe alternatives you've considered

    Add inversion of control so that the user is able to create custom resolvers instead of modifying pi code directly.

    Additional context

    Topic: Resolver 
    opened by brunocascio 20
  • 2step enrollment with privacyidea authenticator

    The two step enrollment has to work with the privacyIDEA authenticator.

    See

    • https://github.com/privacyidea/privacyidea-authenticator/issues/4
    • https://github.com/privacyidea/privacyidea-authenticator/issues/5

    These things have to be done on the server side:

    1. Implement the better key generation function based on pbkdf2
    2. Create testvectors for the key generation, so that we can have tests on server side and on app side
    3. Allow to choose 2step enrolment in enrollment ui. In case of 2step enrollment the enrollment ui needs to display an entry field (for the nonce) in addition to the QR code.
    4. Add configuration option for
      • information to be put into the QR code (?pin=true, ?2step=true)
      • if at all/how and when to use 2step, so that not the admin or user chooses to enroll 2step but a policy defines this. The config options are probably best defined in an enrollment policy.

    Type: Enhancement Topic: Token Type: Main feature 
    opened by cornelinux 20
  • After upgrade there are LDAPresolver errors

    What did you try to do?

    I wanted to upgrade privacyIDEA from version 2.11.3 to the newest 2.19 or 2.18.1 version. I did everything as written on this website: http://privacyidea.readthedocs.io/en/latest/installation/upgrade.html but after upgrading I discovered problems with the ldapresolver.

    What outcome did you expect?

    What do you think, how the system should have worked?

    Update should work without any problem.

    What did actually happen?

    Users from Active Directory are not able to log in via VPN because of errors. The second issue is that privacyIDEA is running in debug mode after the update, but in the config file the level is still set to INFO.

    Configuration

    • privacyIDEA Version: 2.11.3 -> 2.19

    • Installation method: pip install in virtualenv

    more details:

    • OS: CentOS 7

    • Webserver: HTTPD 2.4.6-31.el7

    • Tokendatabase: 5.5.44-MariaDB

    Log file

    Update LOG: update.txt

    Database update LOG: update_db.txt

    privacyidea.log:

    [2017-06-26 11:30:14,202][3303][139998652352256][ERROR][privacyidea.lib.token:424] User information can not be retrieved: 'ascii' codec can't encode character u'\u0144' in position 27: ordinal not in range(128)
    [2017-06-26 11:30:14,202][3303][139998652352256][ERROR][privacyidea.lib.token:424] User information can not be retrieved: 'ascii' codec can't encode character u'\u0144' in position 27: ordinal not in range(128)
    [2017-06-26 11:30:14,793][3303][139998652352256][ERROR][privacyidea.lib.token:424] User information can not be retrieved: 'ascii' codec can't encode character u'\u0144' in position 14: ordinal not in range(128)
    [2017-06-26 11:30:14,793][3303][139998652352256][ERROR][privacyidea.lib.token:424] User information can not be retrieved: 'ascii' codec can't encode character u'\u0144' in position 14: ordinal not in range(128)

    Topic: LDAP Status: Waiting for feedback 
    opened by ghost 20
  • Deterministic installations with pinned dependencies

    Currently, this is just an idea and I would be interested in your opinions :-)

    There are currently three ways to install privacyIDEA (please correct me if I'm wrong):

    • via native distribution packages, currently only Ubuntu
    • via distribution packages using virtualenv (e.g. centos and debian-virtualenv)
    • manually in a virtualenv via pip install privacyidea

    In the past, we often had problems when there were new versions of dependencies which were incompatible with our codebase (e.g. ldap3/pyasn #912).

    This can still happen, e.g. assume there is a dependency X which releases a new version 1.1 today that is incompatible with privacyIDEA 2.22. Then, all users who use pip install privacyidea today to install privacyIDEA 2.22 will get the newest version 1.1 of dependency X, which will cause problems, and will need to manually downgrade X to get a working installation. We can react by putting X<1.1 in our setup.py, but this requires us to make a new release.

    In case of Ubuntu packages, the package repositories don't get updated too often, so the risk of incompatible new versions is pretty low here. The risk is higher for virtualenv packages and pip installations, because privacyidea-pip-update will upgrade all installed dependencies to their latest versions by default (though we can still explicitly exclude versions in setup.py).

    So it might be nice to have "deterministic" installations in the sense that all versions of dependencies installed on users' machines are pinned and known to work with our current stable version.

    Currently, I'm not sure how to do that nicely: Putting pinned dependencies in setup.py is discouraged. requirements.txt contains pinned versions, but pip install privacyidea installs dependencies from setup.py, not requirements.txt.

    What do you think? :)

    Type: Idea! 
    opened by fredreichbier 19
  • Policies could be dependent on any user attribute

    The conditions for a policy and event handler to apply could depend on any arbitrary user attribute (like a group membership)

    See https://community.privacyidea.org/t/resolver-and-user-token-relation/941

    Type: Idea! Prio: High Topic: Policy Type: Main feature 
    opened by cornelinux 18
  • Statistics and dashboard

    Use RRDTool for data in time series.

    https://oss.oetiker.ch/rrdtool/prog/rrdpython.en.html

    We can do timeseries over:

    • successful authentications (all or per user, serial, resolver, realm)
    • failed authentications (all or per user, serial, resolver, realm)
    • API calls (all or per user)
    • users, who issued calls
    • ...

    Layer: UI Topic: Monitoring 
    opened by cornelinux 17
  • Update to 3.8 fails with `relation "customuserattribute_seq" already exists`

    Top-level intent

    I tried to upgrade my PI instance from 3.7.4 to 3.8.

    Steps to reproduce

    1. Install PI at version 3.7.4
    2. Update to 3.8
    3. Run pi-manage db upgrade

    Expected outcome

    Upgrade working fine without any issues.

    Actual outcome

    DB migration failed like this:

    (psycopg2.errors.DuplicateTable) relation "customuserattribute_seq" already exists

    Context

    This was probably introduced by #3384 which also creates the db sequence customuserattribute_seq even though the corresponding data-structures seem to exist since 3.6 which seems questionable on its own already.

    I just installed another instance of PrivacyIDEA at version 3.7.4 and on that instance the sequence customuserattribute_seq also existed already, so updating this test instance to 3.8 would cause the same problem.

    Configuration

    • privacyIDEA version: 3.7.4, issue occurred while upgrading to 3.8
    • Installation method: NixOS module (services.privacyidea
    • Python version: 3.9.16
    • Operating system: NixOS
    • Webserver: nginx
    • Token database: PostgreSQL 13.9

    Log file

    n/a

    Type: Possible bug 
    opened by Ma27 0
  • 2 possible image fields in the challenge

    Hi,

    as I see, the server response has 2 image fields. One is called image (new, to show the QR Code) and another called img, which can contain any image assigned to the given challenge.

    Can you consider using only one field for both of these? That will make our work easier and cleaner. And though, by token enrollment, we don't need to show any other image than this QR Code. E.g.: if "qrcode" is not empty -> replace the "img"

    Or maybe I miss something?

    Type: Possible bug 
    opened by lukasmatusiewicz 0
  • Do not require second factor when unlocking system for certain amount of time after having used it last

    We'd like to introduce PrivacyIdea in our environment, mainly to secure local Windows logins, but during brainstorming people quickly raised the issue that they'd get very annoyed with it if they had to enter their second factor every time they unlock their computer.

    We've got a system policy set that locks a computer after X number of minutes of inactivity, and because of that a bunch of people would be forced to enter not only their password, but also their second factor multiple times per day. We do not want to disable the second factor for unlocking the system entirely though. We just want it to not be required every time the system is unlocked.

    Our idea to combat this was to basically set things up in a way that will make the second factor absolutely mandatory if the system has been (these rules beat any others):

    • just booted
    • woken from standby (suspend to ram)
    • woken from hibernation (suspend to disk)

    However, if the system was only locked then the client should NOT require the second factor if the following condition is met:

    • the user is just unlocking the system within XX minutes after having last used the second factor for login (or unlocking if XX had already expired before; we considered a value of something like 4 hours for XX; though obviously that should be configurable)

    Further, the system should fall back to requiring the second factor under certain circumstances even if XX has not expired yet:

    • If the system has been locked more than XY times in the last XZ minutes (our default was 10 times in 1 hour; both values should be configurable)
    • If the user has entered a wrong password YY times while trying to unlock the system with the second factor disabled (our default value here was 3; again should be configurable)

    I've got the whole ruleset written down as a Powershell script that gets executed by a scheduled task triggered on a number of eventlog IDs from the system and security eventlogs. Following the rules outlined above the script then modifies the "cpus_logon" and "cpus_unlock" registry keys to either enable or disable the second factor requirement. It also keeps track (in the registry) of when the second factor was last used (to calculate when XX has expired), when it was locked (MultiString with a list of timestamps) and the number of unlocks to calculate when XY in XZ is exceeded, and obviously the number of failed unlocks to re-enable the second factor again after YY is exceeded.

    The whole thing works but it adds an additional level of complexity I'd rather avoid if possible. However, we feel it is necessary to add such a feature to get not only our users but also management and VIPs on board with introducing PrivacyIDEA in our environment.

    Instead of having a custom Powershell script trigger on eventlog entries I'd much rather have the client natively support all these features and pull the configured values (XX, XY, XZ and YY) from a central configuration point allowing us to easily change and adjust values.

    Is this something you could/would consider to implement? Would be very much appreciated and surely very useful not only to us but others as well. On top of that it would add a nice feature to the list that other competitors in this field might not have and set PrivacyIDEA apart in that regard.

    Type: Feature request 
    opened by kheldorn 1
  • Send correct QR-code image to client

    The QR-code sent to the client after enrollment during validate/check was incorrect, it just contained the token secret without the necessary HOTP/TOTP parameter.

    opened by plettich 1
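The defect described above is that the QR code carried a bare secret instead of a complete Key URI. As an added example that is not privacyIDEA's own code, the block builds an otpauth:// URI (the Google Authenticator Key URI format) for an enrolled HOTP or TOTP token and validates a URI before it is rendered into a QR code, so a bare secret or a URI lacking the counter or period parameter is caught server-side. The seed, label and issuer are constructed.

```python
"""Added example, not privacyIDEA's own code: build an otpauth:// Key URI for
an HOTP/TOTP token and validate one before it is turned into a QR code.
The seed and label below are constructed sample values."""
import base64
from typing import List
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Constructed sample: a 20-byte seed, the size used with SHA-1 HOTP/TOTP.
SEED = bytes(range(1, 21))
LABEL = "privacyIDEA:alice@example.com"   # assumed issuer:account label

# Parameters an authenticator app needs beyond the secret, per token type.
REQUIRED = {"hotp": ("secret", "counter"), "totp": ("secret", "period")}


def key_uri(token_type: str, seed: bytes, label: str, *, digits: int = 6,
            algorithm: str = "SHA1", counter: int = 0, period: int = 30) -> str:
    """Return otpauth://TYPE/LABEL?secret=...&issuer=...&algorithm=...&digits=...
    plus counter= (HOTP) or period= (TOTP)."""
    if token_type not in REQUIRED:
        raise ValueError(f"unsupported token type {token_type!r}")
    params = {
        "secret": base64.b32encode(seed).decode().rstrip("="),
        "issuer": label.split(":", 1)[0],
        "algorithm": algorithm,
        "digits": str(digits),
    }
    if token_type == "hotp":
        params["counter"] = str(counter)
    else:
        params["period"] = str(period)
    return f"otpauth://{token_type}/{quote(label)}?{urlencode(params)}"


def validate_key_uri(uri: str) -> List[str]:
    """Return the list of problems found; an empty list means the URI is usable.
    A QR payload that is only the base32 secret fails on the scheme check."""
    problems = []
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        return [f"scheme is {parsed.scheme!r}, expected 'otpauth'"]
    token_type = parsed.netloc.lower()
    if token_type not in REQUIRED:
        return [f"unknown token type {token_type!r}"]
    if not parsed.path.strip("/"):
        problems.append("missing label")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    for name in REQUIRED[token_type]:
        if name not in query:
            problems.append(f"missing parameter {name!r}")
    secret = query.get("secret", "")
    try:
        padded = secret + "=" * (-len(secret) % 8)
        if not base64.b32decode(padded, casefold=True):
            problems.append("empty secret")
    except Exception:
        problems.append("secret is not valid base32")
    if query.get("algorithm", "SHA1").upper() not in ("SHA1", "SHA256", "SHA512"):
        problems.append("unsupported algorithm")
    if query.get("digits", "6") not in ("6", "8"):
        problems.append("digits must be 6 or 8")
    return problems


if __name__ == "__main__":
    uri = key_uri("totp", SEED, LABEL)
    print(uri, validate_key_uri(uri))
    # The buggy payload from the report: only the secret, no parameters.
    print(validate_key_uri(base64.b32encode(SEED).decode()))
```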