configure FreeRADIUS rlm_rest module in CentOS - freeradius

I want to construct a 2 factor authentication system using freeRADIUS for proxy and privacyIDEA for authentication in server. I read some documents about freeRADIUS and privacyIDEA, and find that rlm_rest module could be helpful for this. I find this document in privacyIDEA webside:
http://privacyidea.readthedocs.io/en/master/application_plugins/rlm_rest.html#rlm-rest
and it just show how to install rlm_rest module in Ubuntu using apt-get, but my server is CentOS 7. So my first question is:
How to install the required packages of rlm_rest module in CentOS?
After that ,the document shows the configuration steps:
The authentication type needs to be configured in the /etc/freeradius/users file:
DEFAULT Auth-Type := rest
and the site configuration should invoke the module as follows:
authenticate {
Auth-Type rest {
rest
}
digest
unix
}
And I don`t know where I should invoke the “authenticate {…}”module? Does it should be write in /etc/freeradius/users ? This is my second question.
Could you please give me some advice or some references? Any help will be appreciate.

The authenticate section goes to your site configuration.
Also on CentOS this would be located in /etc/raddb/sites-enabled, which is linked to sites-available.
You should consider using the rlm_perl module, since this is more flexible.
http://privacyidea.readthedocs.io/en/master/application_plugins/rlm_perl.html#rlm-perl

Related

Freeradius using Google LDAP error with rlm_options

I've got a fresh freeradius server and I'm trying to set it up with Gsuites LDAP service for authentication using the instructions set here:
https://support.google.com/cloudidentity/answer/9089736?hl=en&ref_topic=9173976#zippy=%2Cfreeradius
Debug mode worked prior to installing and configuring the ldap module. I've gone through and checked my settings, when I start freeradius in debug mode I receive the error:
/etc/freeradius/3.0/mods-enabled/ldap[496]: Failed to link to module 'rlm_options': /usr/lib/freeradius/rlm_options.so: cannot open shared object file: No such file or directory
I'm unclear on what that file is or why it's missing. Searching documentation I haven't found any reference to the file.
Line 496 in the ldap file seems to refer to the options { breadcrumb section.
Curious if anybody can point me in the right direction, or if I just comment out the options section.

Trouble Enabling SSL on Fuseki Server

I'm hoping some of you may be able to help me with setting up SSL on my fuseki server. I've been battling with it for a few days now and am running out of possible solutions!
OS: RHEL 8.5 (Ootpa)
Fuseki: Version 4.2.0
Currently running as system service with:
ExecStart=/home/fuseki/apache-jena-fuseki-4.2.0/fuseki-server -v -tdb2 -update -config=/home/fuseki/fuseki_data/config.ttl
This is the manual I've been working with- https://jena.apache.org/documentation/fuseki2/fuseki-data-access-control.html
The following are the provided arguments to add in the startup sequence of fuseki-server.
–https=SETUP [Name of file for certificate details.]
& –httpsPort=PORT [The port for https. Default: 3043]
The --https argument names a file in JSON which includes the name of
the certificate file and password for the certificate.
The issue is that no matter how I phrase the arguments the process returns "fuseki-server[9469]: Unknown argument: https" in the journalctl logs.
I have tried -https=dir, --https=dir, & -httpsConf=dir (where dir is the directory to my cert_details.json file).
Based on the docs https should have native support but when I check fuseki-server -help there is no mention of an https argument. I have created a .jks from my cert, have set the correct file permissions, and have allowed 3043.
I have also located the block of code in fuseki that resolves the keystore and passwd from the .json file (which led me to try using -httpsConf=)
private void setHttpsCert(String filename) {
try {
JsonObject httpsConf = JSON.read(filename);
Path path = Path.of(filename).toAbsolutePath();
String keystore = httpsConf.get("keystore").getAsString().value();
// Resolve relative to the https setup file.
this.httpsKeystore = path.getParent().resolve(keystore).toString();
this.httpsKeystorePasswd = httpsConf.get("passwd").getAsString().value();
Not sure what I'm missing here. For what it's worth I'm a chemist and I definitely don't know java all that well so it very well could be me being stupid. Any suggestions/knowledge would be greatly appreciated.
there are two ways to get HTTPS+Fuseki:
The document referred to is for the jar file here: https://repo1.maven.org/maven2/org/apache/jena/jena-fuseki-server/4.2.0/jena-fuseki-server-4.2.0.jar, not the jar in the apache-jena-fuseki download. (BTW It does not have the UI.)
The one in the apache-jena-fuseki can be use HTTPS by using a Jetty configuration using --jetty=jetty.xml (https://www.eclipse.org/jetty/documentation/current/jetty-xml-config.html) -- example: https://github.com/apache/jena/blob/main/jena-fuseki2/examples/fuseki-jetty-https.xml (which will need modifying).

Debug authentication of Bazel's http_file

I want to fetch some data in Bazel over HTTP. There's a http_file method that looks like what I want. The remote server I'm fetching from uses authentication, so I've written it as
load("#bazel_tools//tools/build_defs/repo:http.bzl", "http_file")
http_file(
name = "data_file",
urls = ["https://example.com/data.0.1.2"],
sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
downloaded_file_path = "data_file",
)
When I try the build, I get
WARNING: Download from https://example.com/data.0.1.2 failed: class com.google.devtools.build.lib.bazel.repository.downloader.UnrecoverableHttpException GET returned 401 Unauthorized
Followed by fatal errors because the file doesn't exist.
The error makes me think that I'm not authenticating correctly. I have a .netrc file and curl is able to use it to fetch the file.
Is there a way for me to debug? If it was curl, I would pass -v and see the auth header being sent with the request. I'm not sure if bazel is failing to send any authentication or if it's incorrect.
Running Bazel 3.2.0 on Mac OS (Darwin 19.6.0) and on Linux (Ubuntu 18.04).
HTTP 401 indeed sounds like incorrectly or not at all authenticated. .netrc should be supported and recognized. If not explicitly specified with netrc attribute, ${HOME}/.netrc would be tried if HOME is in the environment and bazel runs on non-Windows host (this has been the case since bazel 1.1; and shortly in 0.29) or %USERPROFILE%/.netrc if the variable is in the environment and running on Windows (this has been the case since 3.1). At the risk of stating the obvious, the .netrc should be owned by the same UID under which the process using it runs and its permbits should be 0600. If authentication methods other then http basic are needed, auth_patterns attribute needs to be used to configure that.
I am not aware of there being any ready made repository rule debugging facility such as CLI flag, but in this case it should be viable to copy the implementation of of the rule and functions it uses from tools/build_defs/repo, instrument it to get debugging info from it and use that for the purpose. For starters perhaps just print(auth) of what auth = _get_auth(ctx, all_urls) yielded to see if the that rule got the right idea about how to talk to host in question. It should be a dict with type, login, password information for each individual urls entries. The magic itself happens in use_netrc.

Keycloak Unknown authentication mechanism

I need help with using keycloak in an Errai app. I am getting an error about "unknown authentication method" for "KEYCLOAK" ? I have the keycloak-appliance running (on a different port though), and the Errai app has a with KEYCLOAK in the web.xml file inside WEB-INF
When I run the Errai app with mvn gwt:run, I get : RuntimeException caused by "Unknown authentication mechanism KEYCLOAK". I have no idea how to go around this issue .
Just wanted to add a little more detail to #cfsnyder's answer. In order for your application server to recognize a definition in the web.xml that looks like this:
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>internal</realm-name>
</login-config>
you'll need to tell jboss (in this instance) how to interpret that particular auth method. At the time of my answer, this is in section 8.2 of the Keycloak docs.
First, download the keycloak adapter (remember, this is not the same as the Keycloak Server). Next, unzip the download in the wildfly home directory. With your application server running, just use the following command to install the Keycloak configuration into the appropriate files:
jboss-cli.sh -c --file=adapter-install.cli
When this script completes, your configuration file will have the new entry added to accommodate the KEYCLOAK entry in your web.xml. The script will add something like this to either a domain.xml or standalone.xml:
<security-domain name="keycloak">
<authentication>
<login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
</authentication>
</security-domain>
Once you have the Keycloak module files provided by the adapter + the security domain configuration to link the KEYCLOAK method to the appropriate LoginModule, you should be all set.
You will need to install and configure the Wildfly adapter in order for your Errai app to recognize the "KEYCLOAK" authentication method. See section 7.2 of the Keycloak documentation.
To add to #josh-cain's answer, you might also need following additions in your domain.xml or standalone.xml:
To <extensions></extensions>, add:
<extension module="org.keycloak.keycloak-adapter-subsystem"/>
To <profile></profile>, add:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
The adapter installation cli scripts can fail for various reasons so you might need to add these entries manually.

jetty 9: setting up the most basic SSL / https

NOTE: If you want to see the behaviour of this demo app, just go to www.collaborativepowernowinternational.us. Here, select the testssl.PersonController, and you may create a person. Then go and edit the person, where the SSL channel is designated, which will give a redirect loop.
It seems like with Jetty 9 more configuration items went into the start.ini file, I have version 9.05.
In order to test the most basic SSL/https, I am uncommenting the following lines in start.ini:
#===========================================================
# SSL Context
# Create the keystore and trust store for use by
# HTTPS and SPDY
#-----------------------------------------------------------
jetty.keystore=etc/keystore
jetty.keystore.password=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
jetty.keymanager.password=OBF:1u2u1wml1z7s1z7a1wnl1u2g
jetty.truststore=etc/keystore
jetty.truststore.password=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
jetty.secure.port=8443
etc/jetty-ssl.xml
#===========================================================
# HTTPS Connector
# Must be used with jetty-ssl.xml
#-----------------------------------------------------------
jetty.https.port=8443
etc/jetty-https.xml
No other Jetty configuration changes. I then built the most basic Grails app (has a Person class) where I set certain controller actions to secure, which works fine on my development machine using an older built in Jetty version (that Grails includes). This is done simply by including spring-security-core and then adding the following lines to a configuration file:
grails.plugins.springsecurity.secureChannel.definition = [
'/person/list': 'REQUIRES_INSECURE_CHANNEL',
'/person/delete/**': 'REQUIRES_SECURE_CHANNEL',
'/person/edit/**': 'REQUIRES_SECURE_CHANNEL',
'/person/show': 'REQUIRES_INSECURE_CHANNEL'
]
grails.plugins.springsecurity.portMapper.httpPort=80
grails.plugins.springsecurity.portMapper.httpsPort=443
When I access the person/edit action I get a redirect loop in the browser (using deployed WAR file to Jetty 9 on dedicated CentOs 6 machine). This is using the provided keystore that comes with Jetty 9, just uncommenting the lines in start.ini to use it.
The main Jetty SSL configuration page I'm reading is here. What isn't clear to me is, is updating the start.ini file enough? If not, how exactly does one add the lines in jetty-https.xml described in this previous link, i.e. the lines:
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<Set name="KeyStorePath"><Property name="jetty.home" default="." />/etc/keystore</Set>
<Set name="KeyStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
<Set name="KeyManagerPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
<Set name="TrustStorePath"><Property name="jetty.home" default="." />/etc/keystore</Set>
<Set name="TrustStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
</New>
Not sure how to add them, but they also seem a duplicate of the start.ini file lines above.
Can you please help help me get the most basic Jetty SSL running? Thanks much.
If not familiar with Grails, one can simply download it, then create a domain class -- there is a command line option for this. Then give it fields String firstName, String lastName. Then there are commands to generate a controller and views for it -- this is all totally automatic. Then one adds the plugin, spring-security-core. In chapter 16/17 of this doc and as I have shown, when lists which controller actions are secure, such as person/edit.
You actually have enough here for just the Jetty portion of this to be working using the default trial keystore we ship in Jetty 9.0.6 distribution.
Simply the blurb you have above is enough to make SSL work within Jetty. I downloaded the 9.0.6 distribution and uncommented those lines and it works. Well, I had to go into the start.d/demo.ini file and remove the last two lines with etc/jetty-ssl.xml and etc/jetty-https.xml because they would get run twice...but I digress.
If you start up Jetty you can navigate to https://localhost:8443 and it will complain about being an untrusted certificate and then load up the jetty distribution page.
Based on that I would say this is likely some sort of grails configuration issue that I sadly don't know the answer too, sorry.
Starting Jetty 9.1, things have changed, and you have to follow the instructions in here for things to look correct, per Jetty developers. Moreover, you are not supposed to change/delete/edit anything in ${jetty.home}'s directories. Here's what you need to do for a self-signed certificate based SSL/HTTPS on Jetty 9.1+:
(a) set up your environment variable $JETTY_HOME to point to where you installed your jetty tar bundle, say /opt/jetty/.
(b) Create a new directory, /tmp/myJettyApp, point it to $JETTY_BASE in your environment.
(c) cd to $JETTY_BASE
(d) Follow instructions in here:
/home/sonny $ cd $JETTY_BASE
/tmp/myJettyApp/ $ java -jar $JETTY_HOME/start.jar --add-to-startd=https,http2
(e) Set your port if you'd like:
/home/sonny $ cd $JETTY_BASE;
/tmp/myJettyApp/ $ java -jar $JETTY_HOME/start.jar jetty.ssl.port=8444
(f) And now, run jetty:
/tmp/myJettyApp/ $ java -jar $JETTY_HOME/start.jar
you will see that HTTPS is running at port 8444. Now, if you want to make jetty listen in the traditional HTTPS port, you have to use sudo to run:
/tmp/myJettyApp/ $ java -jar $JETTY_HOME/start.jar jetty.ssl.port=443
/tmp/myJettyApp/ $ sudo java -jar $JETTY_HOME/start.jar
Note that this already does the self-signed certs etc. automagically.
Now, if you want to generate your own self-signed certificate (say, because you want to modify the validity to an arbitrary large or small value, depending on your needs), follow the instructions in here, generate a new self-signed cert using keytool and then place it in $JETTY_BASE/etc/ and modify the $JETTY_BASE/start.d/ssl.ini for jetty.sslContext.keyStorePassword and jetty.sslContext.keyManagerPassword respectively. BTW, for the last two ssl.ini passwords, you can use the obfuscated plain text password you used when you ran keytool or use the plain text ones. If you want to obfuscate them, run {jetty.home} $ java -cp lib/jetty-util-9.3.6.v20151106.jar org.eclipse.jetty.util.security.Password "MyInterestingAndAwesomePassword"
Hope this helps someone.

Resources