Hello, my name is Josefine Zeifert, I'm from ZicklStack, and our work mainly focuses on security on the infrastructure-as-a-service level, and there we search for security features everywhere. In OpenStack we found a gem: multi-factor authentication. It's a little bit sparsely documented, and that's why I wanted to tell you today how to use multi-factor authentication in OpenStack Keystone. We will start with a recap of how authentication in Keystone works. After that I will come to the state of multi-factor authentication in Keystone, and I will show you how to configure MFA and what the usage workflow looks like. After this theory we come to a demo video, or better two demo videos, so I can show you how this works in real time. And after that I have a conclusion, and as you will see I will mainly focus on shortcomings, because the good part is simply that there is MFA in Keystone.

So let's start with how authentication in Keystone works. When a user normally authenticates, they use their specific username and their password, or they use LDAP as a login, and then Keystone issues a time-limited token for them. This token is used by other services, as you can see down there, to authenticate the user. If a user wants to create a new server, the user first goes to Keystone, authenticates, gets a token, and with that token the user goes to Nova and says: hey, here you have a token, please create a VM. Nova then checks with Keystone: hey, is this token valid, is that user authenticated? And if Keystone says yes, then Nova creates the VM. This may already sound a little bit difficult to some of you, but the OpenStack client and all the dashboards usually handle this process for you.

So what is different in multi-factor authentication? First, that there is not much documentation about it, so you have a lot to find out for yourself, and that it's only implemented in the API. So you cannot just go to Horizon or Skyline or the OpenStack client and type in that you want to use MFA; it just doesn't work. There are APIs for the admin, for setting all the MFA settings necessary, and for the user, to use this MFA for authentication. And as you see right there, the sequence diagram didn't really change; in theory it's just one more step.

How this is handled in the backend is that Keystone has user objects, and those user objects have MFA-related properties that enable MFA for each user, so that's user-specific. And also the combinations of authentication factors you can set per user. You can configure Keystone with TOTP; TOTP means time-based one-time password, and it's commonly used, for example, in Google Authenticator. The things you have to do as an administrator to set up MFA: at first, just the config, one time, which can be done when you deploy a cloud, and you add TOTP to the auth methods next to password and token, which are already there. Then, and that has to be repeated for every Keystone user who would like to use MFA, the administrator has to set those properties via the v3 users API, multi_factor_auth_enabled and multi_factor_auth_rules; you will see that later. Then the administrator has to register the TOTP shared secret for the user via the credentials API and generate a URI and QR code, so the user can register with an OTP app.

Here you can see it: as an admin, at first you have to enable MFA for the Keystone user and set the rules, then you create the secret and share it for the user, provide a URI including that shared secret, maybe as a QR code; you will see that in our demo. After that, the user can register the QR code and use the special authentication workflow on the CLI. Sounds pretty nice, sounds pretty easy. We will get through this in the demo. You just see green text as commentary, the yellow lines are the commands which are executed, and the white lines are the output.
Let's start with the first one. In the first one we follow the administrator role. We source our admin credentials, as you can see, so we are really our administrator. Then we create a project and a user for demo purposes. Here you can see a normal project creation and user creation; by the way, it's not recommended to just type in the password like this, it's just for demo purposes, because we will use that password later and you will recognize it. Now we add a role so the user can use his project, and we save the user ID. That was the easy part.

Now we will go into the API calls, and I will guide you through this. First of all, we export the auth token we get as administrator, because we need to provide it for the API call. There is the token, and we go to the users API for that specific user, and we set multi_factor_auth_enabled to true and we add the multi_factor_auth_rules. As you can see here, this is a set of rules, and it can be even more, it can be other things. For this user we chose that the user has to log in with password and with TOTP. Now we want to give the user access to the TOTP, or make it usable, and therefore we have to create a shared secret which we will make available for the user's app. We create it here and we register it in Keystone. Again, for every API command you need to provide a token, so we issue a new token here and do the API request. There we have our shared secret, and we set the type of the secret, it's totp, and we also set the user; here you can recognize the user ID we saved from the beginning where we created the user. Now OpenStack knows that shared secret. Now we have to make it available for the user also, so both ends know what the shared secret is, and therefore we generate the required OTP URI, there it is, and we use qrencode to transfer this URI into a QR code, which will be done next. And that was the part of the administrator.

As you can see, that admin has a lot of stuff to do, a lot of API calls, and that for each user. I don't think that would work. Now the user can approach us and use this QR code to register, and as you can see here we have done this. As you can see, the username is mfa-user@SecretStack.com; that was the username we registered, it was issued from Keystone, and there we have it, wonderful. That was only part one, because now the user has to actually work and authenticate with MFA every time, and what that feels like I will show you in the next video.

First of all, our user wants to just show his own user's site, or if the user would just want to create a server, they would fire a normal OpenStack command using OpenRC, but that won't work when MFA is enabled, and instead there will be an error message, because, as you can read, not all authentication methods were satisfied. Now we have a two-step process to use TOTP with the OpenStack client. First, as you can see here, we have to set some variables like in the OpenRC file for authentication, so you set username, project name, the auth URL where Keystone is, and we read the password; that's the password from before, we type it in. Now we need to acquire the TOTP passcode using the mobile device. We start our app, we get a one-time password, type it in, and now we can craft an API request to get the actual token. The request for the POST to /v3/auth/tokens is a little bit big, so we just have all the important lines here for MFA: we want to issue a token for identity, and we use the methods, as you can see, password and totp. Then for password it's just the user, the username, the password, and for totp we also have the username, and there is the passcode that we generated. As you can see, there's much more in this request which needs to be provided, but we cut it out here for better readability.
Now we get back a response, and that carries the authentication token. There it is; we can export this token and use it. Such tokens in Keystone by default have a lifespan of one hour, so for one hour you can use such a token to identify yourself against any OpenStack service. After that you would need a new token. But how to use that token in the OpenStack client? That's the next step. That means in the end we have to switch from the normal OpenRC and password-based authentication to token-based authentication for the rest of the session. We are unsetting a few things here that we don't need anymore, but we still need those: the interface, the auth type, and the other variables like project name are still active, and as you can see here these are our local variables. And now we can issue OpenStack client commands after having this. Yay, it worked.

So as you can see, this is a little bit difficult for a user, to fire API requests. The good thing is that it can be automated in scripts, and we have done this also with scripts. Again, we are in this session at the beginning and we have a not yet MFA-authenticated user. The first script is just for the token retrieval, where we enter our password, where we enter the TOTP authentication code, and we get back our token way faster, as you can see, and it does not require handling API requests on a command line. The second script is just another OpenRC, which is MFA user, which uses token-based authentication, and that will just act like a normal OpenRC file, and if you source that, then you can use it as shown.

As you have seen in these demos, there are a few downsides to this. The first of all is: why am I doing this on the console, why am I not showing you a fancy dashboard and doing this? Yeah, there is no dashboard integration, you don't have anything in Horizon or Skyline or any other thing, as far as I know.
So if you activate MFA for a user, that will definitely lock them out of every dashboard, so the user is forced to use the OpenStack client. But even if the user wants to use the OpenStack client, there is no proper CLI integration, unfortunately, and in the demo you can see there is a lot of fiddling with variables or scripting for the user, and a lot of API requests that an administrator has to fill out. And when the token expires, after the default of one hour for example, then you even get a bad user experience: the former command did work, you have for example created a VM, and now you wanted to do everything else, say a show on the VM, and you get "the request you've made requires authentication". You might think you're still authenticated because you have a token, but it is not valid anymore; that's the problem, it's not pretty clear to the user what's up. But the biggest problem we see here overall is that there's no self-service for the users, so there always has to be an administrator involved to create the shared secret, to register it, or to set the methods for authentication for each user, and the user has no insight into registered devices or the history. And another open question to conclude: we just created a shared secret and built a QR code from it, but how to securely handle this? I mean, we're talking about security if we are talking about MFA, so how to securely handle and transmit the shared secret? For example, web portals usually display such a QR code via HTTPS, and here that's just up to the administrator. These are some things we just wanted to put in here and give you a short overview of multi-factor authentication in Keystone and how it currently works, and if you want to try it for yourself, there's a guide; I put the scripts online too, so you can follow it like a tutorial and try it for yourself. Thank you very much, and if you have any questions, you're welcome to ask.

Audience member: Thanks for the walkthrough through the complex process; indeed it is. But I wonder, why didn't you use the functionality that is already built into OpenStack in the CLI? Most of the stuff that you explained, at least for the user side, is already built in there.

Speaker: Do you know for which release?

Audience member: So if you want to actually authenticate with TOTP, and/or with two factors, whatever you want to use, passing for example the passcode and retrieving the token itself is all built into the normal vanilla OpenStack client, at least since OpenStack SDK 1.0, but I'm pretty sure way longer. So why did you use the shell scripts? Was it difficult to figure out how to use this functionality?

Speaker: As a first thing, there's no documentation. We found this gem years ago and always wanted to have a presentation about this at the OpenStack Summit, and we tried this again and there was no new documentation about it. So if you say that it's new in OpenStack SDK 1.0.0, there's no documentation about it.

Audience member: I'm pretty sure there is some documentation, but it's no good documentation, I agree with that. But what I just wanted to say: it's all built in already, and you can shortcut a lot of what you've shown here, especially with the shell scripts that you provided.

Speaker: So that will be new to me, okay.

Audience member: Yeah, thanks anyway, great presentation by the way.

Audience member: A lot to learn. In terms of self-service, are there any plans to automate this so users can help themselves? By running, say, if you're implementing a UI, you run the script, but the user kind of becomes half the admin and provisions themselves. Is there any work going on towards that?

Speaker: No, it's not planned from our side. We just wanted to focus on the MFA and show that there's the feature, like you have multi-factor authentication in Keystone, and we wanted to highlight also a few downsides. And maybe, if you say it's already in the SDK, maybe they are already working on it.

Audience member: And the other thing, with the authenticator app: is it possible to integrate with a phone call, a text message as well? There's functionality like that too; it just depends on the provider how that part could work, because some authenticators have an option to send a text or authenticate by a phone call, like six-digit code things like that.

Speaker: I only know about this way. So, okay.

Audience member: Thank you.

Speaker: Any other questions?

Audience member: Thank you for the presentation. I want to ask about the integration between the multi-factor authentication and the SAML protocol support in Keystone. So actually we are using SAML protocol support in Keystone in our dashboard, so is it possible to utilize the multi-factor authentication with our dashboard using the SAML protocol?

Speaker: I don't know much about that protocol, so I cannot answer that question, unfortunately.

Audience member: Okay, thank you.

Speaker: Okay, thank you for your attention and have a nice summer day.
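The pieces of the workflow the talk walks through, as an added example that is not part of the transcript or the speaker's published scripts: the otpauth URI the admin turns into a QR code, the RFC 6238 passcode the user's app produces, the rule check behind the "not all authentication methods were satisfied" error, and the password+totp body for POST /v3/auth/tokens. All secrets, usernames and the issuer name are constructed; no network call is made.

```python
# Added example (not the speaker's scripts): the pieces of the Keystone MFA
# workflow from the talk, computed locally.  Secrets and names are constructed.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def totp_code(base32_secret, at_time=None, period=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s, 6 digits), the variant Keystone's totp plugin checks."""
    padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
    key = base64.b32decode(padded)
    counter = int((time.time() if at_time is None else at_time) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otpauth_uri(base32_secret, username, issuer="keystone"):
    """otpauth:// URI the admin encodes as a QR code for the user's OTP app."""
    label = quote(f"{issuer}:{username}")
    return f"otpauth://totp/{label}?secret={base32_secret}&issuer={quote(issuer)}"


def rules_satisfied(rules, methods_used):
    """multi_factor_auth_rules is a list of alternatives; each alternative lists the
    methods that must all be present in one request (the 'not all authentication
    methods were satisfied' error from the demo is this check failing)."""
    used = set(methods_used)
    return any(set(rule) <= used for rule in rules)


def mfa_auth_body(username, password, passcode, user_domain="Default",
                  project_name=None, project_domain="Default"):
    """JSON body for POST /v3/auth/tokens using the password and totp methods together."""
    domain = {"name": user_domain}
    identity = {
        "methods": ["password", "totp"],
        "password": {"user": {"name": username, "domain": domain, "password": password}},
        "totp": {"user": {"name": username, "domain": domain, "passcode": passcode}},
    }
    body = {"auth": {"identity": identity}}
    if project_name:  # scope the token to a project, as the demo's OpenRC variables did
        body["auth"]["scope"] = {"project": {"name": project_name, "domain": {"name": project_domain}}}
    return body
```

The returned body is what the demo's curl request carried; posting it to the Keystone auth URL yields the one-hour token in the X-Subject-Token response header.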