What we're gonna see on the videos, well, it's full HD, and it's supposed to be full HD as well. Yeah, so I'll be referring to you in some slides, so you can stand up and wave, people. I actually believe in the meritocratic thing, so people have to know who they can punch. Yes, and that as well. Oh, actually, just a second, I'll do a bit of... just a second, I made a stupid mistake that I want to rectify, and now we'll return back to the screen configuration. No, I'll tell people that. Yeah, yes, yeah, thank you. So just in the last minute and a half I actually noticed that the date here was the last weekend, when I gave a variation of this talk at FOSDEM. So it's kind of a DevConf at FOSDEM, right? So now it's the right date, at least for today, and we can start with it.

So the idea for this talk actually started more than half a year ago, when we gradually worked on the server side to get all the bits and pieces for single sign-on available, and then I started looking at how those pieces can be combined together to have our laptops, and overall our desktops, working nicely, so that there's no excuse anymore called Mac OS X to be on the desktop with Linux. It shouldn't be cool, it should just work. And I came first to the GNOME Foundation, at GUADEC, with this idea and practical demos of what can be achieved with as little as possible, which showed what roadblocks we had. Now, six months later, we have some of those roadblocks eliminated, and it actually shows how far you can get with even a little effort there. Some of that effort is a really small one, but some of the work was groundbreaking. But let's go there.

So we talk about the enterprise desktop, and GUADEC last year was quite interesting in this sense: we had two talks on the enterprise desktop, one coming from Red Hat, one coming from SUSE. The SUSE talk was the traditional enterprise desktop, mainly a Linux desktop to run your office applications, and traditionally people think that the desktop for enterprise is actually that you get office applications to run, some documents to write, some presentations to show, and so on, and you are basically limited to that. Okay, there are printers that can be used to print; if they don't work, that's all a fail, meaning the server guys and not the desktop people. And when the enterprise Linux desktop is usually mentioned, it's in the migrations from Windows, where people try to compare how easy it is to use, basically what the icons are there, what the UX experience is, natural for them and so on, but not all the integration into the environment that this desktop runs in.

So yeah, enterprise, but almost. Yeah, I work from home, and in a sense my local office network, which I do have (we have an office in Finland for Red Hat), is the same as if I work from home, because there's no IT support that supports that office; we, the associates, support it ourselves. So working from home with VPN is equal to working from the office that we have, except that I don't see my colleagues and I have a certain freedom of what I wear or where I sit or lie. But at the same time the company services that are in use, or enforced to be used by employees, they are also not in this certain central place, and that place might actually be spread out over different clouds, not even a single one, and we can even have something that's inside or outside an internal cloud, or a single machine somewhere, or provided by external providers. There are plenty of them, and I'm sure everybody can really share experience about that. And also, even if I use the corporate laptop and I have certain limitations to what I can do on it (Red Hat is very good at allowing open source work on the corporate laptops), I need to have a corporate identity to sign in to corporate applications, whatever they are. They might be just, I don't know, places where somebody else brags about bacon and pizza, but still it's corporate stuff.

I have my home network, which I also need to use even from the corporate laptop if I want to print, since my printer is there, or at the local office the printer is actually managed by the company that manages the local space. At the same time there are plenty of social networks, and if you look at the messages that the DevConf organizers are putting out, they are explicitly asking you to be active on social networks, promoting your talks and talks of your colleagues, and writing blogs and so on, and I only have this leftover, so I have to have access to those social services if I want to participate and win something that they promised for the best blog about it. Then I'm participating in multiple free software projects, so, so to say, I have multiple hats to wear, if they all fit here, but sometimes I need to kind of juggle them. But also, at the same time, I have governmental IDs issued to me, and sometimes I have to use those governmental IDs when talking to the tax office. Luckily in Finland people don't like to talk face to face with the government, so the government made a perfect system where you're just logging in over the web using your smart cards and bank credentials, which avoids talking, but it means that you need those identities to be supported on Linux to be useful. And I also have my private data, whether it's private data on a corporate laptop, which supposedly is not to be there (it's still there), and I want to protect it and share it with those whom I care about. And I'm kind of a crazy person that wants to have access to all of that at the same time. Is this a rare example? I think most of you can relate to the same story.

So I work on FreeIPA, which is really a management of identities and policies: store them in a single place and enforce them at the endpoints, of which those laptops are one example, applied locally. And it's a number of different free software projects unified together in a common management framework to rule them all. So it's available in multiple distributions; slowly but surely most of its capabilities infiltrate stable versions. Like two years ago we missed by one week a freeze deadline in Debian, so Debian has the FreeIPA server side, but only in testing, because we just missed a deadline. Hopefully for the next deadline we will already be ready for that. And the GNOME Foundation, GNOME as an organization, runs FreeIPA as their accounting system, so all GNOME developers have an account in account.gnome.org, which is FreeIPA. If you go there right now you will see that it's the standard FreeIPA login screen, which you will see today.

So how enterprise are we? There are multiple ways of scoring, so let's score by one of those things, by password. If you have multiple passwords to enter, you're not enterprise, and the lower the number of passwords you enter, because in enterprise marketing materials, if you sell enterprise products, the single sign-on phrase kind of rules them all. None of those products actually has real single sign-on, but they claim to do it. So a typical workflow, if you're happy enough to reboot your laptop, is actually that you have to sign in to your local system account, so you enter a password; you jump onto the virtual private network, VPN, to your office environment, which might include a password, and maybe a token value, one way or another a certificate, and God knows what. If your corporate environment uses Kerberos or Active Directory, you most likely will obtain the Kerberos ticket and then supply this ticket to the application, or you're supposed to use the Kerberos ticket as evidence that you are who you are to those applications, and therefore go with single sign-on in those apps. But you already struck that password like three times before you got to that point, and many of those enterprise apps actually do not support Kerberos, so in fact you will be requested to enter a password again. So can we be really better than this? Obviously crossing out some password-entering procedures that you have to do, I would say, every day would probably be good. Can we really slim it down to one or two? Let's see.

Let's try to log in. I'm not gonna run a live demo, so I have pre-recorded videos which show the same stuff. This one was done in a VM, and basically I'm just trying to log on to that VM. The VM is enrolled into the FreeIPA server that I have, and the VM is actually not on the same network as I have, therefore I use a VPN to log on there. And as you saw, there's nothing to enter; there's no password required, because I used Kerberos credentials that I obtained when I tried to log on, and those Kerberos credentials were forwarded over the Kerberos proxy through the public internet to obtain a ticket. So here, in the second output of klist, you see the first ticket is HTTP/...; that's the ticket to my VPN service. This ticket was obtained without entering any credentials, because I already have credentials, and now that I'm on the VPN to my internal network I can actually run IPA commands against that IPA server which is behind the VPN, so it's not accessible from the public internet, but it's accessible, obviously, on the intranet. So this is the basic thing: we just logged on to a system that is configured to be a client to FreeIPA. SSSD, as a local daemon, enforces IPA policies and provides all these users and IDs; it handles logon and Kerberos keys. The logon was verified over a public network using a proxy for the Kerberos protocol. The VPN connection authenticates based on the Kerberos ticket that I obtained on top of the ticket-granting ticket, or initial ticket, that I got when I logged on. My credentials were entered only once, in that logon screen. It's kind of a paradise, right? What I'm dreaming of at night.

So this Kerberos proxy. Actually, at some time good things come out of Microsoft, not only in the form of Hyper-V and Azure and so on, but also some real good things like this Kerberos proxy. They had exactly the same problem with the Windows workstations for their customers, and they invented this protocol of proxying Kerberos data over HTTPS to allow getting the initial ticket, then using that ticket to establish the VPN connection, and using IPv6 over that VPN connection to bring together all the laptops. It happens behind the curtain; you don't see it. If your Active Directory administrator configured all this, you just don't see anything, it just works. But it took them a certain amount of time. I think they introduced this first in 2007 or so, and it didn't really work well until 2008 or so, because the client side needed to be updated, they needed to build IPv6 infrastructure to host all these virtual VPN environments, and so on. So Nathaniel McCallum implemented this protocol for MIT Kerberos and as a separate Kerberos proxy server, and then we integrated it; I think Christian did the work to integrate it in FreeIPA 4.2. So now if you deploy FreeIPA 4.2 you get the Kerberos proxy enabled by default. It's on the same HTTPS port as the management interface that IPA runs, which is neat. You just do it, and your public network can be used to connect and get there.

GNOME guys are really spearheading the deployment. Two years ago, once we introduced the Kerberos proxy in FreeIPA 4.0, I think even before that, they simply deployed it for their own needs to allow their developers to use GSSAPI for SSH connections, and that is to replace SSH key access, to make sure that you have single sign-on but you still have pretty serious security over that one: a ticket is expiring over some time, while SSH keys people have kept for decades instead of rotating them regularly. And on the VPN side, last DevConf we talked with Nikos from OpenConnect, and we persuaded him that it's actually an interesting problem, and he solved it in less than one week. So the OpenConnect client supports GSSAPI negotiation since Fedora 22, and the OpenConnect server supports its own Kerberos proxy, so you can actually use the OpenConnect server as your proxy. That's what I do, and my VPN runs the Kerberos proxy at the same time as the VPN itself. OpenVPN does not support GSSAPI, and its developers have an interesting mixture of understanding why GSSAPI is interesting; they think that it's kind of not the technology that you should use, you should use X.509 certificates. Let's leave them there. That's not quite true; well, I mean, there are some stories you can really look up using the search engines, the responses that I refer to, and they did not change in the last five or seven years. Actually, the first time we talked about GSSAPI, in 2005, people were asking on the OpenVPN development list for GSSAPI support, and it was negatively responded to all the time. IPsec has this standardized for IKEv1, if I understood Paul; yeah, so it's in the works now, and Libreswan would get it hopefully this year. So there's improvement compared to what we had even six months ago.

Could we do a stronger authentication at the VPN edge? Because you don't want to just allow everyone to connect into the enterprise with a ticket that was obtained with a single factor. So yeah, with Kerberos 1.14, which is out, we have support for so-called authentication indicators. As Nathaniel found this week, they already put the OTP indicator in if you use two-factor authentication to log in, but we don't have enforcement yet; this is coming very soon, it's high on my priority list. Yes, so two-factor authentication is what we support in FreeIPA for HOTP and TOTP types of tokens, so things like a YubiKey with an HOTP or TOTP token written into it, or you can use the FreeOTP client on Android or iOS, or you have some BlackBerry stuff even, oh, it's outdated. So yeah, that's the cheating stuff, yep. And the two-factor OATH is enforced for users on the Kerberos side, so once you try to log in, if you have two-factor enforced and one factor is disabled, then you will not be able to get a Kerberos ticket unless you really use it. There are some problems on how to make sure of it without clients that know how to deal with it, so SSSD knows how to deal with it, a regular kinit doesn't, you need to do some tricks.

So how this works. This is FreeOTP; you can install it and use it, and I guess many of you are using it if you're in Red Hat. So let's try to see it. Here is the same session that I had, right? So this poor user has been made a member of the group "USB access"; this is just to allow udev to map permissions to allow programming the USB token. And I'm doing this programming actually in the console, just because from the browser we don't have access to USB devices, and that's probably a good thing. It also means that having some nice desktop UI integrated with IPA that knows about features like these tokens and is able to program the token without referring to the actual commands would be very nice to have; the YubiKey support itself was actually implemented in just one night. Now I have the token, and suppose I inserted the actual token into the machine. Let's pretend that this is really shown: I close the screen, and now what you see is that instead of the password prompt I get a first factor prompt. I did not change anything, I just locked the machine, and when GDM asks me for the prompt, what to enter, SSSD sees that the Kerberos server is actually responding with an "I need additional information" kind of response, and that means that it also returns a prompt that I can show. We are a bit weird, so we called them first factor and second factor; of course, people who want to have them named properly can file bugs and talk to the people. One is the password, another is the token generated by the YubiKey. Exactly the same can happen if I load FreeOTP and have a token generated. Let me launch FreeOTP. Yeah, so if I press on this one, then it generates a code and I enter the same code. A YubiKey is just a keyboard in reality; actually, using Bluetooth as a keyboard, your phone can be a keyboard, and FreeOTP then inserts the code into your laptop. Do we have all the system parts fixed? Actually, okay. So now I entered the first factor and the second factor and I logged in, and looking at the Kerberos credentials you can see that I actually have a fresh initial ticket, which means that this ticket actually has now an authentication indicator saying that I did two factors. We don't have, on the client side, in the Kerberos GSSAPI library, a way to pick up this indicator and see and verify that it's actually valid and signed by all the partners; it's coming at some point later, but it's there. So the basics are there. Now what can I do with it, right, with this token?

Okay, coming back, here is a summary. We got the one-time password programmed into the YubiKey. We handle login, and SSSD notices that there is a pre-authentication request from the Kerberos server saying that I need more info, and what info, and it pushes GDM to show that. We log in to the system, verified over a public network using the Kerberos proxy, which forwards to the actual KDC. Then we got the ticket. The first factor is provided to GDM to unlock the GNOME passwords and key storage; if we don't do this on the first logon ever on your system, your GNOME keyring will be encrypted with a password that for sure will never repeat again, and you will not be able to decrypt it. So what we do is that we split these prompts; we provided infrastructure to actually handle prompts separately, exactly for these reasons, for a small thing like a reusable key store, the secret store. If you are offline, SSSD has support for that: it knows that you are offline, you cannot reach the identity server, and it only asks you for the first factor. It asks for the first factor and then does the hash comparison with the stored hash (of the hash of the hash, basically) of the password that was used once. You cannot log in offline to a system that you never logged on to, but if you logged in once and you have this enabled (it's not enabled by default), at the first attempt when the password will be needed it will be upgraded to online use and you will get the request for the password and for the token again. Credentials were entered only once.

Now, if I have them, what can I do with them? Almost everything. So I can authenticate even against the web, if the web understands this protocol; I can obtain a SAML assertion or any other equivalent thing that basically reports back what this identity is; I can access network file systems, that's the first thing that started like 15 or even more years ago; I can display properties of the tickets; I can renew tickets; I can choose what principal to use and to authenticate with GSSAPI. Now, that's the interesting part: the Epiphany web browser does not support GSSAPI since 2009, when its support was removed from libsoup. This is the famous bug that's still being fixed; do not spoil my presentation, please. So WebKitGTK is unusable for SAML or OAuth2 interactions, OpenID, even if you want to involve Kerberos. One cannot use, for example, Google Apps with GSSAPI in GNOME Online Accounts; no single sign-on, as a result of it, basically. That's it. Can we do better than that? I would say yes.

So let's look at the hacked version done by Tomas Popela and David Woodhouse from Intel. Now I'll be fast, because I will be showing just demos, right? So I got logged in, I got the ticket, and now with that ticket I'm logging in to the FreeIPA web UI using GSSAPI. The browser that I use is Epiphany, it's a standard Fedora 23 with hacked libsoup and WebKitGTK packages. Now, the next step, I go into GNOME Online Accounts and enter my email for this user, which you can see in the background, and Google then accepts it, because I have paired my FreeIPA install with the identity provider called Ipsilon, which supports pulling data from IPA, including email information, and pushing that data out to the service provider, and Google Apps is the service provider for this. So I logged in to Docs, and you can actually see that that's me, once the cursor goes there; yeah, that's the same email as the one in the database. You have to pre-create users within Google Apps, but at no point does Google see any credentials you use; they get a signed assertion from your identity provider, and that is enough for them. So what else? The Google Calendar bug, that's why you see this kind of... the screen is not really good there, right? It's the bug with the browser's user agent string, which turns Google Apps to serve you mobile. Yes, and you can see that in GNOME Online Accounts I have all this stuff basically enabled for use of the session cookie that was obtained through the Kerberos credentials. Okay, that's the work that we hope to get into GNOME 3.20. Can we do better than that? Yes. So that's exactly what happened here: Google Apps accepted it. You can get more from Patrick's talk tomorrow, about the same time, about Ipsilon, and he will show some of these demos and his own demos as well. This should work with any identity provider that knows how to utilize SSSD features that expand beyond POSIX attributes, because email is not a POSIX attribute, and this is what Google cares about. Yes, yes, yes, I think it created a lot of issues for the Ipsilon guys when my logout was implemented.

Yes, so what can we do in GNOME Online Accounts? A lot. We can visualize and see the properties, but unfortunately those properties are not really well visible right now; I will skip parts of it. We can have multiple credentials used, and the one that you want to use can be selected from the console using the kswitch command, but we would like to have something more user friendly, for your definition of user. And we can have ticket renewals, and that's now a big problem that everybody complains about, whoever uses GNOME with Kerberos: the ticket has expired, but nobody pops up a message for that one, nobody initiates it. So I talked with Debarshi on it, and hopefully we get this fixed at some point. The browsers have their own problems: Firefox, for example, needs manual configuration, but at least it's accessible for the users; Chrome requires system-wide configuration or command line parameters you have to specify all the time. With the fixed libsoup and WebKitGTK, Epiphany will just work against any HTTPS website, as much as Konqueror does already, but the Konqueror HTML engine, for example, is not enough for Google Apps and for the other applications. And there are some limits that you need to be aware of, like the GSSAPI flow is synchronous, so you have to do it outside of your UI thread, but that's not news for UI developers.

But any kind of practical use of it, right? Google Apps is one thing; you probably don't want to do Google Apps for your home if you want to stay under the budget, right? So let's do some practical thing. It's a two-minute demo. I skip one demo in this one and I show another one. So this is, actually, I'm becoming an administrator from Active Directory. This Active Directory has established cross-forest trust relations with FreeIPA, and now I will use these credentials over Epiphany to log in to the ownCloud instance that I have, and that works with the help of Ipsilon; it accepts the GSSAPI authentication. So now what will happen, it takes a bit of time, is that this Windows administrator is actually part of my ownCloud environment. It does not exist in FreeIPA; it purely exists in the Active Directory that I have somewhere under the table in my office. And you can actually see, I will get it a bit larger here and scroll it, that the ownCloud ID is a fully qualified username including the realm, or AD domain. So this is something you can do, and practically, yes, this is a setup that I have hacked ownCloud for, to basically accept some assertions coming from Ipsilon and auto-create users if they come in this way. Again, no need to enter passwords from the first logon with the two-factor authentication through to the use of this application. I'm there, right? If I pause, we can see that tickets were obtained: first the initial ticket for the Active Directory realm, then the cross-forest ticket for accessing IPA resources, and then the ticket for Ipsilon. So we got through all the stages and finally got to the ownCloud system, and credentials were entered only once. That's what I want to see in, let's say, Fedora 25 for the majority of services that support GSSAPI, and I need your help, actually. This is not existing in the standard ownCloud community edition; the ownCloud company sells this as one of their enterprise edition features, so now I'm kind of commoditizing that feature, and even more, because they don't have support for Active Directory trusts, and going through it, we do. Yes, and we want to have GNOME Online Accounts working well for all SAML-enabled services, not just the way it only works for Google Apps now but doesn't work for ownCloud within GNOME Online Accounts. FreeIPA also has support for user certificates, so you can actually plug the hole and have your own environment at home, or for your small company, that way you trust your infrastructure. So I'm skipping this, because that's what I showed you.

You can control your own infrastructure; that's the very important part of it. You can improve the user experience: we become older and older and we don't remember all these techie steps anymore; well, 20 or 40 years in the future is going to be an interesting challenge to every single one of us here. And finally somebody can profit from it, not only Red Hat. Thank you. I'm here today and tomorrow, you can come and ask. I don't think we have any time left, otherwise I get kicked completely by the guys who do the call. Wait, yes.