Add support for OpenID Connect
-
-
Any logical (software) solution can be broken. Assurance companies will prefer a physical solution. And pfSense has one.
Get a device with multiple LANs.
All the LAN interfaces should contain rules that forbid connections to SSH and HTTPS on the device (pfSense) itself. Except for one LAN, a port that you leave not connected at all times. You, as an admin, will use this port with your device to admin your pfSense. This means you have to connect to the device physically, which means you 'own' the device, as you must have access to it.
"OpenID Connect" for a firewall router : nice - why not.
But what happens when the WAN fails ** ? As long as there is no WAN interface available, you have no access to the device to 'set' or change a setting to re-enable the connection. The same Assurance companies (another desk) will now yell that your "catastrophe plans" are not ok ...
Oh, I get it !! You also have several 'one shot' access codes that can be used to access the router in case of a broken WAN. Now you have to manage these codes, because when I
Btw : Once a router firewall is set up, it could be days, weeks, months before you reconnect to it again. The admin interfaces are used by the admin only, not by a group of persons or even the public.
Which means that the real time clock (NTP) fails, which means that OpenID Connect checking will fail.
Also : Google will tell you that OTP is possible. Not exactly OpenID, but it comes close. It will also tell you that pfSense doesn't support OpenID, as Google has access to the full pfSense Netgate documentation.
The pfSense FreeRADIUS package has an OTP option. You could use the Google Authenticator. Google, and the connection to them, should be trusted and available.
Now, let's hope that Google doesn't do what Facebook did to itself a couple of months ago .... ;)
-
@gertjan said in Add support for OpenID Connect:
Any logical (software) solution can be broken. Assurance companies will prefer a physical solution. And pfSense has one.
- This is of course true and I understand where you are coming from, but by the same token pfSense is a software firewall, so this point is sort of moot.
@gertjan said in Add support for OpenID Connect:
Get a device with multiple LANs.
All the LAN interfaces should contain rules that forbid connections to SSH and HTTPS on the device (pfSense) itself. Except for one LAN, a port that you leave not connected at all times. You, as an admin, will use this port with your device to admin your pfSense. This means you have to connect to the device physically, which means you 'own' the device, as you must have access to it.
- I would agree this is the most secure way to have access set up to pfSense. We will probably end up going with this route, as our hardware would be behind a locked door (something you have) and the interface is protected by a password (something you know). The main reason I would like to avoid this if possible is that it can be a pain in the rear to drive/go to the site and connect to the pfSense box in a noisy server room, while being sure not to bump any other servers, just to update a DNS entry.
@gertjan said in Add support for OpenID Connect:
"OpenID Connect" for a firewall router : nice - why not.
But what happens when the WAN fails ** ? As long as there is no WAN interface available, you have no access to the device to 'set' or change a setting to re-enable the connection. The same Assurance companies (another desk) will now yell that your "catastrophe plans" are not ok ...
Oh, I get it !! You also have several 'one shot' access codes that can be used to access the router in case of a broken WAN. Now you have to manage these codes, because when I
- The answer, I would say, is to make sure multi-WAN is configured. For my particular use case, I was playing around with hosting most of the OpenID Connect infrastructure locally anyway, so that if the WAN did go down I would still be able to authenticate, assuming I have power. A solution like Authelia seems like an attractive offering. The user database could be hosted on a local LDAP server, and there is no inherent need to use a cloud login provider such as Google, Facebook, or GitHub. The TOTP standard, to my knowledge, does not depend on an internet connection. The use of one-shot codes would be up for debate on whether they are a good idea or even necessary, but I do see your concern in trying to manage those as well.
@gertjan said in Add support for OpenID Connect:
Btw : Once a router firewall is set up, it could be days, weeks, months before you reconnect to it again. The admin interfaces are used by the admin only, not by a group of persons or even the public.
- To that I would say yes and no. Theoretically, a firewall once configured shouldn't ever need to be looked at again until an update comes out. For example, I barely touch my home pfSense installation, as it just works and my home needs are not that complex. However, in a larger corporate environment where more modules are being used, I find myself logging into pfSense on an almost daily basis. Tasks are delegated to different users who have different levels of access. The other thing to consider is that pfSense is more than just a firewall. OpenVPN, I would say, is a good example of where you need to authenticate users on pfSense quite often.
@gertjan said in Add support for OpenID Connect:
Which means that the real time clock (NTP) fails, which means that OpenID Connect checking will fail.
- HTTPS also relies on NTP to have accurate time to establish secure connections. (albeit maybe not as strict as TOTP) If you want to get super concerned about NTP, host your own stratum 1 time server.
@gertjan said in Add support for OpenID Connect:
Also : Google will tell you that OTP is possible. Not exactly OpenID, but it comes close. It will also tell you that pfSense doesn't support OpenID, as Google has access to the full pfSense Netgate documentation.
The pfSense FreeRADIUS package has an OTP option. You could use the Google Authenticator. Google, and the connection to them, should be trusted and available.
Now, let's hope that Google doesn't do what Facebook did to itself a couple of months ago .... ;)
- I am aware of the FreeRADIUS implementation for pfSense. The issue I have with it is that you can only use a PIN code for your password, which I don't find as secure IMO. The other issue is that the TOTP needs to go at the end of the PIN instead of in a different field. This isn't a big deal for anyone who is technically inclined, but this would result in extra confusion for non-techy users who still need to use services offered by pfSense such as OpenVPN. Sure, I could use another server/VM to host my OpenVPN server, but that's another piece of infrastructure that I need to maintain, and my Netgate XG series still has plenty of horsepower to run extra services.
- Not sure what you mean by hoping Google doesn't pull a Facebook. I don't depend on either service because, despite their contributions to FOSS, I think they both have bad business models. DuckDuckGo suits me well.
All in all, adding OpenID Connect protocol to pfSense may be a hammer looking for a nail, but I think it could still be useful for plenty of users. Thanks for your response and I would be open to hear any other input or ways to better secure/manage pfSense logins.
-
Ok, you gave it some thought, ;)
@ben-ihelputech said in Add support for OpenID Connect:
you can only use a PIN code
Never used it, but this PIN code is a rotating one, valid for 30 seconds or so.
@ben-ihelputech said in Add support for OpenID Connect:
Not sure what you mean by hoping Google doesn't pull a Facebook
Facebook removed themselves from the Internet for a couple of hours. This wasn't Google's fault.
-
No support currently. You can open a feature request:
https://redmine.pfsense.org/
Steve
-
@gertjan said in Add support for OpenID Connect:
Facebook removed themselves from the Internet for a couple of hours. This wasn't Google's fault.
Lol, now I remember what you said. I think it was something like a BGP misconfiguration or something like that. The world was probably about 20% more productive that day.
@gertjan said in Add support for OpenID Connect:
Never used it, but this PIN code is a rotating one, valid for 30 seconds or so.
I think the way it works is that you enter the PIN + the TOTP (which is the 30-second rotating PIN).
@stephenw10 said in Add support for OpenID Connect:
No support currently. You can open a feature request:
https://redmine.pfsense.org/
Steve
Will do!
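The PIN-plus-TOTP scheme discussed in the thread (a static PIN followed by the 30-second rotating code in a single password field, and the clock dependence raised in the NTP exchange) as an added Python example. This is not code from the thread, from pfSense or from FreeRADIUS; it assumes a 4-digit PIN prefix, a 6-digit SHA-1 TOTP with 30-second steps, and a tolerance of plus or minus one step on the verifier side. The secret is the RFC 6238 test-vector key, not a real credential, so the expected codes are the published ones.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 / RFC 4226 test-vector secret ("12345678901234567890" in base32).
# Constructed for the example; never use a published key as a real credential.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TOTP_STEP = 30       # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6      # code length (RFC 6238 default)
SKEW_STEPS = 1       # assumed: accept codes from one step before/after "now"


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    The only variable input besides the shared secret is the clock, which is why
    a device that has lost NTP (or drifted) produces or accepts the wrong codes.
    """
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at // step)


def verify_pin_plus_totp(submitted: str, pin: str, secret_b32: str,
                         now: int, window: int = SKEW_STEPS) -> bool:
    """Verify a password of the assumed form <static PIN><6-digit TOTP>.

    Both halves are compared in constant time, and every step in the window is
    checked without short-circuiting so timing does not reveal which step matched.
    """
    if len(submitted) != len(pin) + TOTP_DIGITS or not submitted.isdigit():
        return False
    got_pin, got_otp = submitted[:len(pin)], submitted[len(pin):]
    pin_ok = hmac.compare_digest(got_pin.encode(), pin.encode())
    otp_ok = False
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, now + delta * TOTP_STEP)
        otp_ok |= hmac.compare_digest(candidate.encode(), got_otp.encode())
    return pin_ok and otp_ok


def clock_skew_demo(pin: str = "1234", skew_seconds: int = 300) -> dict:
    """Show the failure mode from the thread: same PIN+code, server clock off by skew_seconds."""
    client_time = 59                      # RFC 6238 vector: counter 1 -> "287082"
    password = pin + totp(DEMO_SECRET_B32, client_time)
    return {
        "password": password,
        "in_sync": verify_pin_plus_totp(password, pin, DEMO_SECRET_B32, client_time),
        "one_step_late": verify_pin_plus_totp(password, pin, DEMO_SECRET_B32, client_time + TOTP_STEP),
        "clock_off": verify_pin_plus_totp(password, pin, DEMO_SECRET_B32, client_time + skew_seconds),
        "otp_without_pin": verify_pin_plus_totp(password[len(pin):], pin, DEMO_SECRET_B32, client_time),
    }


if __name__ == "__main__":
    for k, v in clock_skew_demo().items():
        print(f"{k}: {v}")
    print("current code:", totp(DEMO_SECRET_B32, int(time.time())))
```

The window of one step either side is what makes a small drift survivable; a clock that is minutes off, as after a long outage with no NTP reachable over the WAN, falls outside it and every otherwise-correct code is rejected, which is the scenario the thread is describing.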