Today we released privacyIDEA 2.15. In this release privacyIDEA command line client supports the initialization and enrollment of the Nitrokey. The Nitrokey is an open USB devices that acts as authentication device and password safe. It can hold your PGP keys but also provides several OTP slots. privacyIDEA now can initialize these OTP slots, so that you can use your own key material and use the Nitrokey as an open and trusted authenticator. This way you get the maximum trust and transparency by running open source software, using open and standardized algorithms and open hardware.

Arbitrary User Attributes and Client Overview

With privacyIDEA 2.15 the administrator now can edit arbitrary user attributes. These user attributes can be included in the authentication response and the new privacyIDEA FreeRADIUS plugin can map these user attributes to any RADIUS response attribute.

In the Web UI the administrator now also gets an overview of all authenticating clients. This may help him to keep track of the connected applications.

Download

You can download privacyIDEA via github, the python package index or the Ubuntu Launchpad repository. privacyIDEA is also available as privacyIDEA Enterprise Edition from NetKnights providing additional downloads for CentOS or the Univention Corporate Server.

Changelog

• Client Overview. Display the type of the requesting   authenticating clients (#489)
• Support for NitroKey OTP mode (admin client)

Enhancements

• You can edit arbitrary user attributes in privacyIDEA.
• Such user attributes can be mapped to any RADIUS attribute.
• Performance enhancements using Caching singletons for Config, Realm, Resolver and Policies
• Allow configuration of the registration email text (#494)
• Return SAML attributes only in case of successful authentication (#500)
• Policy “reset_all_user_tokens” allow to reset all  failcounters on successful authentication (#471)
• Client rewrite mapping also checks for X-Forwarded-For (#395, #495)

Fixes

• Fixing RemoteUser fails to display WebUI (#499)
• String comparison in HOSTS resolver (#484)

Look at my Nitrokeys. The pre-release of the Nitrokey Pro, the Nitrokey Storage and Nitrokey HSM. The Nitrokey is a crypto device, which you can use to store your PGP Keys or just RSA keys and thus sign and decrypt data. It comes with a password safe and the ability to generate one time passwords. It is open hardware and all necessary software is open source. Thus it is a great device to be combined with the open source authentication system privacyIDEA.

Nitrokey managed by privacyIDEA

You can manage your keys locally on your desktop with the Nitrokey-App. You can reset the user PIN and the administrator PIN (SO PIN). And you can manage the passwords in your password safe.

But you can not use the OTP functionality as you need a backend or an application to authenticate against. The idea to manage the Nitrokey with privacyIDEA was around for a while. Issues have been filed to the privacyIDEA github project and the privacyIDEA command line client. Managing the OTPs of the Nitrokey seemed to be a logical first step.

Just yesterday I pushed the code to the github repository of the privacyIDEA command line client. The good news is, that there are no changes in the privacyIDEA backend necessary. The Nitrokey acts as an HOTP or TOTP token – both token types are already supported by privacyIDEA. The command line client takes care of initializing the Nitrokey and creates the token object in the privacyIDEA backend.

privacyIDEA and hardware tokens

privacyIDEA already supports several hardware tokens, which can be seeded: like the Yubikey, U2F devices, eToken NG or daplug token. Most of these tokens (except U2F) are initialized via the command line client. The great thing with the command line client is, that the tokens like the Yubikeys can be mass enrolled. This way the administrator can initialize hundrets of tokens in a few minutes and initialize these with new key material – being independent of the vendor.

With the Nitrokey you can do this, too. But you also get a bonus. You are indepent with your key material of any vendor and you get a hardware, that is open, where you can simply run your audits on it.

Enroll a Nitrokey HOTP token

To be able to enroll the Nitrokey you need to get and install the Nitrokey-App and libnitrokey. The privacyIDEA admin client uses libnitrokey to initialize the OTP slot. The Nitrokey support in the privacyIDEA admin client is totally new. It is not contained in the packages of the privacyIDEA admin client, yet. So you also need to get the github repository and install the privacyIDEA admin client via

  python setup.py install

Now you can enroll Nitrokeys:

  privacyidea -U https://localhost --admin super --nosslcheck token nitrokey_mass_enroll --slotname meiner0 --slot 0

The new command option nitrokey_mass_enroll will start the mass enrollment process for Nitrokeys. This will only work if all Nitrokeys have the same admin PIN. At the moment the admin PIN is requested during startup and not for each enrolled Nitrokey.

You can specify which slot should be written. There are 3 HOTP slots, so this value can be 0 – 2. You can also set a slotname for this slot.

The admin client will ask you for the next Nitrokey to be inserted. This way you can initialize OTP slots of many Nitrokeys and then give these keys to your users.

The great thing is, the admin client will read the serial number of each Nitrokey during the rollout process. It then create an HOTP token object in the privacyIDEA backend with the token serial NK<serial>_<slotnumber>. This way you can easily identify devices.

Maximum trust

privacyIDEA once more improves the level of trust by supporting the open hardware Nitrokey. Get transparent software and transparent hardware to boost trust to the max.

We found a nasty bug this week, which required our attention.

Support for Nitrokey

We are talking a lot to Nitrokey, since it is a great idea to combine transparent, open source authentication software with open authentication hardware like the Nitrokey Pro. As you can see in the ticket, this idea is around for quite a while. But to do an easy enrollment we need some high level function in the just upcoming libnitrokey. This is not as straightforward as wished. If you are an experienced C/C++ and Python programmer, you are welcome to contact me and assist!

Finally a simple feature request which we decided to put into 2.12 turned out to be an interesting concept, when designing and implementing it in a flexible way.

Event Handling Framework

We could send an email to a user, if an administrator modified his token. But which modifications, how and why? Thinking about it resulted in a more flexible concept, of an event handling framework, where you can define rule, which should happen in which occasion under which condition. Different event handler module will be able to enhance the possible actions in response to events.

Finally we have done the database model and are just working on the base class and the decorator. We will come up with the user notification on modified user tokens.

But therefor we need to push the release data accordingly.