
2FA With LemonLDAP-NG or Keycloak

Open Francewhoa opened this issue 3 years ago • 6 comments

English

English version below. French version further below.

Hello all OVH enthusiasts :)

This is a suggestion for the OVH team about adding Two-Factor Authentication (2FA) on this log-in page at https://horizon.cloud.ovh.net so that both OVH and its clients benefit from stronger security, increased OVH income, and reduced OVH operating cost.

To resolve this challenge, for OVH's review for interest and decision, I suggest considering either https://lemonldap-ng.org or https://www.keycloak.org

Both products above have strong security and strong privacy, because they are open source :) My favorite is LemonLDAP-NG, because, legally speaking, LemonLDAP-NG is owned and controlled by both you and a not-for-profit community. In comparison, Keycloak is, legally speaking, indirectly owned and controlled by the for-profit IBM.


Below is the same suggestion as above, but with details if you're interested in those.

User Story

As an OVH Public Cloud user, I need Two-Factor Authentication (TFA) on this OVH Public Cloud (OpenStack Horizon) log-in page at https://horizon.cloud.ovh.net so that I benefit from:

  • Stronger Security: Stronger protection against brute force attacks https://en.wikipedia.org/wiki/Brute-force_attack. Stronger security because TFA passcodes are constantly changed; dynamically generated passcodes are safer to use than fixed (static) log-in information. Also, depending on the solution, passcodes that have been used are automatically replaced in order to ensure that a valid code is always available, so transmission/reception problems do not prevent logins.
  • Increase OVH Income: Most of both my clients & my insurance companies require TFA to do business with them. This is often included in contracts between us. In other words, to be eligible to do business, most of them require TFA on all servers. In turn, OVH's Public Cloud product would be more attractive. In turn, OVH's income could potentially increase. Also, most of OVH's competitors, such as Amazon and Microsoft, already have TFA on most of their log-in forms.
  • Reduce OVH Operating Cost: Like most hosting companies, I guess that OVH has a significant cost dealing with customers' requests about intrusions. TFA could significantly reduce those intrusions. In turn, OVH would reduce its operating cost.

Below is the same suggestion as above, but with details if you're interested in those, including suggested resolutions.

Assumptions:

  • Assumes that this screenshot shows an example of a successfully implemented TFA [screenshot: Double-Authentification-DA-Two-Factor-Authentication-TFA-2020-08-30-ubertus]

  • Assumes that by Two-Factor Authentication (TFA) we mean this https://en.wikipedia.org/wiki/Multi-factor_authentication

  • Assumes that synonyms of TFA are:

    • Authentification en deux étapes
    • Multi-Factor Authentication
    • Two-Factor Authentication (TFA)
    • Vérification en deux étapes
  • Assumes that the TFA would allow using a mobile app, such as:

    • FreeOTP+ at https://play.google.com/store/apps/details?id=org.liberty.android.freeotpplus&hl=en_US&gl=US
    • FreeOTP at https://freeotp.github.io/
  • Assumes that optional backup codes would be available, so that if the user somehow loses their phone, they are still able to log in at https://horizon.cloud.ovh.net

Suggested Resolution

Feel free to choose any TFA option to your liking. The Ubertus team suggests considering the following options, which are all secure & safe, for OpenStack Horizon Keystone version 3+.

Option 1 : LemonLDAP-NG

  • Free & open source software. This means stronger security & stronger privacy, because the software code is fully available for all to review and/or contribute to https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng

  • Cost reduction for OVH, because there are no license fees to pay to LemonLDAP-NG.

  • Docker container repository at https://github.com/LemonLDAPNG/lemonldap-ng-docker

  • Screenshots at https://lemonldap-ng.org/screenshots

  • LemonLDAP-NG is used by many organizations. One example is the "Document Foundation", which facilitates the growth of LibreOffice. You can try LemonLDAP-NG for free at https://auth.documentfoundation.org

  • Download at https://lemonldap-ng.org/download

  • Homepage at https://lemonldap-ng.org/welcome/

Option 2 : Keycloak

  • Free & open source software. This means stronger security & stronger privacy, because the software code is fully available for all to review and/or contribute to https://github.com/keycloak/keycloak

  • Cost reduction for OVH, because there are no license fees to pay to Keycloak.

  • The main challenge with Keycloak is that it is owned by RedHat. In turn, RedHat is owned by IBM. And IBM is a for-profit corporation. Legally speaking, this means that Keycloak is indirectly (proxy) CONTROLLED by IBM.

    • Source about RedHat owned by the for-profit IBM since 2018:

      • https://www.itworldcanada.com/article/ibm-acquires-red-had-in-largest-software-acquisition-ever-for-34-billion-analysis/410878

        • https://archive.ph/smFLy
  • Docker container repository at https://www.keycloak.org/getting-started/getting-started-docker

  • Documentation at https://www.keycloak.org/documentation

  • Download at https://www.keycloak.org/downloads

  • Homepage at https://www.keycloak.org

Option 3: TOTP

  • Use Keystone, activate « Time-based One-time Password (TOTP) »

  • TOTP documentation https://docs.openstack.org/keystone/latest/admin/auth-totp.html

    • Archived https://archive.md/w9ZfO

Option 4: MFA

  • Multi-Factor Authentication (MFA) documentation https://docs.openstack.org/keystone/latest/user/multi-factor-authentication.html

    • Archived https://archive.md/qmrwZ
  • Configure MFA documentation https://docs.openstack.org/keystone/latest/admin/multi-factor-authentication.html#multi-factor-authentication

    • Archived https://archive.md/9AdoK
  • Free code repository:

    • « PyOTP is a Python library for generating and verifying one-time passwords. It can be used to implement two-factor (2FA) or multi-factor (MFA) authentication methods in web applications and in other systems that require users to log in. » https://github.com/pyauth/pyotp

    • « This plugin adds a second factor to the Horizon Authentication facility using the TOTP protocol. » https://github.com/mcaimi/openstack-horizon-2factor-auth

    • « The purpose of this project is to develop a two factor authentication feature that integrates Twilio with OpenStack Keystone and Horizon » https://github.com/agileblaze/OpenStackTwoFactorAuthentication

Contribution

If needed, both I and the Ubertus team would be happy to contribute testing & documentation.

French

French version below. English version above.

Hello to all OVH enthusiasts :)

This is a suggestion for the OVH team about adding Two-Factor Authentication (TFA) on this page at https://horizon.cloud.ovh.net so that both OVH and its clients benefit from stronger security, increased OVH income, and reduced OVH operating cost.

To resolve this challenge, for the OVH team's consideration and decision, I suggest either https://lemonldap-ng.org or https://www.keycloak.org

Both products have strong privacy and strong security, because they are free (libre) software. My favorite is LemonLDAP-NG, because, legally speaking, LemonLDAP-NG is owned and controlled by both YOU and a friendly not-for-profit community. In comparison, Keycloak is, legally speaking, indirectly owned and controlled by the for-profit IBM.


Below is the same message as above, but with details, if you are interested in those.

User Story

As an OVH Public Cloud user, I need Two-Factor Authentication (TFA) on this OVH Public Cloud (OpenStack Horizon) log-in page at https://horizon.cloud.ovh.net so that I benefit from:

  • Stronger Security: Stronger security against brute force attacks https://fr.wikipedia.org/wiki/Attaque_par_force_brute
  • Increase OVH Income: For the majority of both my clients & my insurance companies, TFA is a prerequisite. That is, the majority of my large clients require TFA on all servers to do business. This is often a prerequisite in our business contracts. So with TFA, the OVH product would be more attractive to us. In turn, OVH's income would increase. Also, most of OVH's competitors, such as Amazon and Microsoft, already have TFA on the majority of their log-in forms.
  • Reduce OVH Operating Cost: Like most hosting companies, I suppose that OVH has a significant expense responding to support requests about intrusions into servers. TFA could significantly reduce these intrusions. In turn, OVH's operating costs would be reduced.

Below is the same suggestion as above, but with details if that is of interest, including suggested resolutions.

Assumptions:

  • Assumes that this screenshot shows an example of a successfully implemented TFA [screenshot: Double-Authentification-DA-Two-Factor-Authentication-TFA-2020-08-30-ubertus]

  • Assumes that by Two-Factor Authentication (TFA) we mean this https://fr.wikipedia.org/wiki/Double_authentification

  • Assumes that synonyms of Two-Factor Authentication (TFA) are:

    • Authentification en deux étapes
    • Multi-Factor Authentication
    • Two-Factor Authentication (TFA)
    • Vérification en deux étapes
  • Assumes that the TFA allows the use of an app on a mobile phone, such as:

    • FreeOTP+ at https://play.google.com/store/apps/details?id=org.liberty.android.freeotpplus&hl=en_US&gl=US
    • FreeOTP at https://freeotp.github.io/
  • Assumes that optional backup codes would be available, so that if the user somehow loses their phone, they are still able to log in at https://horizon.cloud.ovh.net

Suggested Resolution

Feel free to choose any TFA of your choice. The Ubertus team suggests considering the following options, which are free and secure, for OpenStack Horizon Keystone version 3+.

Option 1 : LemonLDAP-NG

Benefits with LemonLDAP-NG:

  • Free & open source software. This means stronger security & stronger privacy, because the software code is available for all to review and contribute to https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng

  • Cost reduction for OVH, because there are no license fees to pay to LemonLDAP-NG.

  • Isolated Docker container at https://github.com/LemonLDAPNG/lemonldap-ng-docker

  • Screenshots at https://lemonldap-ng.org/screenshots

  • LemonLDAP-NG is used by the "Document Foundation", which is the organization that facilitates the growth of LibreOffice. Try LemonLDAP-NG for free at https://auth.documentfoundation.org

  • Download at https://lemonldap-ng.org/download

  • Homepage at https://lemonldap-ng.org/welcome/

Option 2 : Keycloak

  • Free & open source software. This means stronger security & stronger privacy, because the software code is available for all to review and contribute to https://github.com/keycloak/keycloak

  • Cost reduction for OVH, because there are no license fees to pay to Keycloak.

  • The main challenge with Keycloak is that, legally speaking, it is indirectly owned and controlled by the for-profit IBM.

    • Source about RedHat owned by the for-profit IBM since 2018:

      • https://www.itworldcanada.com/article/ibm-acquires-red-had-in-largest-software-acquisition-ever-for-34-billion-analysis/410878

        • https://archive.ph/smFLy
  • Isolated Docker container at https://www.keycloak.org/getting-started/getting-started-docker

  • Documentation at https://www.keycloak.org/documentation

  • Download at https://www.keycloak.org/downloads

  • Homepage at https://www.keycloak.org

Option 3 : TOTP

  • Use Keystone, activate « Time-based One-time Password (TOTP) »

  • TOTP documentation https://docs.openstack.org/keystone/latest/admin/auth-totp.html

    • Archived https://archive.md/w9ZfO

Option 4 : MFA

  • Multi-Factor Authentication (MFA) documentation https://docs.openstack.org/keystone/latest/user/multi-factor-authentication.html

    • Archived https://archive.md/qmrwZ
  • Configure MFA documentation https://docs.openstack.org/keystone/latest/admin/multi-factor-authentication.html#multi-factor-authentication

    • Archived https://archive.md/9AdoK
  • Free open source code repositories:

    • « PyOTP is a Python library for generating and verifying one-time passwords. It can be used to implement two-factor (2FA) or multi-factor (MFA) authentication methods in web applications and in other systems that require users to log in. » https://github.com/pyauth/pyotp

    • « This plugin adds a second factor to the Horizon Authentication facility using the TOTP protocol. » https://github.com/mcaimi/openstack-horizon-2factor-auth

    • « The purpose of this project is to develop a two factor authentication feature that integrates Twilio with OpenStack Keystone and Horizon » https://github.com/agileblaze/OpenStackTwoFactorAuthentication

Contribution

If needed, both I and the Ubertus team are interested in contributing tests and documentation.

Francewhoa avatar Dec 10 '20 21:12 Francewhoa

Thanks for the very detailed feature request! We need some time to review it and share our position, but for sure we can share that most of this aligns with current mid-term projects. My colleagues will complete this answer in the upcoming weeks.

mhurtrel avatar Dec 11 '20 10:12 mhurtrel

Are there any updates on this? We are planning to move our entire Infrastructure to the cloud, but not having 2FA on Openstack will rule out OVH.

MarcSN311 avatar Jun 08 '21 07:06 MarcSN311

Replying to this issue for visibility.

Our companies are also waiting for this feature. Critical accounts should always have MFA options.

Brut4lity avatar Aug 11 '21 07:08 Brut4lity

Hello @mhurtrel & all OVH enthusiasts :)

This is a suggested resolution for Two-Factor Authentication, for OVH's review for interest & decision. I suggest using the free & open source LemonLDAP-NG.

Benefits with LemonLDAP-NG:

  • Free & open source software. This means stronger security & stronger privacy, because the software code is fully available for all to review and/or contribute to https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng

  • Cost reduction for OVH, because there are no license fees to pay to LemonLDAP-NG.

  • Docker container repository at https://github.com/LemonLDAPNG/lemonldap-ng-docker

  • Screenshots at https://lemonldap-ng.org/screenshots

  • LemonLDAP-NG is used by many organizations. One example is the "Document Foundation", which facilitates the growth of LibreOffice. You can try LemonLDAP-NG for free at https://auth.documentfoundation.org

  • Download at https://lemonldap-ng.org/download

  • Homepage at https://lemonldap-ng.org/welcome/


English version above. French version below.

Benefits with LemonLDAP-NG:

  • Free & open source software. This means stronger security & stronger privacy, because the software code is available for all to review and contribute to https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng

  • Cost reduction for OVH, because there are no license fees to pay to LemonLDAP-NG.

  • Isolated Docker container at https://github.com/LemonLDAPNG/lemonldap-ng-docker

  • Screenshots at https://lemonldap-ng.org/screenshots

  • LemonLDAP-NG is used by the "Document Foundation", which is the organization that facilitates the growth of LibreOffice. Try LemonLDAP-NG for free at https://auth.documentfoundation.org

  • Download at https://lemonldap-ng.org/download

  • Homepage at https://lemonldap-ng.org/welcome/

Francewhoa avatar Dec 05 '21 07:12 Francewhoa

Good morning @Brut4lity and all :) For those interested in adding Two-Factor Authentication to OVH Public Cloud, I suggest checking your inbox for an email message about this survey at https://survey.ovh.com/index.php/594726, which was sent today by OVH.

This email message is roughly titled:

  • Are you satisfied with your Public Cloud solution?
  • Are you satisfied with your Public Cloud solution? (French-language subject line)

Now is your opportunity to reply to this email and suggest adding Two-Factor Authentication to OVH Public Cloud, or suggest anything else that meets your present needs.

Francewhoa avatar Feb 08 '22 18:02 Francewhoa

Hello @Brut4lity, @MarcSN311, @mhurtrel, and all interested in adding 2FA for OVH :)

Today I updated my original post by adding a new option, about Keycloak, which is for OVH's review for interest and decision.

Benefits with Keycloak:

  • Free & open source software. This means stronger security & stronger privacy, because the software code is fully available for all to review and/or contribute to https://github.com/keycloak/keycloak

  • Cost reduction for OVH, because there are no license fees to pay to Keycloak.

  • The main challenge with Keycloak is that it is owned by RedHat. In turn, RedHat is owned by IBM. And IBM is a for-profit corporation. Legally speaking, this means that Keycloak is indirectly (proxy) CONTROLLED by IBM.

    • Source about RedHat owned by the for-profit IBM since 2018:

      • https://www.itworldcanada.com/article/ibm-acquires-red-had-in-largest-software-acquisition-ever-for-34-billion-analysis/410878

        • https://archive.ph/smFLy
  • Docker container repository at https://www.keycloak.org/getting-started/getting-started-docker

  • Documentation at https://www.keycloak.org/documentation

  • Download at https://www.keycloak.org/downloads

  • Homepage at https://www.keycloak.org

Both products, LemonLDAP-NG & Keycloak, have strong security and strong privacy, because they are open source :) My favorite is LemonLDAP-NG, because, legally speaking, LemonLDAP-NG is owned and controlled by both you and a not-for-profit community. In comparison, Keycloak is, legally speaking, indirectly owned and controlled by the for-profit IBM.

Francewhoa avatar Apr 12 '22 20:04 Francewhoa

We received this message from OVH about their Public Cloud services. They may be in the process of implementing the ingredients they need to add Two-Factor Authentication (TFA).


Message:

Upgrade of public cloud authentication

Dear public cloud customer,

We'll upgrade public cloud authentication (Openstack Keystone) on the 28th of February between 6 am and 10 am UTC. No data will be altered, but it will be put in read-only for around four hours. Token creation will still work, but beware of following the DNS entry auth.cloud.ovh.net without cache to ensure zero downtime during the migration.

The following endpoint will be impacted: auth.cloud.ovh.net

Status page of the planned maintenance

No major feature to expect for now except an upgrade to the last stable version of Keystone. It is the biggest requirement to enable identity federation for public cloud in the future.


What is Federated Keystone?

Our understanding and speculation is that this last stable version of Keystone is one of the required ingredients to add Two-Factor Authentication (2FA) to OVH Public Cloud services. In other words, OVH would have one of the essential ingredients to implement 2FA.

This OVH message above does not mean that OVH will add 2FA. It just means that they may be in the process of putting together the ingredients to cook 2FA for their Public Cloud services. Does anyone from OVH have more information about this? Any status on OVH's progress?

For those not familiar with Keystone, it is a component of OpenStack. Within Keystone is Federated Keystone, which includes various services for 2FA. OpenStack is what powers OVH Public Cloud. OpenStack is fully Libre Source (Open Source) software.


Contribute

For those interested in contributing to Federated Keystone, its documentation:

  • Summary at https://docs.openstack.org/security-guide/identity/federated-keystone.html
  • Details with visual diagram for developers at:
    • Dev release at https://docs.openstack.org/keystone/latest/admin/federation/introduction.html
    • Stable release, as of now February 2023, at https://docs.openstack.org/keystone/zed/admin/federation/introduction.html
  • How to contribute to OpenStack at https://www.openstack.org/community/

Francewhoa avatar Feb 27 '23 13:02 Francewhoa

Hello @Brut4lity, @MarcSN311, @mhurtrel, and all interested in adding 2FA for OVH :)

It seems that OVH updated their OpenStack Keystone and connected it with OVH's single sign-on, as the OVH Horizon log-in page now has three options to choose from:

  1. OpenStack Keystone
  2. OVHcloud EMEA
  3. OVHcloud World

This screenshot shows those three options:

[screenshot: screenshot---francewhoa---ksnip---2023-07-17---051325]

Both OVHcloud EMEA and OVHcloud World options include this free and optional TFA.

For those not familiar with OpenStack Keystone, it is a component of OpenStack. Keystone handles the permissions to access all OpenStack components. OpenStack powers OVH's Public Cloud.

Thanks to the OVH team for updating their Keystone :)

The remaining challenge is that, it seems, the OpenStack Keystone option does not have TFA activated by default by OVH. Does anyone know how to activate it, or how to remove it from the options to choose from? I tried the help link, but it presently does not include any information about TFA for the OpenStack Keystone option.

Francewhoa avatar Jul 17 '23 09:07 Francewhoa