
FreeIPA self-service account management portal

FreeIPA self-service account management tool

What is mokey?

mokey is a web application that provides self-service user account management tools for FreeIPA. The motivation for this project was to implement the self-service account creation and password reset functionality missing in FreeIPA. This feature is not provided by default in FreeIPA; see here for more info and the rationale behind this decision. mokey is not a FreeIPA plugin but a complete standalone application that uses the FreeIPA JSON API. mokey requires no changes to the underlying LDAP schema and uses a MariaDB database to store access tokens. The user experience and web interface can be customized to fit an organization's look and feel. mokey is written in Go and released under a modified BSD license.

Project status

mokey should be considered alpha software and used at your own risk. There are inherent security risks in providing features like self-service password resets, which can make your systems vulnerable to abuse.

Features

  • Account Signup
  • Forgot/Change Password
  • Add/Remove SSH Public Keys
  • Add/Remove TOTP Tokens
  • Enable/Disable Two-Factor Authentication
  • Hydra Consent/Login Endpoint for OAuth/OpenID Connect
  • Easy to install and configure (requires no FreeIPA/LDAP schema changes)

Requirements

  • FreeIPA v4.5.0
  • Linux x86_64
  • Redis (optional)
  • Hydra v1.0.0 (optional)

Install

Note: mokey needs to be installed on a machine already enrolled in FreeIPA. It's also recommended to have the ipa-admintools package installed. Enrolling a host in FreeIPA is outside the scope of this document.

To install mokey download a copy of the pre-compiled binary here.

tar.gz archive:

$ tar xvzf mokey-VERSION-linux-x86_64.tar.gz

deb, rpm packages:

$ sudo dpkg -i mokey_VERSION_amd64.deb

$ sudo rpm -ivh mokey-VERSION-amd64.rpm

Setup and configuration

Create a user account and role in FreeIPA with the "Modify users and Reset passwords" privilege. This user account will be used by the mokey application to reset users' passwords. The "Modify Users" permission also needs to have "ipauserauthtype" enabled. Run the following commands (requires ipa-admintools to be installed):

$ mkdir /etc/mokey/private
$ kinit adminuser
$ ipa role-add 'Mokey User Manager' --desc='Mokey User management'
$ ipa role-add-privilege 'Mokey User Manager' --privilege='User Administrators'
$ ipa user-add mokeyapp --first Mokey --last App
$ ipa role-add-member 'Mokey User Manager' --users=mokeyapp
$ ipa permission-mod 'System: Modify Users' --includedattrs=ipauserauthtype
$ ipa-getkeytab -s [your.ipa-master.server] -p mokeyapp -k /etc/mokey/private/mokeyapp.keytab
$ chmod 640 /etc/mokey/private/mokeyapp.keytab
$ chgrp mokey /etc/mokey/private/mokeyapp.keytab

Edit the mokey configuration file and set the path to the keytab file. The values for token_secret and csrf_secret will be generated automatically if left blank. Set these secret values if you'd like sessions to persist after a restart. For other site-specific config options see here:

$ vim /etc/mokey/mokey.toml
# Path to keytab file
keytab = "/etc/mokey/private/mokeyapp.keytab"

# Secret key for branca tokens. Must be 32 bytes. To generate run:
#    openssl rand -hex 32 
token_secret = ""

# CSRF token secret key. Should be a random string
csrf_secret = ""

It's highly recommended to run mokey using HTTPS. You'll need an SSL cert/private_key either using FreeIPA's PKI, self-signed, or from a commercial certificate authority. Creating SSL certs is outside the scope of this document. You can also run mokey behind haproxy or Apache/Nginx.

Start mokey service:

$ systemctl restart mokey
$ systemctl enable mokey

SSH Public Key Management

mokey allows users to add/remove SSH public keys. Servers that are enrolled in FreeIPA can be configured to have sshd look up users' public keys in LDAP by adding the following lines to /etc/ssh/sshd_config and restarting sshd:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

Hydra Consent and Login Endpoint for OAuth/OpenID Connect

mokey implements the login/consent flow for handling challenge requests from Hydra. This serves as the bridge between Hydra and the FreeIPA identity provider. For more information on Hydra and the login/consent flow see here.

To configure the Hydra login/consent flow set the following variables in /etc/mokey/mokey.toml:

[hydra]
admin_url = "http://127.0.0.1:4445"
login_timeout = 86400
fake_tls_termination = true

Any OAuth clients configured in Hydra will be authenticated via mokey using FreeIPA as the identity provider. For an example OAuth 2.0/OIDC client application see here.
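The login half of that flow is a three-step exchange with Hydra's admin API: Hydra redirects the browser to the login endpoint with a login_challenge, the endpoint fetches the pending request from the admin API, and after authenticating the user it accepts the challenge and sends the browser to the URL Hydra returns. The Go program below is an added example, not mokey's own code. It uses the Hydra v1 admin endpoints GET /oauth2/auth/requests/login and PUT /oauth2/auth/requests/login/accept; the FreeIPA credential check is replaced by a stub, the Hydra server is a constructed fake so it runs offline, the consent step is omitted, and passing the 86400 from login_timeout above through as remember_for is an assumption about how that setting is used.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// LoginRequest is the part of Hydra's pending login request the endpoint acts on.
type LoginRequest struct {
	Skip    bool   `json:"skip"`    // Hydra already holds a session for this browser
	Subject string `json:"subject"` // who that session belongs to (only meaningful when Skip)
}

// HydraAdmin is a minimal client for Hydra's admin API (the admin_url above).
type HydraAdmin struct{ BaseURL string }

// call sends one admin-API request with the login_challenge as a query
// parameter and decodes Hydra's JSON reply into out.
func (h *HydraAdmin) call(method, path, challenge string, body, out interface{}) error {
	var buf bytes.Buffer
	if body != nil {
		json.NewEncoder(&buf).Encode(body) // plain map of strings/bools/ints: cannot fail
	}
	u := h.BaseURL + path + "?login_challenge=" + url.QueryEscape(challenge)
	req, err := http.NewRequest(method, u, &buf)
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("hydra %s %s: HTTP %d", method, path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// AcceptLogin tells Hydra which subject authenticated and returns the URL the
// browser must be redirected to so the OAuth flow can continue.
func (h *HydraAdmin) AcceptLogin(challenge, subject string, remember bool, rememberFor int) (string, error) {
	body := map[string]interface{}{"subject": subject, "remember": remember, "remember_for": rememberFor}
	out := map[string]string{}
	err := h.call(http.MethodPut, "/oauth2/auth/requests/login/accept", challenge, body, &out)
	return out["redirect_to"], err
}

// HandleLogin is the login endpoint's decision for one challenge: fetch the
// request, verify credentials (auth stands in for the FreeIPA check) only if
// Hydra has no session for this browser, then accept.
func HandleLogin(h *HydraAdmin, auth func(username, password string) bool, challenge, username, password string, rememberFor int) (string, error) {
	var lr LoginRequest
	if err := h.call(http.MethodGet, "/oauth2/auth/requests/login", challenge, nil, &lr); err != nil {
		return "", err
	}
	if lr.Skip { // Hydra remembers this browser: reuse its subject, do not re-prompt
		return h.AcceptLogin(challenge, lr.Subject, false, 0)
	}
	if !auth(username, password) {
		return "", fmt.Errorf("login rejected for %q", username)
	}
	return h.AcceptLogin(challenge, username, true, rememberFor)
}

// NewFakeHydra is a constructed stand-in for the Hydra admin API holding one
// pending challenge, so the exchange can be exercised offline.
func NewFakeHydra(challenge string, skip bool, subject string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth2/auth/requests/login", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Query().Get("login_challenge") != challenge {
			http.Error(w, "unknown challenge", http.StatusNotFound)
			return
		}
		json.NewEncoder(w).Encode(LoginRequest{Skip: skip, Subject: subject})
	})
	mux.HandleFunc("/oauth2/auth/requests/login/accept", func(w http.ResponseWriter, r *http.Request) {
		var body struct {
			Subject string `json:"subject"`
		}
		if r.Method != http.MethodPut || r.URL.Query().Get("login_challenge") != challenge ||
			json.NewDecoder(r.Body).Decode(&body) != nil || body.Subject == "" {
			http.Error(w, "bad accept request", http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"redirect_to": "https://hydra.example/oauth2/auth?login_verifier=constructed-" + body.Subject})
	})
	return httptest.NewServer(mux)
}

func main() {
	hydra := NewFakeHydra("chal-1", false, "")
	auth := func(u, p string) bool { return u == "alice" && p == "correct-horse" } // constructed credentials
	fmt.Println(HandleLogin(&HydraAdmin{BaseURL: hydra.URL}, auth, "chal-1", "alice", "correct-horse", 86400))
}
```

The security-relevant branch is the skip check: when Hydra reports that it still has a session, the endpoint must accept with Hydra's own subject and must not let the caller choose one, and an unknown or expired challenge is rejected by Hydra rather than trusted from the request.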

Building from source

First, you will need Go v1.19 or greater. Clone the repository:

$ git clone https://github.com/ubccr/mokey
$ cd mokey
$ go build .

License

mokey is released under a BSD style license. See the LICENSE file.
