DOCSLIB.ORG

Nethserver Documentation Release 7 Final

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Nethserver Documentation Release 7 Final NethServer Documentation Release 7 Final Nethesis Sep 22, 2021 Release notes 1 Release notes 7 3 1.1 Major changes on 2020-11-26......................................3 1.2 Major changes on 2020-05-05......................................4 1.3 Major changes on 2019-10-07......................................5 1.4 Major changes on 2018-12-17......................................5 1.5 Major changes on 2018-06-11......................................6 1.6 Major changes on 2017-10-26......................................6 1.7 Major changes on 2017-07-31......................................7 1.8 Major changes on 2017-01-30......................................7 1.9 Deprecated features and packages....................................8 1.10 Upgrading NethServer 6 to NethServer 7................................9 2 Installation 11 2.1 Minimum requirements......................................... 11 2.2 Installation types............................................. 11 2.3 Installing from ISO............................................ 12 2.4 Install on CentOS............................................ 15 2.5 Next steps................................................ 15 3 Accessing the Server Manager 17 3.1 Login................................................... 17 3.2 Hints................................................... 17 3.3 Change the current password....................................... 18 3.4 Logout.................................................. 18 4 Subscription 19 4.1 Registering the system.......................................... 19 4.2 Removing a subscription......................................... 20 5 Base system 21 5.1 Network................................................. 22 5.2 Services.................................................. 25 5.3 Certificates................................................ 25 5.4 Storage.................................................. 26 5.5 Trusted networks............................................. 26 5.6 SSH.................................................... 26 5.7 Disk analyzer............................................... 27 i 5.8 Settings.................................................. 27 5.9 Logs................................................... 29 6 Applications 31 6.1 Shortcuts................................................. 31 6.2 Removing applications.......................................... 31 7 Authentication 33 7.1 Role delegation.............................................. 33 7.2 Two-factor authentication (2FA)..................................... 34 8 Software center 37 8.1 Applications installation......................................... 37 8.2 Software updates............................................. 37 9 Users and groups 41 9.1 Account providers............................................ 41 9.2 Users................................................... 46 9.3 Groups.................................................. 47 9.4 Admin account.............................................. 47 9.5 Password management.......................................... 47 9.6 Import and delete accounts from plain-text files............................. 49 10 DNS 51 10.1 Hosts................................................... 51 10.2 Alias................................................... 52 10.3 Domain redirection............................................ 52 11 DHCP and PXE server 53 11.1 DHCP configuration........................................... 53 11.2 Host IP reservation............................................ 54 11.3 Boot from network configuration.................................... 54 12 TLS policy 57 12.1 Policy 2020-05-10............................................ 57 12.2 Policy 2018-10-01............................................ 57 12.3 Policy 2018-06-21............................................ 58 12.4 Policy 2018-03-30............................................ 58 12.5 Default upstream policy......................................... 59 13 Backup 61 13.1 Settings.................................................. 61 13.2 Selective restore of files......................................... 63 14 Web server 65 14.1 Web server dashboard.......................................... 65 14.2 Settings.................................................. 66 14.3 Virtual hosts............................................... 66 14.4 Reverse proxy.............................................. 67 14.5 FTP server................................................ 69 15 Email 71 15.1 Domains................................................. 72 15.2 Filter................................................... 73 15.3 Mailboxes................................................ 76 15.4 Addresses................................................. 78 ii 15.5 Connectors................................................ 79 15.6 Synchronization............................................. 79 15.7 Queue................................................... 80 15.8 Relay................................................... 80 15.9 Settings.................................................. 82 15.10 Logs................................................... 82 15.11 Client configuration........................................... 83 15.12 Kerberos-based authentication...................................... 84 16 Webmail 85 16.1 Plugins.................................................. 85 16.2 Access.................................................. 86 16.3 Removing................................................ 86 17 Shared folders 87 17.1 Requirements............................................... 87 17.2 Authorizations.............................................. 88 17.3 Network access.............................................. 88 17.4 Network recycle bin........................................... 88 17.5 Hide a shared folder........................................... 89 17.6 Home share................................................ 89 17.7 Change resource permissions from Windows clients.......................... 89 17.8 Administrative access.......................................... 90 17.9 Auditing................................................. 90 18 Nextcloud 91 18.1 Installation................................................ 91 18.2 Configuration............................................... 92 19 Team chat (Mattermost) 95 19.1 Configuration............................................... 95 19.2 Authentication.............................................. 96 20 Chat 97 20.1 Configuration............................................... 97 20.2 Administrators.............................................. 98 20.3 Clients.................................................. 98 21 Antivirus 101 22 Firewall 103 22.1 Apply and revert............................................. 103 22.2 Policy................................................... 104 22.3 Settings.................................................. 104 22.4 Rules................................................... 105 22.5 WAN................................................... 107 22.6 Port forward............................................... 108 22.7 SNAT 1:1................................................. 110 22.8 Traffic shaping.............................................. 110 22.9 Firewall objects.............................................. 111 22.10 Connections............................................... 112 23 Web proxy 113 23.1 Authenticated mode........................................... 113 23.2 Client configuration........................................... 114 iii 23.3 SSL Proxy................................................ 114 23.4 Bypass.................................................. 114 23.5 Priority and divert rules......................................... 115 23.6 Content filter............................................... 115 23.7 Report.................................................. 116 23.8 Cache................................................... 116 23.9 Safe ports................................................. 117 23.10 Logs................................................... 117 24 Fail2ban 119 24.1 Configuration............................................... 119 24.2 Unban IP................................................. 120 24.3 Command line tools........................................... 120 25 VPN 123 25.1 OpenVPN................................................ 123 25.2 IPsec................................................... 126 26 IPS (Suricata) 127 26.1 Rule categories.............................................. 127 26.2 Bypass.................................................. 130 26.3 EveBox.................................................. 130 27 Threat shield 131 27.1 Configuration............................................... 131 27.2 Incident response............................................. 132 27.3 Statistics................................................. 132 27.4 Geo-blocking............................................... 132 28 Bandwidth monitor 135 28.1 Dashboard................................................ 135 28.2 Settings.................................................. 136 28.3 Logs................................................... 136 29 Hotspot (Dedalo) 137 29.1 How it works?.............................................. 137 29.2 How to install it............................................. 138 29.3 Configuration............................................... 138 30 FreePBX 141 30.1 Installation................................................ 141 30.2
Load more

Recommended publications
  • Monitoring Network Traffic Using Ntopng
    Monitoring Network Traffic using ntopng Luca Deri <[email protected]> © 2013 - ntop.org Outlook • What are the main activities of ntop.org ? • ntop’s view on network monitoring. • From ntop to ntopng. • ntopng architecture and design. • Using ntopng. • Advanced monitoring with ntopng. • Future roadmap items. "2 © 2013 - ntop.org About ntop.org [1/2] • Private company devoted to development of open source network traffic monitoring applications. • ntop (circa 1998) is the first app we released and it is a web-based network monitoring application. • Today our products range from traffic monitoring, high-speed packet processing, deep-packet inspection, and IDS/IPS acceleration. "3 © 2013 - ntop.org About ntop.org [2/2] • Our software is powering many commercial products... "4 © 2013 - ntop.org ntop Goals • Provide better, yet price effective, traffic monitoring solution by enabling users to have increased traffic visibility. • Go beyond standard metrics and increase traffic visibility by analysing key protocols in detail. • Provide users comprehensive and accurate traffic reports able to offer at a fraction of price what many commercial products do together. • Promote open-source software, while protecting selected IPRs. "5 © 2013 - ntop.org ntop’s Approach to Traffic Monitoring • Ability to capture, process and (optionally) transmit traffic at line rate, any packet size. • Leverage on modern multi-core/NUMA architectures in order to promote scalability. • Use commodity hardware for producing affordable, long-living (no vendor lock), scalable (use new hardware by the time it is becoming available) monitoring solutions. • Use open-source to spread the software, and let the community test it on unchartered places. "6 © 2013 - ntop.org Some History • In 1998, the original ntop has been created.
    [Show full text]
  • Mac OS X Includes Built-In FTP Support, Easily Controlled Within a fifteen-Mile Drive of One-Third of the US Population
    Cover 8.12 / December 2002 ATPM Volume 8, Number 12 About This Particular Macintosh: About the personal computing experience™ ATPM 8.12 / December 2002 1 Cover Cover Art Robert Madill Copyright © 2002 by Grant Osborne1 Belinda Wagner We need new cover art each month. Write to us!2 Edward Goss Tom Iov ino Editorial Staff Daniel Chvatik Publisher/Editor-in-Chief Michael Tsai Contributors Managing Editor Vacant Associate Editor/Reviews Paul Fatula Eric Blair Copy Editors Raena Armitage Ya n i v E i d e l s t e i n Johann Campbell Paul Fatula Ellyn Ritterskamp Mike Flanagan Brooke Smith Matt Johnson Vacant Matthew Glidden Web E ditor Lee Bennett Chris Lawson Publicity Manager Vacant Robert Paul Leitao Webmaster Michael Tsai Robert C. Lewis Beta Testers The Staff Kirk McElhearn Grant Osborne Contributing Editors Ellyn Ritterskamp Sylvester Roque How To Ken Gruberman Charles Ross Charles Ross Gregory Tetrault Vacant Michael Tsai Interviews Vacant David Zatz Legacy Corner Chris Lawson Macintosh users like you Music David Ozab Networking Matthew Glidden Subscriptions Opinion Ellyn Ritterskamp Sign up for free subscriptions using the Mike Shields Web form3 or by e-mail4. Vacant Reviews Eric Blair Where to Find ATPM Kirk McElhearn Online and downloadable issues are Brooke Smith available at http://www.atpm.com. Gregory Tetrault Christopher Turner Chinese translations are available Vacant at http://www.maczin.com. Shareware Robert C. Lewis Technic a l Evan Trent ATPM is a product of ATPM, Inc. Welcome Robert Paul Leitao © 1995–2002, All Rights Reserved Kim Peacock ISSN: 1093-2909 Artwork & Design Production Tools Graphics Director Grant Osborne Acrobat Graphic Design Consultant Jamal Ghandour AppleScript Layout and Design Michael Tsai BBEdit Cartoonist Matt Johnson CVL Blue Apple Icon Designs Mark Robinson CVS Other Art RD Novo DropDMG FileMaker Pro Emeritus FrameMaker+SGML RD Novo iCab 1.
    [Show full text]
  • Oldschool E-Mail Setup Eine Freakshow
    Oldschool E-mail Setup Eine Freakshow [email protected] Chemnitzer Linuxtage, 2016 (Screenshot GMX vor >15 Jahren: Waybackmachine zu www.gmx.net) (Screenshot GMX heute) (Screenshot Gmail heute) Lösungen? ● Claws ● Mutt ● Eudora ● Netscape Navigator ● Evolution ● Opera M2 ● GMX ● Outlook ● Gnus ● SquirrelMail ● Hotmail ● The Bat! ● Hushmail ● Thunderbird ● KMail ● … Flußgrafik Email Netz MTA MRA MDA MUA MSA MTA Netz Hipster! ● KISS ● YAGNI ● DRY ● NIH ● Divide And Conquer ● Everything is a file ● No vendor lock-in ● Mißtraue Autoritäten – fördere Dezentralisierung Netz Netz Emails Client, den ich Remote verwenden kann Leicht erweiterbar Emails lokal Filter Offenes Format Adressen Netz Netz Abholen Transportformat? Pull Subject 1 Email = 1 File Keine Spuren X-List-ID Mit Hierarchien am Server Beliebige Einfaches Suchen Header Verlässliches Suchen Verarbeitung mit Unix Tools Client, den ich Remote verwenden kann Leicht erweiterbar Emails lokal Filter Offenes Format Adressen Netz Netz Abholen Transportformat? Pull Subject 1 Email = 1 File Keine Spuren X-List-ID Mit Hierarchien am Server Beliebige Einfaches Suchen Header Verlässliches Suchen Verarbeitung mit Unix Tools mbox Maildir mh Client, den ich Remote verwenden kann Leicht erweiterbar Emails lokal Filter Offenes Format Adressen Netz Netz Abholen Transportformat? Pull Subject 1 Email = 1 File Keine Spuren X-List-ID Mit Hierarchien am Server Beliebige Einfaches Suchen Header Verlässliches Suchen Verarbeitung mit Unix Tools mbox Maildir mh tmp 1439306571.1269_0.elvis ~/Post/Technik/Wikitech new 1448267819.5940_0.spencer ... 1457079728.2000_0.spencer:2, cur 1456839383.9873_0.nepomuk:2,SR 1457166567.23654_0.spencer:2,S ... Client, den ich Remote verwenden kann Leicht erweiterbar Filter Adressen Netz Netz Abholen Pull Subject Maildir Keine Spuren X-List-ID am Server Beliebige Header Client, den ich Remote verwenden kann Leicht erweiterbar Filter Adressen Netz Netz Abholen Pull Subject Maildir Keine Spuren X-List-ID am Server Beliebige Header fetchmail getmail mpop ..
    [Show full text]
  • Nextcloud Desktop Client for Linux
    EOAS Help Desk Portal > Knowledgebase > Linux > NextCloud desktop client for Linux NextCloud desktop client for Linux Tom Yerex - 2020-02-19 - 0 Comments - in Linux Access to the EOAS NextCloud server can occur over several different protocols including WebDAV and over the web using a browser. The NextCloud desktop client synchronizes files and folders from your Linux workstation to the NextCloud server. Once the Linux desktop client is installed and you have it configured, the client will periodically check the server for updated files, as well as copy updated files from your workstation to the server. To begin to use the NextCloud Linux desktop client, visit the NextCloud web site at https://nextcloud.com/install/#install-clients, select Linux , on the same page below read the paragraph about Nextcloud Desktop client packages for your Linux distribution. Once you have downloaded the client specific to your operating system, you must follow the distribution-specific steps for installing the client. The desktop agent will prompt at launch for the server address, user name, password, and finally the files/folders that you wish to synchronize. Server: owncloud.eoas.ubc.ca User name: <your EOAS account> Password: <your EOAS password> Once the initial configuration is complete, the NextCloud desktop client will begin to synchronize files/folders with the server, pulling down any files that you may have on the server as well as uploading any new files you have on your local desktop. If you have any questions or concerns, please contact the EOAS IT Help Desk, by email at [email protected], or by using our contact form..
    [Show full text]
  • Ntopng User's Guide
    ! !!" ! ! ! ! ! ! ! ! ! ! ! ! ntopng User’s Guide" High-Speed Web-based Traffic Analysis and Flow Collection " ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! Version 1.2" August 2014!" ! ! © 1998-14 - ntop.org" ntopng User’s Guide v.1.2 1.Table of Contents" ! 1. What’s New?"......................................................................................3" 2.It’s time for a completely new ntop."............................................................5" 3. Introduction"..............................................................................................6" 3.1. The main design principles"................................................................7" 3.2. What ntopng can do for me?"..............................................................7" 3.3. ntopng Architecture"..........................................................................9" 3.4. Download ntopng"............................................................................10" 4.Using ntopng"...........................................................................................11" 4.1. Compiling ntopng Source Code".......................................................11" 4.2. Installing a Binary ntopng"................................................................11" 4.3. ntopng Command Line Options".......................................................11" 4.4. ntopng on Windows".........................................................................16" 5. API Scripting Lua".....................................................................................18"
    [Show full text]
  • Bleach Documentation Release 3.0.1 20181009
    Bleach Documentation Release 3.0.1 20181009 Will Kahn-Greene Oct 09, 2018 Contents 1 Reporting Bugs 3 2 Security 5 3 Installing Bleach 7 4 Upgrading Bleach 9 5 Basic use 11 6 Code of conduct 13 7 Contents 15 7.1 Sanitizing text fragments......................................... 15 7.2 Linkifying text fragments........................................ 23 7.3 Goals of Bleach............................................. 29 7.4 Bleach development........................................... 32 7.5 Bleach changes.............................................. 34 8 Indices and tables 43 i ii Bleach Documentation, Release 3.0.1 20181009 Bleach is an allowed-list-based HTML sanitizing library that escapes or strips markup and attributes. Bleach can also linkify text safely, applying filters that Django’s urlize filter cannot, and optionally setting rel attributes, even on links already in the text. Bleach is intended for sanitizing text from untrusted sources. If you find yourself jumping through hoops to allow your site administrators to do lots of things, you’re probably outside the use cases. Either trust those users, or don’t. Because it relies on html5lib, Bleach is as good as modern browsers at dealing with weird, quirky HTML fragments. And any of Bleach’s methods will fix unbalanced or mis-nested tags. The version on GitHub is the most up-to-date and contains the latest bug fixes. You can find full documentation on ReadTheDocs. Code https://github.com/mozilla/bleach Documentation https://bleach.readthedocs.io/ Issue tracker https://github.com/mozilla/bleach/issues IRC #bleach on irc.mozilla.org License Apache License v2; see LICENSE file Contents 1 Bleach Documentation, Release 3.0.1 20181009 2 Contents CHAPTER 1 Reporting Bugs For regular bugs, please report them in our issue tracker.
    [Show full text]
  • Empire News Spring 2009 (PDF 5733Kb)
    STATE UNIVERSITY OF NEW YORK Empire State College ALUMNI AND STUDENT NEWS VOLUME 34 • NUMBER 2 • SPRING 2009 Green Matters Cleansing Global Waters Marine Conservation in Alaska Energy in the Sunshine State Learners First Campaign Highlights Please recycle after reading Empire State College ALUMNI AND STUDENT NEWS C o n t e n t s VOLUME 34 • NUMBER 2 • SPRING 2009 Alan R. Davis President Mary Caroline Powers FEATURES Associate Vice President for Communications and Upfront . 1 Government Relations Publisher A Clear Initiative . 2 Maureen Winney Director of Alumni and Student Relations Water Woman . 3 Managing Editor Hope Ferguson Empire State College’s Adirondack Residency . 4 Community Relations Associate Editor A Planetary View from Alaska . 6 Gael Fischer Director of Publications/Designer Green Makeover: Home Edition . 8 Debra Park Secretary, Office of Communications and Recycling Electronics Could Create “Green Collar” Jobs. 10 Government Relations Alison’s Art . 11 Alumni News and Copy Editor Helping Haiti While So Far from Home . 12 CONTRIBUTORS Hugh Hammett The Jolly Green Garbage Man . 13 Vice President for External Affairs Evelyn Buchanan ‘99 Can a Mother’s Cause Have an Effect? . 15 Executive Director of the Foundation Diane Thompson Empire State College Going Green . 16 Director of Annual Giving Alta Schallehn Director of Gift Planning David Regan White ‘05 AROUND EMPIRE STATE COLLEGE Coordinator of Alumni Services Rebecca Smith LaVallee College News . 17 Assistant Director of Alumni and Student Relations Alumni News . 18 WRITERS Back to You . 21 William Ehmann, Rick Iuli, Day at the Races . 24 Liz W. Armtun, Kathryn Gallien, Kirk Starczewski, Tom Dimopoulos, Marie Morrison ‘06, Barbara Fischkin PHOTOGRAPHY On the cover Cover: Lake George and The Narrows from First Peak, Adirondacks N.Y.
    [Show full text]
  • Server Administration Manual Release Latest
    Nextcloud Server Administration Manual Release latest The Nextcloud developers Oct 01, 2021 CONTENTS 1 Introduction 1 1.1 Videos and blogs.............................................1 1.2 Target audience..............................................1 2 Release notes 3 3 Maintenance and release schedule5 3.1 Major releases..............................................5 3.2 Maintenance releases...........................................5 3.3 Older versions..............................................6 4 Installation and server configuration7 4.1 System requirements...........................................7 4.2 Deployment recommendations......................................9 4.3 Installation on Linux...........................................9 4.4 Installation wizard............................................ 17 4.5 Installing from command line...................................... 21 4.6 Supported apps.............................................. 22 4.7 SELinux configuration.......................................... 24 4.8 NGINX configuration.......................................... 27 4.9 Hardening and security guidance.................................... 36 4.10 Server tuning............................................... 40 4.11 Example installation on Ubuntu 20.04 LTS............................... 42 4.12 Example installation on CentOS 8.................................... 44 4.13 Example installation on OpenBSD.................................... 48 5 Nextcloud configuration 53 5.1 Warnings on admin page........................................
    [Show full text]
  • Diplomarbeit Kalenderstandards Im Internet
    Diplomarbeit Kalenderstandards im Internet Eingereicht von Reinhard Fischer Studienkennzahl J151 Matrikelnummer: 9852961 Diplomarbeit am Institut für Informationswirtschaft WIRTSCHAFTSUNIVERSITÄT WIEN Studienrichtung: Betriebswirtschaft Begutachter: Prof. DDr. Arno Scharl Betreuender Assistent: Dipl.-Ing. Mag. Dr. Albert Weichselbraun Wien, 20. August 2007 ii Inhaltsverzeichnis Abbildungsverzeichnis vi Abkürzungsverzeichnis vii 1 Einleitung 1 1.1 Problemstellung . 1 1.2 Inhalt und Vorgehensweise . 3 2 Standards für Kalender im Internet 5 2.1 iCalendar und darauf basierende Standards . 6 2.1.1 iCalendar und vCalendar . 6 2.1.2 Transport-Independent Interoperability Protocol (iTIP) . 8 2.1.3 iCalendar Message-Based Interoperability Protocol (iMIP) . 8 2.1.4 iCalendar über WebDAV (WebCAL) . 10 2.1.5 Storage of Groupware Objects in WebDAV (GroupDAV) . 11 2.1.6 Calendaring and Scheduling Extensions to WebDAV (CalDAV) . 12 2.1.7 IETF Calendar Access Protocol (CAP) . 13 2.2 XML-basierte Formate . 15 2.2.1 XML iCalendar (xCal) . 15 2.2.2 RDF Calendar (RDFiCal) . 16 2.2.3 RDFa (RDF/A) . 16 2.2.4 OWL-Time . 17 2.3 Mikroformate (hCalendar) . 18 2.4 SyncML . 20 2.5 Weitere Formate . 21 2.6 Zusammenfassung . 22 iii 3 Offene Kalenderanwendungen im Internet 24 3.1 Server . 24 3.1.1 Citadel/UX . 24 3.1.2 Open-Xchange . 26 3.1.3 OpenGroupware.org . 26 3.1.4 Kolab2 . 27 3.1.5 Weitere Server . 28 3.2 Clients . 29 3.2.1 Mozilla Calendar Project . 29 3.2.2 KDE Kontact . 30 3.2.3 Novell Evolution . 30 3.2.4 OSAF Chandler . 31 3.2.5 Weitere Open-Source- und Closed-Source-Clients .
    [Show full text]
  • Trend Micro Worry-Free Business Security 9.0 SP1 Administrator's
    Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at: http://docs.trendmicro.com/en-us/smb/worry-free-business-security.aspx Trend Micro, the Trend Micro t-ball logo, TrendProtect, TrendSecure, Worry-Free, OfficeScan, ServerProtect, PC-cillin, InterScan, and ScanMail are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Copyright © 2014. Trend Micro Incorporated. All rights reserved. Document Part No.: WFEM96626/140825 Release Date: September 2014 Protected by U.S. Patent No.: 5,951,698 and 7,188,369 This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product. Detailed information about how to use specific features within the product may be available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge Base. Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected]. Evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp Table
    [Show full text]
  • Captive Portal Authentication Via Twitter
    Grandstream Networks, Inc. Captive Portal Authentication via Twitter Table of Content SUPPORTED DEVICES ................................................................................................. 4 INTRODUCTION ............................................................................................................. 5 CAPTIVE PORTAL SETTINGS ...................................................................................... 6 Policy Configuration Page .................................................................................................................... 6 Landing Page Redirection ............................................................................................................... 10 Pre-Authentication Rules ................................................................................................................ 10 Post-Authentication Rules ............................................................................................................... 10 Guest Page ........................................................................................................................................ 10 CONFIGURATION STEPS............................................................................................ 12 Create Twitter App .............................................................................................................................. 12 Configure Captive Portal Policy with Twitter Authentication ................................................................. 15 Assign
    [Show full text]
  • Threats and Vulnerabilities in Federation Protocols and Products
    Threats and Vulnerabilities in Federation Protocols and Products Teemu Kääriäinen, CSSLP / Nixu Corporation OWASP Helsinki Chapter Meeting #30 October 11, 2016 Contents • Federation Protocols: OpenID Connect and SAML 2.0 – Basic flows, comparison between the protocols • OAuth 2.0 and OpenID Connect Vulnerabilities and Best Practices – Background for OAuth 2.0 security criticism, vulnerabilities related discussion and publicly disclosed vulnerabilities, best practices, JWT, authorization bypass vulnerabilities, mobile application integration. • SAML 2.0 Vulnerabilities and Best Practices – Best practices, publicly disclosed vulnerabilities • OWASP Top Ten in Access management solutions – Focus on Java deserialization vulnerabilites in different commercial and open source access management products • Forgerock OpenAM, Gluu, CAS, PingFederate 7.3.0 Admin UI, Oracle ADF (Oracle Identity Manager) Federation Protocols: OpenID Connect and SAML 2.0 • OpenID Connect is an emerging technology built on OAuth 2.0 that enables relying parties to verify the identity of an end-user in an interoperable and REST-like manner. • OpenID Connect is not just about authentication. It is also about authorization, delegation and API access management. • Reasons for services to start using OpenID Connect: – Ease of integration. – Ability to integrate client applications running on different platforms: single-page app, web, backend, mobile, IoT. – Allowing 3rd party integrations in a secure, interoperable and scalable manner. • OpenID Connect is proven to be secure and mature technology: – Solves many of the security issues that have been an issue with OAuth 2.0. • OpenID Connect and OAuth 2.0 are used frequently in social login scenarios: – E.g. Google and Microsoft Account are OpenID Connect Identity Providers. Facebook is an OAuth 2.0 authorization server.
    [Show full text]