[openstack-dev] [Keystone] Multi-factor Auth with Keystone and TOTP

Adrian Turjak adriant at catalyst.net.nz
Mon Jul 18 04:20:43 UTC 2016


I've been looking at options for doing multi-factor auth (MFA) on our
infrastructure and I'm just wanting to know if the option I've decided
to go with seems sensible.

As context, we are running stock Keystone (to be backed by LDAP), we
wanted to be able to enable MFA on a per user basis, and a user with MFA
enabled should either be blocked from using the APIs or be required to
use MFA to use the APIs.

I was looking at the current TOTP module in keystone, but seeing as that
simply adds another optional Auth method to keystone it seems fairly
useless for our needs. Unless I'm missing something, there seems to be
no way in Keystone to enforce "use these two auth methods together". Is
that the case? If not, it is something that has been considered? Or it
is assumed people will write their own auth plugins rather than
combining existing ones?

From there I went toward writing our own Keystone Auth plugin and had a
lot of success with that. The current iteration is a combination of the
password and totp plugins where for users with TOTP credentials we
expect a 6-digit passcode appended to the password. In the config I then
replace the default password plugin with my own.

In testing this seems to work as intended. All normal users are
unaffected while users with a TOTP credential now must append their
passcode to their password.

I've made a blueprint for this plugin:

and the code I am currently testing is in the associated review:

If this plugin is useful to others, and this seems like a sensible
solution, I will write some unit tests and work on getting it merged.

So, my main question, does this plugin seem like a sensible solution to
MFA in OpenStack in the way we needed or are there other paths I should
be going down?

-Adrian Turjak
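A stand-alone sketch of the password-plus-passcode check this message describes, added here as an illustration; it is not Keystone's TOTP module, the stock password plugin, or the plugin under review. RFC 4226 HOTP / RFC 6238 TOTP are implemented inline with the standard library; the user table, the `authenticate` function, its field names, the one-step drift window and the fixed 30-second step are constructed for the example. The second user's secret is the RFC 6238 test key so the codes can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample "credential store" (not Keystone's schema): a user with a
# TOTP credential carries a base32 secret, a user without one carries None.
# bob's secret is base32("12345678901234567890"), the RFC 6238 test key.
USERS = {
    "alice": {"password": "correct horse", "totp_secret": None},
    "bob":   {"password": "battery staple",
              "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
}

STEP = 30      # assumed time step, as in RFC 6238's reference values
DIGITS = 6     # the 6-digit passcode the post describes


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, at // step, digits)


def totp_valid(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring
    steps to tolerate clock drift; always walk the whole window so the
    comparison count does not depend on which step matched."""
    matched = False
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, at // STEP + drift)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = True
    return matched


def authenticate(username: str, submitted: str, at: int = None) -> bool:
    """Combined password + TOTP check in the shape the post describes:
    a user without a TOTP credential is checked on the password alone;
    a user with one must append the 6-digit passcode to the password."""
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None:
        return False
    stored_pw = user["password"].encode()
    secret = user["totp_secret"]
    if secret is None:
        # No TOTP credential: plain password check, unchanged for these users.
        return hmac.compare_digest(stored_pw, submitted.encode())
    if len(submitted) <= DIGITS:
        return False
    password, code = submitted[:-DIGITS], submitted[-DIGITS:]
    if not code.isdigit():
        return False
    # Evaluate both factors unconditionally so a wrong password and a wrong
    # passcode take the same path; only the combined verdict is returned.
    pw_ok = hmac.compare_digest(stored_pw, password.encode())
    code_ok = totp_valid(secret, code, at)
    return pw_ok and code_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 vector: 6-digit SHA1 code at T=59 is 287082
    print("alice, password only:", authenticate("alice", "correct horse", t))
    print("bob, password only:  ", authenticate("bob", "battery staple", t))
    print("bob, password+code:  ", authenticate("bob", "battery staple287082", t))
```

Note that because the passcode is carved off the end of a single string, a password that itself ends in six digits is still fine for users without a TOTP credential, but for TOTP users the split is positional, so nothing about the password format can be assumed by the verifier.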
