x509 SSO Authentication
- nayr
- Posts: 354
- Joined: Tuesday 11 November 2014 18:42
- Target OS: Linux
- Domoticz version: github
- Location: Denver, CO - USA
- Contact:
Re: x509 SSO Authentication
awesome! thanks for the feedback
looks like I got some more wiking to do
Debian Jessie: CuBox-i4 (Primary) w/Static Routed IP and x509 / BeagleBone with OpenSprinkler / BeagleBone Planted Aquarium / 3x Raspberry Pi2b GPIO Slaves
Elemental Theme - node-domoticz-mqtt - Home Theatre Controller - AndroidTV Simple OSD Remote - x509 TLS Auth
-
- Posts: 22
- Joined: Tuesday 23 February 2016 20:16
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
- Contact:
Re: x509 SSO Authentication
Great job!!
Thanks for the Wiki. I easily secured my Domoticz behind nginx, but I'm still waiting to activate x509 authentication.
The configuration parameters aren't in Domoticz's stable release yet and there is no Android application that supports this kind of authentication (I didn't manage to find the Domoticz Lite conf params).
But I still think that this should be the preferred authentication method since we're exposing our homes to the Internet. Strong authentication should be mandatory.
Just one thing: I had to create my server certificate using the https_server template. Otherwise, there are missing extensions and the Chrome browser on my Nexus5 just didn't want to accept the certificate.
- nayr
- Posts: 354
- Joined: Tuesday 11 November 2014 18:42
- Target OS: Linux
- Domoticz version: github
- Location: Denver, CO - USA
- Contact:
Re: x509 SSO Authentication
Thanks for the feedback, I've updated that screenshot in the Wiki (force refresh) so people use the https_server template.
What configuration parameters? There are none. You can enable x509 in the current stable, the only thing that's been added since then is SSO.. all that does is associate certificates with user accounts. Until the next stable (coming soon I believe) you can just disable domoticz auth and rely on Nginx, unless you really need the user accounts.. then you can still enable the built-in auth and do it after providing a cert, still works just not automatically.
The next stable release will simply detect nginx's x509 token and associate it with any matching users.. all configuration is done in nginx really.
I've been using x509 for a couple of years like this. When I decided to add a shared tablet to the house I wanted to lock it down so it could not access protected switches/configs.. then it just took a few lines of code to get Domoticz to accept an x509 commonName for credentials.
ProTip: Get a battery backed up RTC if you set up x509 on a Pi.. guess what you can't do when the system time is set to zero, well before your cert was issued.. yeah, it just throws errors until you fix the time... your Pi will likely recover before your network and internet after a long power outage.
-
- Posts: 22
- Joined: Tuesday 23 February 2016 20:16
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
- Contact:
Re: x509 SSO Authentication
Yeah, I misspoke about the x509 authentication.
I was talking about the SSO parameters in domoticz (these ones are missing in the stable release).
I did manage to set up x509 authentication through nginx, but I had to go backwards since no Android app supports this authentication method.
Thanks for the battery tip.
I didn't think of that potential issue...
-
- Posts: 485
- Joined: Thursday 17 September 2015 10:13
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
Re: x509 SSO Authentication
Thanks for this @nayr
nayr wrote: awesome! thanks for the feedback
looks like I got some more wiking to do
I'm running Domoticz on a Raspberry Pi2 model B. I'm a bit confused after reading the wiki.
Sometimes the domoticz installation is referred to as the "Domoticz Server".
Prerequisites
- Debian derived Linux Server (Debian/Raspbian/Ubuntu/etc)
- Running Domoticz installation
Do I need a separate web server or can I run everything on my single RPi2?
Shall nginx-full always be installed on the machine running Domoticz?
I'll buy an additional web server if advised by You.
Thanks!
- nayr
- Posts: 354
- Joined: Tuesday 11 November 2014 18:42
- Target OS: Linux
- Domoticz version: github
- Location: Denver, CO - USA
- Contact:
Re: x509 SSO Authentication
Run it on the same Pi, right alongside it.. unless you already have a webserver on the edge of your network you can use, there is no reason not to.
-
- Posts: 485
- Joined: Thursday 17 September 2015 10:13
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
Re: x509 SSO Authentication
OK, thanks!
nayr wrote: Run it on the same Pi, right alongside it.. unless you already have a webserver on the edge of your network you can use, there is no reason not to.
-
- Posts: 485
- Joined: Thursday 17 September 2015 10:13
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
Re: x509 SSO Authentication
I followed your excellent wiki. I believe there is no reference to how to create the file /etc/ssl/ca/ca.crt on the server. I figured it out though. Since I'm running my Domoticz on the same machine, I had to disable Domoticz from using port 443.
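The ca.crt question above, nayr's earlier description of how nginx's x509 check hands the commonName to Domoticz for SSO, and the RTC tip all come down to the same few openssl commands, so here is one added example (not the wiki's steps and not either poster's setup): it builds the private CA behind /etc/ssl/ca/ca.crt, a server cert with the extensions the https_server template adds, and a client cert, then verifies the chain the way nginx does and reproduces the clock-at-zero failure. The file names, the CA name and the "tablet" user are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the wiki's or nayr's own scripts: build the private CA that
# /etc/ssl/ca/ca.crt stands for, a server cert with the extensions browsers want
# (what the https_server template adds), and a client cert whose CN is the
# Domoticz user name that nginx hands upstream for SSO. It also reproduces the
# RTC tip: the same client cert is rejected when the clock sits at 1970.
# File names, the CA name and the "tablet" user are made up for this example.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Private CA; nginx gets it via: ssl_client_certificate /etc/ssl/ca/ca.crt;
make_ca() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Home CA (example)" \
    -keyout ca.key -out ca.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
  openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
    -extfile ca.ext -out ca.crt 2>/dev/null
}

# 2. Server cert: without subjectAltName and serverAuth, Chrome rejects it
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=domoticz.example" \
    -keyout server.key -out server.csr 2>/dev/null
  printf 'subjectAltName=DNS:domoticz.example\nextendedKeyUsage=serverAuth\n' >server.ext
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 825 -sha256 -extfile server.ext -out server.crt 2>/dev/null
}

# 3. Client cert; $1 is the commonName, i.e. the Domoticz user it should map to
make_client_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' >client.ext
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile client.ext -out "$1.crt" 2>/dev/null
}

# The chain check nginx performs with: ssl_verify_client on;
verify_client() { openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1; }

# Same check with the system clock at the epoch (a Pi without an RTC after a
# power cut): fails with "certificate is not yet valid" until the time is fixed
verify_client_at_epoch() { openssl verify -CAfile ca.crt -attime 0 "$1.crt" >/dev/null 2>&1; }

# The subject DN nginx exposes as $ssl_client_s_dn (RFC 2253 form)
client_dn() { openssl x509 -in "$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

make_ca; make_server_cert; make_client_cert tablet
verify_client tablet && echo "tablet: chain OK, DN=$(client_dn tablet)"
verify_client_at_epoch tablet || echo "tablet: rejected with the clock at 1970, fix the RTC"
```

On the nginx side the CN reaches Domoticz only if you pass it explicitly, e.g. with proxy_set_header and $ssl_client_s_dn; the verification itself is done by ssl_verify_client, not by Domoticz.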
-
- Posts: 485
- Joined: Thursday 17 September 2015 10:13
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
Re: x509 SSO Authentication
Things are working quite well here now. I just need to set up a NAT Hairpin (Nat Inside-to-Inside / Loopback / Reflection).
Anyway, first I made my own certificates using XCA. I spent a day or so first trying to get rid of the pesky warnings on my Android device. Then I decided to try out generating certs on CACert. That worked fine and installed on the Android as expected, but I couldn't generate client certificates to log in to Domoticz with a username and password (e-mail). So I'm back using the XCA certs that are valid for the next 100 years. EgiGeoZone seems to work fine, I will test it further but it seems to be able to log in using X509 without user intervention. I'd like to thank You very much once again @nayr for your work to document this. Without You I couldn't have done it.
-
- Posts: 485
- Joined: Thursday 17 September 2015 10:13
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
Re: x509 SSO Authentication
@nayr, now I need to find out a way to access my domoticz server via API/JSON URLs using Tasker. (Tasker seems to lack support for X.509 authentication). Do You have any ideas how to do that?
- nayr
- Posts: 354
- Joined: Tuesday 11 November 2014 18:42
- Target OS: Linux
- Domoticz version: github
- Location: Denver, CO - USA
- Contact:
Re: x509 SSO Authentication
Does tasker have an ssh plugin? Maybe you can ssh w/a key and do an http get to localhost..
Install fail2ban and/or configure ssh to only use keys if you're going to also expose it to the internet.
-
- Posts: 485
- Joined: Thursday 17 September 2015 10:13
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
Re: x509 SSO Authentication
Thanks! I don't want to hi-jack this thread so I started a new thread: Accessing Domoticz with X.509 client certificate using RESTask for Tasker
gordonb3 wrote: According to this web page here tasker should be able to do it:
http://tinsley.io/2015/03/openhab-tasker-android-phone/
-
- Posts: 476
- Joined: Monday 14 March 2016 13:55
- Target OS: Linux
- Domoticz version: beta
- Location: Rome, Italy
- Contact:
Re: x509 SSO Authentication
Hi all
very nice job for security!
I'm trying to follow the wiki, but I'm stuck at
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
My RPi 3 times out and I never get the dhparam.pem
As far as I understood, it should take something like more than 12 hours to complete, or am I wrong?
I've tried with 2048 and it takes 5 minutes, but is it secure?
How can I solve it?
Thanks
Last edited by woody4165 on Friday 15 April 2016 20:40, edited 1 time in total.
Cubietruck - Linux cubietruck 4.13.16 (Debian GNU/Linux 8 (jessie)) + Domoticz + RFLink, Xiaomi Gateway, Owl USB, Yeelight Color and B/W, ESP8266, Broadlink RM2, Netatmo Thermostat
- nayr
- Posts: 354
- Joined: Tuesday 11 November 2014 18:42
- Target OS: Linux
- Domoticz version: github
- Location: Denver, CO - USA
- Contact:
Re: x509 SSO Authentication
This should help a lot:
apt-get install haveged
Description-en: Linux entropy source using the HAVEGE algorithm
haveged is a userspace entropy daemon which is not dependent upon the
standard mechanisms for harvesting randomness for the system entropy
pool. This is important in systems with high entropy needs or limited
user interaction (e.g. headless servers).
.
haveged uses HAVEGE (HArdware Volatile Entropy Gathering and Expansion)
to maintain a 1M pool of random bytes used to fill /dev/random
whenever the supply of random bits in dev/random falls below the low
water mark of the device.
-
- Posts: 476
- Joined: Monday 14 March 2016 13:55
- Target OS: Linux
- Domoticz version: beta
- Location: Rome, Italy
- Contact:
Re: x509 SSO Authentication
I have already installed 
With 2048 it takes less than 5 minutes...
- nayr
- Posts: 354
- Joined: Tuesday 11 November 2014 18:42
- Target OS: Linux
- Domoticz version: github
- Location: Denver, CO - USA
- Contact:
Re: x509 SSO Authentication
2048 is secure, I haven't tried on a RPi3, but my CuBox made it within 20mins..
-
- Posts: 476
- Joined: Monday 14 March 2016 13:55
- Target OS: Linux
- Domoticz version: beta
- Location: Rome, Italy
- Contact:
Re: x509 SSO Authentication
I've tried to follow your guide, but I got lost.
My fault, I'm not so techy to understand all the steps.
I followed the guide, easy from a step-by-step point of view, but I don't know how to check if everything on the RPi, server side, has gone well, and most of my doubts are from the client side.
Can you help me understand if on the server side everything is ok?
It seems to me that nginx is ok
xx@xxxxxx:~$ sudo service nginx status
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled)
Active: active (running) since Wed 2016-04-20 12:48:09 CEST; 11min ago
Process: xxx ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: xxx ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: xxx (nginx)
CGroup: /system.slice/nginx.service
├─xxx nginx: master process /usr/sbin/nginx -g daemon on; master_p...
├─xxx nginx: worker process
├─xxx nginx: worker process
├─xxx nginx: worker process
└─xxx nginx: worker process
First question is if from now on I have to go thru nginx also from my internal network doing something on the computers and tablet that will always remain home.
And, the main thing is what I have to do, and how, on the tablet/smartphone/computers I will use externally.
Thanks in advance
Ps: at this moment I have activated a VPN within my router, Fritzbox, so I do not open any port on domoticz and go thru it.
But it's probably more secure this way.
Re: x509 SSO Authentication
I apologize for my post here
nayr wrote: 2048 is secure, I haven't tried on a RPi3, but my CuBox made it within 20mins..

Thanks! Indy
-
- Posts: 43
- Joined: Saturday 06 August 2016 9:53
- Target OS: Windows
- Domoticz version:
- Location: Sweden
- Contact:
Re: x509 SSO Authentication
Hi and thanks for a great Wiki guide!
I'm just wondering about a thing in the nginx configuration.
See the attached image, what kind of CA cert are you referring to?
The one I previously created in the guide?
Is it still not possible to use x509 certificate with other iOS apps?
I would like to use the app Locative to send URL requests and also use the x509 authentication...
Thanks!
- Attachment: nginx.jpg (37.22 KiB)
-
- Posts: 5
- Joined: Monday 05 December 2016 8:49
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
- Contact:
Re: x509 SSO Authentication
When is the App going to support x509?