Rev 1
Two-factor authentication w/ privacyIDEA and YubiKey

privacyIDEA is a modular authentication server that adds two-factor authentication to existing applications: local login, VPN, remote access, SSH connections and access to web sites or web portals.
privacyIDEA: website, GitHub
Yubico: website (affiliate links)
Setup and configuration have been tested with:
- Ubuntu 20.04 (Focal Fossa)
- privacyIDEA 3.5.2
- YubiKey 5 NFC
Prerequisites
- YubiKey 5 NFC (optional)
- YubiKey Personalization Tool (optional)
Configuration files
Install community edition
We will use privacyIDEA and its FreeRADIUS plugin together with a YubiKey 5 NFC (from Yubico) to enforce two-factor authentication and apply a role-based access control (RBAC) approach. We keep user accounting simple by reading users from the local /etc/passwd file and using that as the privacyIDEA resolver (instead of e.g. LDAP or SQL; you can read more about resolvers here). For hands-on experience we will use the privacyIDEA authentication server to protect access to the Greenbone Vulnerability Manager's user interface.
TIP
This is the first revision of the privacyIDEA guide. We will cover more of the modular options, e.g. LDAP as a resolver, in future revisions. If there is a particular configuration you would like covered, feel free to create a new Feature request.
To get started, download the NetKnights repository signing key.
server@ubuntu:~$ wget https://lancelot.netknights.it/NetKnights-Release.asc
Next show the key without importing it (--import-options show-only) and confirm that the fingerprint matches the value below, and the one NetKnights publishes, before trusting it.
server@ubuntu:~$ sudo gpg --import --import-options show-only --with-fingerprint NetKnights-Release.asc
pub rsa4096 2017-05-16 NetKnights GmbH <[email protected]>
Key fingerprint = 0940 4ABB EDB3 586D EDE4 AD22 00F7 0D62 AE25 0082
Continue by adding the key to apt's trusted keyring. On Ubuntu 20.04 apt-key still works; on newer releases it is deprecated in favour of a keyring file referenced with a signed-by option in the sources list.
server@ubuntu:~$ sudo apt-key add NetKnights-Release.asc
OK
Now we need to add the repository for the specific release (in this case Ubuntu 20.04).
server@ubuntu:~$ sudo add-apt-repository http://lancelot.netknights.it/community/focal/stable
server@ubuntu:~$ sudo apt-get update
TIP
If you prefer nginx, install the privacyidea-nginx package instead of privacyidea-apache2.
With the package lists updated, install privacyIDEA.
server@ubuntu:~$ sudo apt-get install privacyidea-apache2
_ _______ _______
___ ____(_) _____ _______ __/ _/ _ \/ __/ _ |
/ _ \/ __/ / |/ / _ `/ __/ // // // // / _// __ |
/ .__/_/ /_/|___/\_,_/\__/\_, /___/____/___/_/ |_|
/_/ /___/
Running online
Let's create the administration account (pi-manage prompts for its password).
server@ubuntu:~$ sudo pi-manage admin add admin -e admin@localhost
Admin admin was registered successfully.
Once the administrator account exists and the firewall settings below have been applied, the web interface is reachable at https://192.168.0.1 (the address of the privacyIDEA host throughout this guide); log in as the admin user with the password you set.

privacyIDEA FreeRADIUS plugin
Now we will install the privacyIDEA freeRADIUS plugin, which we will be using to enable RADIUS for Greenbone Vulnerability Manager.
server@ubuntu:~$ sudo apt-get install privacyidea-radius
In clients.conf we add our client(s), which in this case is our Greenbone Vulnerability Manager: its IP address and a shared secret. The secret is what FreeRADIUS uses to obfuscate the User-Password attribute on the wire and to authenticate its replies, so on a real deployment it must be long and random (e.g. the output of openssl rand -hex 32) and must never be the shipped default. This walkthrough keeps testing123 only so that the radclient test later on the page matches; replace it on both sides (here and in GSA) before exposing the server to the network.
server@ubuntu:~$ sudo -i
root@ubuntu:~# nano /etc/freeradius/3.0/clients.conf
#client example.org {
#    ipaddr = radius.example.org
#    secret = testing123
#}
client GVM {
    ipaddr = 192.168.0.3
    secret = testing123
}
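To make concrete what the shared secret does, here is an added Python example (not code from FreeRADIUS, privacyIDEA or this page's author) that builds the Access-Request radclient sends and validates an Access-Accept the way a RADIUS client must. It uses this page's values (user mail, password mail123456 where 123456 stands in for an OTP, secret testing123); the function names and everything else are the example's own.

```python
# Added example (not code from the privacyIDEA or FreeRADIUS projects): a
# minimal RFC 2865 Access-Request / Access-Accept exchange showing what the
# shared secret from clients.conf protects. User name, PIN+OTP and the secret
# testing123 are the values used on this page; the OTP digits are illustrative.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_password; with the wrong secret the result is garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")  # strips padding; passwords ending in NUL are not supported


def attribute(atype: int, value: bytes) -> bytes:
    """One attribute TLV: type, total length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes, ident: int):
    """Returns (packet, request_authenticator); the authenticator is 16 random bytes."""
    request_auth = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(
        ATTR_USER_PASSWORD, encode_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def parse_request(packet: bytes, secret: bytes) -> dict:
    """Server side: walk the attribute TLVs and recover User-Name / User-Password."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    request_auth, pos, out = packet[4:20], 20, {}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            out["User-Name"] = value.decode(errors="replace")
        elif atype == ATTR_USER_PASSWORD:
            out["User-Password"] = decode_password(value, secret, request_auth).decode(errors="replace")
        pos += alen
    return out


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """A client must check this before honouring an Access-Accept: a reply forged
    without the secret, or a reply to a different request, fails here."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"testing123"
    req, auth = build_access_request("mail", "mail123456", secret, 61)
    print("request length", len(req), parse_request(req, secret))  # 44, like the radclient trace
    reply = build_response(ACCESS_ACCEPT, 61, auth,
                           attribute(ATTR_REPLY_MESSAGE, b"privacyIDEA access granted"), secret)
    print("reply length", len(reply), "authentic:", response_is_authentic(reply, auth, secret))  # 48 True
    print("with wrong secret:", response_is_authentic(reply, auth, b"wrong"))  # False
```

The 44-byte request and 48-byte reply match the sizes in the radclient trace later on this page. Anyone who knows the secret can decode User-Password from a captured packet and forge an Access-Accept that passes the client's check, which is why the secret has to be unguessable and why the RADIUS port should only be reachable from the configured clients.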
In the sites-enabled folder you will find the privacyIDEA virtual server definition. Leave it at its default: the perl-privacyidea module runs in the authorize section and, when it returns ok or updated, sets Auth-Type to Perl so that the same module performs the authentication against privacyIDEA.
root@ubuntu:~# cd /etc/freeradius/3.0/sites-enabled/
root@ubuntu:~# cat privacyidea
server {
    authorize {
        #files
        perl-privacyidea
        if (ok || updated) {
            update control {
                Auth-Type := Perl
            }
        }
    }
    listen {
        type = auth
        ipaddr = *
        port = 0
    }
    authenticate {
        Auth-Type Perl {
            perl-privacyidea
        }
    }
}
The perl-privacyidea module referenced above is enabled in the mods-enabled directory, where mods-perl-privacyidea points at the privacyidea_radius.pm module file. Leave the default settings.
root@ubuntu:~# cd /etc/freeradius/3.0/mods-enabled/
root@ubuntu:~# cat mods-perl-privacyidea
perl perl-privacyidea {
    filename = /usr/share/privacyidea/freeradius/privacyidea_radius.pm
}
Configure privacyIDEA
With the local FreeRADIUS plugin configured and the Greenbone Vulnerability Manager added as a client, we now point the plugin at the privacyIDEA authentication server. The plugin does not have to run on the same host as privacyIDEA: the URL in rlm_perl.ini decides where the /validate/check requests go. In this tutorial we leave the default localhost. Note that SSL_CHECK = false disables certificate verification, which is tolerable for a loopback URL only; if you point URL at a remote privacyIDEA host, set SSL_CHECK = true and give that host a certificate the RADIUS server trusts, otherwise anyone on the path between the two could answer with a fake "access granted". Consider also setting REALM so that only users of the intended realm can authenticate through this RADIUS client.
root@ubuntu:~$ exit
server@ubuntu:~$ sudo nano /etc/privacyidea/rlm_perl.ini
[Default]
URL = https://localhost/validate/check
#REALM = someRealm
#RESCONF = someResolver
SSL_CHECK = false
#DEBUG = true
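The following added Python example (the editor's illustration, not the Perl code of the privacyIDEA FreeRADIUS plugin) shows the request that plugin makes against the URL above and a strict way to judge the reply. The /validate/check endpoint, the user/pass/realm/client parameters and the result.status / result.value fields are privacyIDEA's documented API; the function names, the 192.168.0.3 client address taken from clients.conf and the sample replies are the example's own.

```python
# Added example (not the privacyIDEA FreeRADIUS plugin itself): the request the
# plugin sends to the URL in rlm_perl.ini and a strict way to judge the reply.
# /validate/check, the user/pass/realm/client parameters and the
# result.status / result.value fields are privacyIDEA's documented API; the
# function names and the sample replies in __main__ are constructed here.
import json
import ssl
import urllib.parse
import urllib.request


def build_validate_body(user, pin_otp, client_ip=None, realm=None):
    """Form body for POST /validate/check. `client` carries the RADIUS client's
    real address (e.g. GVM's 192.168.0.3); privacyIDEA only trusts it when the
    caller's own IP is listed under Override Authorization Clients."""
    fields = {"user": user, "pass": pin_otp}
    if realm:
        fields["realm"] = realm
    if client_ip:
        fields["client"] = client_ip
    return urllib.parse.urlencode(fields).encode()


def access_granted(body):
    """Only a well-formed JSON reply with result.status and result.value both
    exactly true counts as success. Error replies, a proxy's HTML error page,
    string 'true' values or a truncated body all fall through to a reject."""
    try:
        result = json.loads(body)["result"]
        return result.get("status") is True and result.get("value") is True
    except (ValueError, KeyError, TypeError, AttributeError):
        return False


def validate(url, user, pin_otp, client_ip=None, realm=None, ssl_check=True, timeout=5.0):
    """Live call equivalent to one RADIUS authentication. ssl_check=False is what
    SSL_CHECK = false means: no certificate or hostname verification, so an
    on-path attacker could answer 'access granted'; acceptable on localhost only."""
    ctx = ssl.create_default_context()
    if not ssl_check:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        url, data=build_validate_body(user, pin_otp, client_ip, realm), method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return access_granted(resp.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Offline demonstration of the decision logic on constructed replies.
    print(access_granted('{"result": {"status": true, "value": true}}'))    # True
    print(access_granted('{"result": {"status": true, "value": false}}'))   # False: wrong PIN/OTP
    print(access_granted('{"result": {"status": false, "error": {"message": "..."}}}'))  # False
    print(access_granted('<html><body>502 Bad Gateway</body></html>'))       # False
    print(build_validate_body("mail", "mail123456", client_ip="192.168.0.3"))
    # Live use, matching the tutorial's rlm_perl.ini (loopback, no cert check):
    # validate("https://localhost/validate/check", "mail", "mail123456",
    #          client_ip="192.168.0.3", ssl_check=False)
```

The point of access_granted is that every failure mode of the HTTP path (TLS error, proxy page, malformed JSON, status true but value false) ends in a reject; an authentication bridge must never turn an ambiguous reply into an accept.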
Configure YubiKey for privacyIDEA
TIP
This guide was tested with a YubiKey 5 NFC. privacyIDEA itself does not require that model: the OATH-HOTP slot configuration used here is available on other YubiKeys supported by the Personalization Tool, but those were not tested for this revision.
Start the YubiKey Personalization Tool and go to Settings. Under Logging Settings select Flexible format and enter the variables {serial}, {secretKeyTxt} in the form field, so that every key you program writes one CSV line of serial number and seed that privacyIDEA can import.

Next click the OATH-HOTP tab and select the slot you wish to write the configuration to. Uncheck OATH Token Identifier, so that the key types only the OTP digits and not a token-ID prefix that privacyIDEA would not expect after the PIN. Create the secret key by pressing the Generate button, then click Write Configuration and save the CSV file. That file holds the HOTP seed in clear text; anyone who has it can produce valid OTPs for the key, so keep it off shared storage and delete it once the token has been imported.

Enroll token w/ YubiKey
Before enrolling the YubiKey we create a resolver and a realm and pick the first user. Log in to privacyIDEA at e.g. https://192.168.0.1. In the top menu click Config, open the Users tab and select New passwdresolver. Give the resolver a name and click the Save Resolver button.

Next create the realm: open the Realms tab, give the realm a name, tick the passwdresolver just created and click Create Realm.

Now pick the first user. In the top menu click Users and select the new realm in the left-hand dropdown menu; this lists every account from the /etc/passwd file, system accounts included. Any of them will do for the walkthrough; this example uses the user mail.

Once you have chosen the user to connect to the YubiKey, assign the first token. In the top menu click Token, then Import Tokens in the left menu. Select OATH CSV as the token type, choose the realm, click the Select file and import button and upload the CSV file written earlier by the YubiKey Personalization Tool.

Go back to All tokens in the left menu; the newly imported token is listed there. Click its serial number for the details.

Here you will see the settings and details of the newly enrolled token. Now assign it to the user: in the Assign User section select the Realm, fill in the Username you chose from the resolver list and set a PIN. This example uses mail as the PIN for brevity; on a real system choose a PIN that is neither the username nor otherwise guessable, because the PIN is the knowledge factor that stands in front of the OTP. Click the Assign User button.

Next test whether the token works. Above the Assign User section, type the PIN into the form field next to the Test token button, then press the YubiKey button: the key types the 6-digit OTP directly after the PIN. Click Test token.

You can also test from the command line whether privacyIDEA grants access through FreeRADIUS. Fill in the User-Name, and in User-Password type the PIN and then press the YubiKey button so the OTP is appended (below, mail is the PIN and 123456 stands in for whatever six digits the key emits). The secret given to radclient is the one FreeRADIUS ships for the localhost client entry in its default clients.conf (testing123), so this exercises FreeRADIUS and privacyIDEA but not the GVM client entry added above.
server@ubuntu:~$ echo "User-Name=mail, User-Password=mail123456" | radclient -x -s localhost auth testing123
Sent Access-Request Id 61 from 0.0.0.0:59998 to 127.0.0.1:1812 length 44
    User-Name = "mail"
    User-Password = "mail123456"
    Cleartext-Password = "mail123456"
Received Access-Accept Id 61 from 127.0.0.1:1812 to 127.0.0.1:59998 length 48
    Reply-Message = "privacyIDEA access granted"
Packet summary:
    Accepted      : 1
    Rejected      : 0
    Lost          : 0
    Passed filter : 1
    Failed filter : 0
Now go to the Config menu and open the System tab. In System Config add 127.0.0.1 to the Override Authorization Clients field and click the Save System Config button. The FreeRADIUS plugin connects to privacyIDEA from 127.0.0.1 but passes the address of the real RADIUS client (here 192.168.0.3, the Greenbone host) as the client parameter; privacyIDEA honours that parameter only from addresses listed in this field, so without the entry any client-based policies would be evaluated against 127.0.0.1 instead of the actual client.

Enable 2FA for Greenbone Vulnerability Manager
Log in to your Greenbone Security Assistant at e.g. https://192.168.0.3/login. Once logged in, select Administration and RADIUS in the top menu and click the Edit Radius Authentication button. Check the Enabled box, add the RADIUS host IP address (e.g. 192.168.0.1) and the secret key you set in clients.conf, then click Save.

Next add the user to the Greenbone Security Assistant (GSA). Select Administration and Users in the top menu and click the New User button. Use the same name as the privacyIDEA user (mail in this example), check RADIUS Authentication Only and select the preferred role and/or group. In the Host Access field you can add the privacyIDEA IP address (e.g. 192.168.0.1) and check Deny all and allow; likewise, Deny all and allow in Interface Access with 192.168.0.0/24 is meant to limit the user to the local subnet. Be aware that in GVM these two settings scope what the user may scan (target hosts and the scanner's source interfaces); they do not control where GSA logins may come from, so limiting who can reach the login page is a job for the firewall. Once done click the Save button.

Log out as administrator from the Greenbone Security Assistant. Enter the Username of the newly created user. In the Password field type the PIN and then press the YubiKey button: the key types the OTP and sends an Enter keystroke, so the form submits itself (do not click the Sign In button). You should now be authenticated through privacyIDEA.

Firewall settings
The firewall being used is UFW (Uncomplicated Firewall). It is set by default to deny incoming traffic, allow outgoing traffic and allow port 22 (OpenSSH). Read more about UFW here.
UFW Settings
server@ubuntu:~$ sudo ufw default deny incoming
server@ubuntu:~$ sudo ufw default allow outgoing
server@ubuntu:~$ sudo ufw allow 22
server@ubuntu:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
server@ubuntu:~$ sudo ufw allow 443 comment "privacyIDEA"
Command-line
Command | Description
---|---
pi-manage admin | Add, change, list or delete admin accounts (e.g. pi-manage admin add admin -e admin@localhost)
Troubleshooting
If you encounter any issue or having questions regarding privacyIDEA I recommend using their very helpful community forum.
non-sponsored
Enterprise solutions
NetKnights privacyIDEA Enterprise Edition
privacyIDEA is a modular solution for two-factor authentication, especially with OTP tokens. It is multi-tenancy- and multi-instance-capable. Due to its modular structure privacyIDEA can be quickly and easily adapted and enhanced; adding new token types, for example, is as simple as writing a new lean Python module. You do not need to modify your network for privacyIDEA, and it does not write to existing databases or user stores. It only needs read access to your user stores such as LDAP, Active Directory, SQL, SCIM services or flat files. Existing workflows can be enhanced without the need to modify them. Using its simple REST-like API it can be automated and smoothly integrated.
affiliate links
YubiEnterprise
Yubico offers enterprise solutions and can easily procure and distribute YubiKey authentication solutions for employees at scale.