Closed by toby1knby 2 years ago
According to azure powers that be "conditional access/compliant device protected" sites will be accessible from "anywhere" through Microsoft Edge. This means that all "NAV-activity" in terms of HR/Organisational functions + M$ Teams can be accessed from BYOD/naisdevice/whatever. I was not able to gauge a timeframe but the work has started. IMHO this would be good enough when paired with naisdevice.
We are testing certificates from gcp KMS and M$ Cloudapp Security.
Nothing has happened here for a while (60 days), marking as stale. Add preserve label to avoid deletion
Found some possibly useful links:
Firefox: https://wiki.mozilla.org/CA/AddRootToFirefox https://github.com/mozilla/policy-templates/blob/master/README.md
Linux in general (probably also Chrome): https://blog.confirm.ch/adding-a-new-trusted-certificate-authority/
In Chrome, it might be possible to write an extension that can import client certificates using this API: https://developer.chrome.com/docs/extensions/reference/enterprise_platformKeys/#method-importCertificate
Haven't found anything similar for Firefox.
The following works for Firefox: pk12util -d "$HOME/.mozilla/firefox/aft1nwwy.default-release/" -i naisdevice-client-and-key.p12
However, I haven't found a way to set the preferred certificate for Microsoft domains to be this imported certificate, so the user gets prompted a lot. Also it seems like the "remember decision" tickbox is broken when the cert is imported this way, because I get popups asking for a cert for the same domain even after ticking "remember decision".
Also worth noting: Mozilla refers to OpenSC as the alternative to using the system keychain: https://blog.mozilla.org/security/2020/04/14/expanding-client-certificates-in-firefox-75/
Might also be interesting to look at (alternate approach): A software "smartcard" implementation which can then possibly be integrated into NSS (used by both Firefox and Chrome to get certificates) as a PKCS#11 module. https://www.opendnssec.org/softhsm/
This allows us to make Chrome/Chromium autoselect a certificate for matching URLs (tested to work on xubuntu with Google Chrome). https://cloud.google.com/docs/chrome-enterprise/policies/?policy=AutoSelectCertificateForUrls
Not as direct, but using policies on Firefox, we can set Firefox to automatically select a certificate, and load certificates from the OS store (same as chrome uses). https://github.com/mozilla/policy-templates/blob/master/README.md#preferences
Specifically security.default_personal_cert and security.osclientcerts.autoload.
Tested on xubuntu with Firefox and policies in /etc/firefox/policies/policies.json. Seems to work, I was not requested to select a certificate, and no need to import the certificate into Firefox (since it is already present in the OS-level database I presume).
This does still rely on the server asking for the "correct" certificate, but I managed to get Firefox to select the correct one out of two for both a private test site and SharePoint.
This might be useful for setting up chrome policies: https://www.chromium.org/administrators/linux-quick-start
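As an added illustration (not code from this thread or from the naisdevice project), the following Python script generates the two policy files described above: the Chrome managed policy with AutoSelectCertificateForUrls and the Firefox policies.json with security.default_personal_cert and security.osclientcerts.autoload, and checks that the Chrome policy is well-formed before writing it. It goes a little beyond the thread by handling several URL patterns and validating the document. The issuer CN, the URL patterns and the file name client-cert.json are constructed placeholders; the /etc/opt/chrome/policies/managed and /etc/firefox/policies paths are the standard Linux locations, and the Value/Status form of the Firefox Preferences policy follows Mozilla's policy-templates format.

```python
"""Generate and sanity-check browser policy files for automatic client-certificate selection."""
import json
import tempfile
from pathlib import Path

# Constructed values: the issuer CN and the URL patterns are placeholders, not
# the naisdevice CA's real subject or the real list of Microsoft endpoints.
ISSUER_CN = "naisdevice CA (placeholder)"
AUTO_SELECT_PATTERNS = [
    "https://[*.]sharepoint.com",
    "https://login.microsoftonline.com",
]


def chrome_auto_select_policy(patterns, issuer_cn):
    """Build the Chrome managed-policy document.

    AutoSelectCertificateForUrls is a list of *strings*; each string is itself a
    JSON-encoded object with a URL "pattern" and a certificate "filter". Filtering
    on the issuer CN picks the certificate by who signed it, so a user holding
    several client certificates still gets the right one without a prompt.
    """
    entries = []
    for pattern in patterns:
        entry = {"pattern": pattern, "filter": {"ISSUER": {"CN": issuer_cn}}}
        entries.append(json.dumps(entry, separators=(",", ":")))
    return {"AutoSelectCertificateForUrls": entries}


def firefox_policies():
    """Build policies.json with the two preferences from the thread, locked so
    the user cannot flip certificate selection back to "Ask Every Time"."""
    return {
        "policies": {
            "Preferences": {
                "security.default_personal_cert": {
                    "Value": "Select Automatically",
                    "Status": "locked",
                },
                "security.osclientcerts.autoload": {
                    "Value": True,
                    "Status": "locked",
                },
            }
        }
    }


def validate_chrome_policy(doc):
    """Return a list of problems (empty when the policy is well-formed).

    The usual mistake is writing the pattern/filter object directly into the
    list instead of as a JSON string; Chrome then ignores the entry.
    """
    problems = []
    entries = doc.get("AutoSelectCertificateForUrls")
    if not isinstance(entries, list):
        return ["AutoSelectCertificateForUrls must be a list"]
    for i, entry in enumerate(entries):
        if not isinstance(entry, str):
            problems.append(f"entry {i}: must be a JSON string, not {type(entry).__name__}")
            continue
        try:
            parsed = json.loads(entry)
        except json.JSONDecodeError as exc:
            problems.append(f"entry {i}: not valid JSON ({exc})")
            continue
        for key in ("pattern", "filter"):
            if key not in parsed:
                problems.append(f"entry {i}: missing {key!r}")
        if not str(parsed.get("pattern", "")).startswith("https://"):
            problems.append(f"entry {i}: pattern should be an https:// URL pattern")
    return problems


def write_policies(root, patterns=AUTO_SELECT_PATTERNS, issuer_cn=ISSUER_CN):
    """Write both policy files under *root* (use "/" for a real install).
    The Chrome path is Google Chrome's; Chromium reads /etc/chromium/policies/managed."""
    root = Path(root)
    chrome_path = root / "etc/opt/chrome/policies/managed/client-cert.json"
    firefox_path = root / "etc/firefox/policies/policies.json"
    chrome_doc = chrome_auto_select_policy(patterns, issuer_cn)
    problems = validate_chrome_policy(chrome_doc)
    if problems:
        raise ValueError("; ".join(problems))
    for path, doc in ((chrome_path, chrome_doc), (firefox_path, firefox_policies())):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(doc, indent=2) + "\n")
    return chrome_path, firefox_path


def demo(root=None):
    """Write the files to a scratch directory, read the Chrome policy back and
    return the URL patterns Chrome will auto-select a certificate for."""
    root = root or tempfile.mkdtemp(prefix="browser-policies-")
    chrome_path, _ = write_policies(root)
    doc = json.loads(chrome_path.read_text())
    if validate_chrome_policy(doc):
        raise RuntimeError("written policy does not round-trip")
    return [json.loads(e)["pattern"] for e in doc["AutoSelectCertificateForUrls"]]


if __name__ == "__main__":
    print(demo())
```

Run it as root with write_policies("/") to install for real; the auto-selection still depends on the server's CertificateRequest naming an acceptable issuer, exactly as noted in the comment above.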
#!/usr/bin/env bash
set -e
export CLOUDSDK_PYTHON=python
# Certificate subject; also reused as the NSS nickname below.
cn="$(hostname) is a naisdevice"
# Issue a client-auth certificate from the naisdevice CA in Google Cloud Private CA.
# gcloud generates the key locally and writes the leaf plus issuer chain to full-chain.pem.
gcloud beta privateca certificates create \
--project nais-device \
--generate-key \
--dns-san "$USER" \
--subject "CN=$cn" \
--extended-key-usages="client_auth" \
--key-usages="digital_signature" \
--issuer-location europe-west1 \
--issuer naisdevice \
--key-output-file=client-key.pem \
--cert-output-file=full-chain.pem
#--validity=10
# Split the chain: the first PEM block (the leaf) goes to client-cert.pem, everything after it to naisdevice-ca.crt.
awk 'BEGIN { of="client-cert.pem" } { print >of } /^-----END/ { of="naisdevice-ca.crt" }' < full-chain.pem
# Bundle key and certificate as PKCS#12 (openssl prompts for an export password).
openssl pkcs12 -export -out naisdevice-client-and-key.p12 -in client-cert.pem -inkey client-key.pem
# Firefox profile directory; the random prefix is per installation, adjust accordingly.
profile="$HOME/.mozilla/firefox/407fcmhs.default-release/"
# Remove any previous certificate with the same nickname (ignore failure if none exists).
(certutil -d "$profile" -F -n "$cn" || true)
# Import the PKCS#12 bundle into the profile's NSS database (prompts for the export password).
pk12util -d "$profile" -i naisdevice-client-and-key.p12
# Clean up the key material left on disk.
rm -f naisdevice-client-and-key.p12
rm -f full-chain.pem
rm -f client-key.pem
rm -f client-cert.pem
rm -f naisdevice-ca.crt
Script I've been using for a while for Firefox. Works as long as I let the previous cert expire before I run it again.
Implemented a long time ago, forgot to close the issue.
naisdevice will soon be the de facto mechanism for connectivity and we need to come up with a strategy for how to access services that are behind general MFA / Conditional Access rules. Things to think about: