Difference between revisions of "Panel authentication"

From Luna Node
(Created page with "Luna Node Dynamic supports two panel authentication methods: password and client-side certificate. * Password: this is your standard login functionality, where you enter your...")
 
Line 1: Line 1:
 
Luna Node Dynamic supports two panel authentication methods: password and client-side certificate.
 
Luna Node Dynamic supports two panel authentication methods: password and client-side certificate.
  
* Password: this is your standard login functionality, where you enter your e-mail address and password, and then get access to the panel.
+
* '''Password''': this is your standard login functionality, where you enter your e-mail address and password, and then get access to the panel.
* Client-side certificate: this uses client-side SSL certificates that are signed by the Luna Node Dynamic certificate authority. You register the certificate and your key into your computer, and then the server will be able to authenticate your certificate via SSL.
+
* '''Client-side certificate''': this uses client-side SSL certificates that are signed by the Luna Node Dynamic certificate authority. You register the certificate and your key into your computer, and then the server will be able to authenticate your certificate via SSL.
  
 
== Authentication policies ==
 
== Authentication policies ==
Line 8: Line 8:
 
There are three available authentication policies to determine how strict the server will be with logins for your account. These are configurable from the [https://dynamic.lunanode.com/panel/account.php Account] tab in the top right of the panel.
 
There are three available authentication policies to determine how strict the server will be with logins for your account. These are configurable from the [https://dynamic.lunanode.com/panel/account.php Account] tab in the top right of the panel.
  
* Any authentication method: if you enter your password successfully or client-side SSL certificate authentication succeeds, you will have access to the panel.
+
* '''Any authentication method''': if you enter your password successfully or client-side SSL certificate authentication succeeds, you will have access to the panel.
* Both password and certificate: you will need to enter your password, and then also authenticate via SSL certificate in order to gain access.
+
* '''Both password and certificate''': you will need to enter your password, and then also authenticate via SSL certificate in order to gain access.
* Certificate, with password for unrecognized IPs: use client-side SSL certificate authentication only by default; however, if you attempt to login from an unrecognized IP address (i.e., one that you've not logged in from before), then you will need to also verify your password.
+
* '''Certificate, with password for unrecognized IPs''': use client-side SSL certificate authentication only by default; however, if you attempt to login from an unrecognized IP address (i.e., one that you've not logged in from before), then you will need to also verify your password.
  
 
== Setting up client-side SSL certificate ==
 
== Setting up client-side SSL certificate ==
Line 18: Line 18:
 
You will need OpenSSL or a similar tool installed in order to do this. These instructions are based on [https://gist.github.com/mtigas/952344 a gist by mtigas found on Github].
 
You will need OpenSSL or a similar tool installed in order to do this. These instructions are based on [https://gist.github.com/mtigas/952344 a gist by mtigas found on Github].
  
First, create a key and a CSR. We use 4096-bit key below for extra security since it doesn't hurt (and also since the guide used it).
+
First, create a key and a CSR. We use 4096-bit key below for extra security since it doesn't hurt (and also since the guide used it). When generating the certificate signing request, make sure to enter your panel e-mail address (case sensitive) for the organization, organization unit, and common name fields, or else the CSR will be rejected. For the other fields, you can enter whatever you want.
  
 
  <nowiki>openssl genrsa -des3 -out client.key 4096
 
  <nowiki>openssl genrsa -des3 -out client.key 4096
 
openssl req -new -key client.key -out client.csr</nowiki>
 
openssl req -new -key client.key -out client.csr</nowiki>
  
Now, copy the contents of client.csr. Go to the Account tab, and under "Client-side certificates", paste the CSR and hit "Add client-side certificate".  
+
Now, copy the contents of client.csr. Go to the Account tab, and under "Client-side certificates", paste the CSR and hit "Add client-side certificate". This will cause the server to verify the CSR and then, if verification succeeds, sign it. If signed successfully, the newly produced certificate will be available. You should copy and paste this into client.crt in the same directory where you made client.key and client.csr. Once client.crt exists, run:
 +
 
 +
<nowiki>openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
 +
rm client.crt client.key client.csr</nowiki>
 +
 
 +
Finally, go to your web browser and import the certificate. In Firefox, this is available from Edit, then Preferences, then Advanced, then Certificates tab. Select "View certificates", go to "Your certificates" tab, and hit import, and then find client.p12.
  
 
=== Other operating systems ===
 
=== Other operating systems ===
  
 
We currently don't have information for other operating systems. UNIX-based OS might work with the Linux instructions.
 
We currently don't have information for other operating systems. UNIX-based OS might work with the Linux instructions.
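Review bot: In the command block added after "Once client.crt exists, run:", the `rm client.crt client.key client.csr` line runs whether or not the preceding `openssl pkcs12 -export` succeeded, so a failed or interrupted export leaves the reader without a private key. Suggest joining the two commands with `&&`. The added text also never says that client.p12 then holds the only copy of the key, so a sentence asking for a strong export password when `openssl pkcs12` prompts for one would fit here.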

Revision as of 05:15, 29 June 2014

Luna Node Dynamic supports two panel authentication methods: password and client-side certificate.

  • Password: this is your standard login functionality, where you enter your e-mail address and password, and then get access to the panel.
  • Client-side certificate: this uses client-side SSL certificates that are signed by the Luna Node Dynamic certificate authority. You register the certificate and your key on your computer, and the server is then able to authenticate your certificate via SSL.

Authentication policies

There are three available authentication policies to determine how strict the server will be with logins for your account. These are configurable from the Account tab in the top right of the panel.

  • Any authentication method: if you enter your password successfully or client-side SSL certificate authentication succeeds, you will have access to the panel.
  • Both password and certificate: you will need to enter your password, and then also authenticate via SSL certificate in order to gain access.
  • Certificate, with password for unrecognized IPs: use client-side SSL certificate authentication only by default; however, if you attempt to log in from an unrecognized IP address (i.e., one that you've not logged in from before), then you will also need to verify your password.

Setting up client-side SSL certificate

Linux

You will need OpenSSL or a similar tool installed in order to do this. These instructions are based on a gist by mtigas found on GitHub.

First, create a key and a CSR. We use a 4096-bit key below for extra security since it doesn't hurt (and also since the guide used it). When generating the certificate signing request, make sure to enter your panel e-mail address (case sensitive) for the organization, organizational unit, and common name fields, or else the CSR will be rejected. For the other fields, you can enter whatever you want.

openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr

Now, copy the contents of client.csr. Go to the Account tab, and under "Client-side certificates", paste the CSR and hit "Add client-side certificate". This will cause the server to verify the CSR and then, if verification succeeds, sign it. If signed successfully, the newly produced certificate will be available. You should copy and paste this into client.crt in the same directory where you made client.key and client.csr. Once client.crt exists, run:

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
rm client.crt client.key client.csr

Finally, go to your web browser and import the certificate. In Firefox, this is available from Edit, then Preferences, then Advanced, then the Certificates tab. Select "View certificates", go to the "Your certificates" tab, hit Import, and select client.p12.
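The steps above, scripted with a check before each irreversible action, as an added example (not Luna Node's own tooling). The function names and the KEYPASS and P12PASS variables are hypothetical; pasting the CSR into the panel and saving the signed certificate as client.crt still happens by hand between check_csr and export_p12.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Passphrases are read from
# the exported variables KEYPASS (private key) and P12PASS (PKCS#12 bundle).

# make_csr EMAIL KEY CSR [BITS]: the two commands above without prompts,
# with EMAIL placed in the O, OU and CN fields.
make_csr() {
    openssl genrsa -des3 -passout env:KEYPASS -out "$2" "${4:-4096}" 2>/dev/null &&
    openssl req -new -key "$2" -passin env:KEYPASS -out "$3" \
        -subj "/O=$1/OU=$1/CN=$1"
}

# check_csr EMAIL CSR: succeed only if the CSR self-signature verifies and
# O, OU and CN each equal EMAIL exactly (case sensitive). Assumes EMAIL has
# no characters that RFC 2253 output escapes, such as "+" or ",".
check_csr() {
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    subj=$(openssl req -in "$2" -noout -subject -nameopt RFC2253) || return 1
    for attr in O OU CN; do
        case ",${subj#subject=}," in
            *",$attr=$1,"*) ;;
            *) return 1 ;;
        esac
    done
}

# cert_matches_key CRT KEY: succeed only if CRT carries the public key of KEY.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -passin env:KEYPASS -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# export_p12 CRT KEY CSR P12: the final step, but the originals are deleted
# only after the key check and the PKCS#12 export have both succeeded.
export_p12() {
    cert_matches_key "$1" "$2" &&
    openssl pkcs12 -export -clcerts -in "$1" -inkey "$2" \
        -passin env:KEYPASS -out "$4" -passout env:P12PASS &&
    rm "$1" "$2" "$3"
}
```

Run check_csr before pasting the CSR into the panel, and export_p12 once client.crt has been saved next to client.key.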

Other operating systems

We currently don't have information for other operating systems. UNIX-based operating systems might work with the Linux instructions.