Panel authentication

From Luna Node
Revision as of 14:51, 26 August 2016 by Favyen Bastani (Talk | contribs)


Luna Node Dynamic supports three panel authentication methods: password, client-side certificate, and two-factor authentication.

  • Password: this is your standard login functionality, where you enter your e-mail address and password, and then get access to the panel.
  • Client-side certificate: this uses client-side SSL certificates that are signed by the Luna Node Dynamic certificate authority. You install the certificate and your key on your computer, and then the server will be able to authenticate your certificate via SSL.
  • Two-factor authentication: verify with a two-factor authentication method. Available methods include e-mail to the account e-mail address, SMS to a specified phone number, and time-based one-time password (TOTP).

Authentication policies

There are several available authentication policies to determine how strict the server will be with logins for your account. These are configurable from the Account page in the top right of the panel, under the "Policies" tab.

  • Password or certificate: if you enter your password successfully or client-side SSL certificate authentication succeeds, you will have access to the panel.
  • Password and certificate: you will need to enter your password, and then also authenticate via SSL certificate in order to gain access.
  • Password and two-factor authentication: you will need to enter your password, and then complete two-factor authentication.
  • Password, and either certificate or two-factor authentication: after entering your password, you can choose whether to authenticate with a certificate or with two-factor authentication.
  • Certificate, also password for new devices: use client-side SSL certificate authentication only by default; however, if you attempt to log in from an unrecognized IP address (i.e., one that you've not logged in from before), then you will need to also verify your password.
  • Password, also two-factor authentication for new devices: like above, but with password by default and two-factor authentication for unrecognized IP addresses.
  • Password and certificate, also two-factor authentication for new devices: you will always need to authenticate with both your password and a certificate; for unrecognized IP addresses, you will additionally need to pass two-factor authentication.
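As an added example (not Luna Node's code), the following Python model encodes the seven policies above as "always required", "one of" and "additionally required from an unrecognized IP" factor sets and shows how an IP becomes recognized; the policy keys, factor names and the known-IP bookkeeping are assumptions for illustration.

```python
# Added example, not Luna Node's code. Policy keys, factor names ("password",
# "cert", "2fa") and the known-IP bookkeeping are assumptions for illustration.
from collections import namedtuple

Policy = namedtuple("Policy", "always one_of new_device")
# always:     factors required on every login
# one_of:     at least one of these must also pass (empty set = no such choice)
# new_device: additionally required when the source IP has never logged in before
POLICIES = {
    "password or cert": Policy(set(), {"password", "cert"}, set()),
    "password and cert": Policy({"password", "cert"}, set(), set()),
    "password and 2fa": Policy({"password", "2fa"}, set(), set()),
    "password, and either cert or 2fa": Policy({"password"}, {"cert", "2fa"}, set()),
    "cert, also password for new devices": Policy({"cert"}, set(), {"password"}),
    "password, also 2fa for new devices": Policy({"password"}, set(), {"2fa"}),
    "password and cert, also 2fa for new devices": Policy({"password", "cert"}, set(), {"2fa"}),
}

def allowed(policy_name, passed, known_ip):
    """Return True if the factors in `passed` satisfy the named policy."""
    pol = POLICIES[policy_name]
    required = set(pol.always)
    if not known_ip:
        required |= pol.new_device          # stricter for unrecognized IPs
    if not required <= passed:
        return False
    return not pol.one_of or bool(pol.one_of & passed)

class Account:
    """Tracks which source IPs have completed a login (the 'recognized' set)."""
    def __init__(self, policy_name):
        self.policy_name = policy_name
        self.known_ips = set()

    def login(self, ip, passed):
        ok = allowed(self.policy_name, set(passed), ip in self.known_ips)
        if ok:
            self.known_ips.add(ip)          # only a successful login makes an IP recognized
        return ok

if __name__ == "__main__":
    acct = Account("password, also 2fa for new devices")
    print(acct.login("203.0.113.5", {"password"}))         # False: new IP needs 2FA too
    print(acct.login("203.0.113.5", {"password", "2fa"}))  # True, IP now recognized
    print(acct.login("203.0.113.5", {"password"}))         # True
```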
If you choose an authentication policy that involves two-factor authentication, be sure to configure two-factor authentication from the Account page under the "Two-factor authentication" tab.

Setting up client-side SSL certificate

Once your certificate is set up, you will be able to log in via https://dynamic.lunanode.com/secure/ (or select "Authenticate with client-side certificate" on the login screen).

You have two options when setting up a certificate: using your modern browser (won't work with Internet Explorer; Firefox/Chrome both work fine) via the keygen tag, or manually generating and submitting a CSR. The first way is much easier; it should only take you sixty seconds!

Note: we recommend that you set up a master password in your browser if you do not have one already; this will ensure your certificates (as well as any saved passwords) are stored encrypted.

Generate certificate via browser

Make sure you are using Firefox or Chrome, or a similar non-IE modern browser that supports the keygen tag.

Head to the Account tab and select Client-side certificates tab. Under "Add certificate via browser", configure any certificate key options that your browser provides, enter a number of days to sign for (between 5 and 730 days), and hit the generate option. Your browser should display a brief dialog about generating a keypair, and then after a bit more time you'll be prompted to add the certificate to your browser.

Once added, you can log in via https://dynamic.lunanode.com/secure/.

Manually generate a CSR

If you decided you want to manually generate a CSR, follow the instructions below.

Linux

You will need OpenSSL or a similar tool installed in order to do this. These instructions are based on a gist by mtigas found on GitHub.

First, create a key and a CSR. We use a 4096-bit key below for extra security since it doesn't hurt (and also since the guide used it). When generating the certificate signing request, make sure to enter your panel e-mail address (case sensitive) for the organization, organizational unit, and common name fields, or else the CSR will be rejected. For the other fields, you can enter whatever you want.

# generate a 4096-bit RSA key; -des3 encrypts it with a passphrase you will be prompted for
openssl genrsa -des3 -out client.key 4096
# create the CSR; enter your panel e-mail address (case sensitive) for O, OU and CN
openssl req -new -key client.key -out client.csr

Now, copy the contents of client.csr. Go to the Account tab, and under "Client-side certificates", paste the CSR and hit "Add client-side certificate". This will cause the server to verify the CSR and then, if verification succeeds, sign it. If signed successfully, the newly produced certificate will be available. You should copy and paste this into client.crt in the same directory where you made client.key and client.csr. Once client.crt exists, run:

# bundle the signed certificate and the key into a PKCS#12 file for browser import
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
# remove the loose copies; client.p12 now holds both the certificate and the key
rm client.crt client.key client.csr

Finally, go to your web browser and import the certificate. In Firefox, this is available from Edit, then Preferences, then Advanced, then the Certificates tab. Select "View certificates", go to the "Your certificates" tab, hit "Import", and then find client.p12.
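As an added example (not Luna Node's code, nor part of the gist), this Python helper builds the same two OpenSSL commands non-interactively with -subj and checks a CSR's subject for the exact, case-sensitive e-mail match the server requires before you paste the CSR into the panel; user@example.com and the file names are placeholders.

```python
import subprocess

# Added example, not Luna Node's code. user@example.com and the file names are
# placeholders; the two subject formats handled are the ones OpenSSL prints.
SUBJECT_FIELDS = ("O", "OU", "CN")  # organization, organizational unit, common name

def subject_for(email):
    """OpenSSL -subj string that puts the panel e-mail into O, OU and CN."""
    return "".join(f"/{field}={email}" for field in SUBJECT_FIELDS)

def csr_commands(email, key="client.key", csr="client.csr"):
    """The page's two commands, with -subj so the CSR step needs no prompts."""
    return [
        ["openssl", "genrsa", "-des3", "-out", key, "4096"],
        ["openssl", "req", "-new", "-key", key, "-out", csr, "-subj", subject_for(email)],
    ]

def parse_subject(line):
    """Parse one line of `openssl req -noout -subject` output into a dict.
    Handles both 'subject=/O=x/OU=y/CN=z' (older OpenSSL) and
    'subject=O = x, OU = y, CN = z' (OpenSSL 1.1 and later) forms."""
    body = line.strip().split("=", 1)[1].strip()
    parts = body.split("/")[1:] if body.startswith("/") else body.split(",")
    fields = {}
    for part in parts:
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields

def mismatched_fields(subject_line, email):
    """Fields that would get the CSR rejected: the server compares O, OU and CN
    to the panel e-mail exactly, so a case difference counts as a mismatch."""
    fields = parse_subject(subject_line)
    return [f for f in SUBJECT_FIELDS if fields.get(f) != email]

def verify_csr_file(csr, email):
    """Read the subject of an existing CSR with openssl and report mismatches."""
    out = subprocess.run(["openssl", "req", "-noout", "-subject", "-in", csr],
                         capture_output=True, text=True, check=True).stdout
    return mismatched_fields(out, email)

if __name__ == "__main__":
    email = "user@example.com"
    for cmd in csr_commands(email):
        subprocess.run(cmd, check=True)  # prompts only for the key passphrase
    bad = verify_csr_file("client.csr", email)
    print("CSR ok, paste client.csr into the panel" if not bad else f"fix fields: {bad}")
```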

Other operating systems

We currently don't have information for other operating systems. Other UNIX-based operating systems might work with the Linux instructions. If you get information, do let us know and we can add it here.

Alternatively, you can complete the steps to create client.p12 on any Linux machine, and then copy the resulting file to your machine that has some other OS, and import it to your browser.