Today I am pleased to announce the Nauthilus software.
Nauthilus (N-Auth-ilus) is a centralized authentication server with a comprehensive policy engine. The idea behind this project is to connect services centrally in one place and perform extensive tests during authentication.
# What can Nauthilus do and what problems does it solve?
Many services on the Internet require authentication. Each application must then be connected to databases and must implement its own protective measures to ward off attackers. Every installation carries the risk of compromise and therefore also of access to the databases. With Nauthilus, the task is centralized in one place. Nauthilus is essentially an HTTP REST server that can be accessed by any application. It takes on the role of a guardian.
Nauthilus integrates very well with Dovecot and Postfix.
# Authentication process
Nauthilus uses several authentication steps:
## 1. Features
Features include tests such as TLS verification, relay domains (is the system even responsible for the requested domain?), blocklists, RBLs and freely definable Lua features.
Nauthilus has a powerful brute force concept with buckets to detect even slow attacks over days and weeks. It offers a bucket system for this purpose.
## 2. Backend authentication
Nauthilus includes LDAP support and Lua to perform the authentication itself. A large library of predefined functions is available in Lua, including SQL support.
## 3. Policies
Policies are run through after authentication. Despite a successful login, the system can reject the login (or, conversely, allow it!).
There is also space here for GeoIP lookups, etc.
## 4. Post-processing
After the 3rd point, authentication has been completed, but at this point further tests can run in the background such as:
- Check password policy and take action
- Consult the Have I Been Pwned network
- GeoIP tracking across national borders
and much more.
## Miscellaneous
Nauthilus allows the free definition of so-called hooks. Each hook listens for a specific URI (callback) in the HTTP request. These callbacks are written by the administrator in Lua.
In an initial proof of concept, Nauthilus can take on the role of a Dovecot director. This has already been tested with version 2.4.0. Currently, Nauthilus can dynamically delegate incoming connections to backends. The hooks concept is used here as an example.
# Final words
By integrating a Lua VM into the server, Nauthilus can be integrated and customized in almost any setup. See also the other Nauthilus-related projects listed in the appendix.
To enable single sign-on (SSO), it can be operated with an Ory-Hydra server or the sister project nauthilus-keycloak can be used as a custom authenticator in Keycloak.
100% Open-Source 100% Community
# Project
https://github.com/croessner/nauthilus
# Sub projects
- https://github.com/croessner/nauthilus-demo
- https://github.com/croessner/nauthilus-keycloak
- https://github.com/croessner/pfxhttp
- https://github.com/croessner/geoip-policyd
# Mailing lists:
N.B.: In the future, announcements will be sent over the nauthilus-announce ML. This is just a hello world!
Christian Rößner
Rößner-Network-Solutions
Certified ITSiBe / CISO
Marburger Str. 70a, 36304 Alsfeld
Fax: +49 6631 78823409, Mobile: +49 171 9905345
VAT ID: DE225643613, https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
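The multi-window bucket idea mentioned under "Features" above, as an added illustration in Go (this is not Nauthilus's own code); the window names, thresholds and the client addresses used in it are constructed for this example:

```go
package main

import "time"

// Window is one bucket: more than Limit failed logins within Span flags the source.
type Window struct {
	Name  string
	Span  time.Duration
	Limit int
}
// DefaultWindows are constructed for this example, not Nauthilus defaults: short windows catch bursts, the wide one a slow drip.
var DefaultWindows = []Window{{"hour", time.Hour, 5}, {"day", 24 * time.Hour, 20}, {"week", 168 * time.Hour, 25}}
// Detector tracks failed logins per source (e.g. client IP); Windows must be non-empty and sorted by ascending Span.
type Detector struct {
	Windows  []Window
	Failures map[string][]time.Time
}
func NewDetector(windows []Window) *Detector {
	return &Detector{Windows: windows, Failures: map[string][]time.Time{}}
}

// RecordFailure stores one attempt and prunes entries older than the widest window (bounded memory per source).
func (d *Detector) RecordFailure(src string, at time.Time) {
	horizon := d.Windows[len(d.Windows)-1].Span
	kept := d.Failures[src][:0] // filter in place
	for _, t := range d.Failures[src] {
		if at.Sub(t) < horizon {
			kept = append(kept, t)
		}
	}
	d.Failures[src] = append(kept, at)
}

// Triggered returns the first window whose limit src has exceeded as of now, or "".
func (d *Detector) Triggered(src string, now time.Time) string {
	for _, w := range d.Windows {
		n := 0
		for _, t := range d.Failures[src] {
			if now.Sub(t) < w.Span {
				n++
			}
		}
		if n > w.Limit {
			return w.Name
		}
	}
	return ""
}
```

A source that fails once every six hours never trips the hourly or daily bucket, but the weekly bucket still flags it, which is the point of evaluating all windows together.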
First when I read this, how is this different from keycloak?
:)
On 31.01.2025 at 18:47, Marc via dovecot <dovecot@dovecot.org> wrote:
> First when I read this, how is this different from keycloak?
It’s about the authentication process in your business. With the Lua integration in Nauthilus, you can do nearly everything you want in the authentication process.
If you dive deeper in Nauthilus, you will see the differences 😊
Feel free to ask questions on the users mailing list…
Regards
Christian