MyTOTP, pronounced "My TOTP" (or "Mighty OTP"), provides centralized two-factor authentication (2FA) via integration into FreeRADIUS. MyTOTP can work with any soft-token that generates unique TOKENCODES via the TOTP (RFC-6238) algorithm. Google-Authenticator is probably the most recognisable and common client, though there are others.
DOWNLOAD
GitHub https://github.com/foolean/mytotp
TWO-FACTOR AUTHENTICATION
Authentication factors are generally thought of as "something you know", "something you have", and "something you are". Multi-factor authentication is when two or more factors are in use. Typically, two-factor authentication is comprised of something you know (e.g. your password) and something you have (e.g. your token). It is debated in some circles whether or not using PIN+TOKENCODE is actually two-factor in itself. Technically it is, as the PIN is something you know and the TOKENCODE is something you have. However, the PIN can also be thought of as protecting the TOKENCODE. Thus it is not uncommon to treat the entire PASSCODE as the "something you have" and the Password as the "something you know". Ultimately, how much or how little to enforce is up to the system's administrator.
FEATURES
- Integrates with FreeRADIUS via rlm_perl
- Uses Google-Authenticator, or any other TOTP (RFC-6238) app, as the soft-token
- Uses PIN+TOKENCODE for authentication
- Failure-based account lockout
- Set account expiration
- Administratively lock/unlock accounts
- Encrypts the account's PIN for storage in the account database
- Encrypts the account's shared secret with the account's PIN
- Supports LDAP and DB-based backends (sqlite is used for local-only storage)
- Distinct SYSLOG messages for ease of monitoring and tracking
- CGI script to generate QR codes
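The following is an added example, not code from the MyTOTP project, showing in Python what the feature list above describes: RFC 6238 TOTP generation (HMAC-SHA1, 30-second steps, 6 digits, as Google-Authenticator uses), PIN+TOKENCODE verification of a PASSCODE, rejection of a reused TOKENCODE, failure-based lockout and account expiration. The lockout threshold (5), the clock-skew window (1 step) and the in-memory account record are assumptions for illustration; MyTOTP's actual values and storage format are not shown on this page, and where MyTOTP encrypts the shared secret with the PIN, the example only stores a salted PBKDF2 hash of the PIN. The secret is the RFC 4226/6238 test secret, so the codes can be checked against the RFC's published vectors.

```python
"""Added example (not MyTOTP's own code): RFC 6238 TOTP generation and
PIN+TOKENCODE (PASSCODE) verification with replay rejection, failure-based
lockout and account expiry.  Lockout threshold, skew window and PIN storage
are assumptions for illustration; MyTOTP's real values are not on the page."""
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30     # RFC 6238 default time step in seconds
DIGITS = 6         # TOKENCODE length produced by Google-Authenticator
MAX_FAILURES = 5   # assumed lockout threshold (not taken from MyTOTP)

# RFC 4226/6238 test secret "12345678901234567890", base32-encoded
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
RFC_SECRET = base64.b32decode(RFC_SECRET_B32)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, now // step, digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Simplification: MyTOTP encrypts the PIN and uses it to encrypt the shared
    # secret; here the PIN is only kept as a salted PBKDF2 hash.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def new_account(pin: str, secret_b32: str, salt: bytes = b"constructed-salt") -> dict:
    """Constructed in-memory account record standing in for the LDAP/DB backend."""
    return {
        "salt": salt,
        "pin_hash": hash_pin(pin, salt),
        "secret": base64.b32decode(secret_b32, casefold=True),
        "last_step": -1,      # highest time step already accepted (replay guard)
        "failures": 0,        # consecutive failures counted toward lockout
        "locked": False,      # administrative or failure-based lock
        "expires": None,      # epoch seconds after which the token is expired
    }


def _fail(acct: dict, reason: str) -> str:
    acct["failures"] += 1
    if acct["failures"] >= MAX_FAILURES:
        acct["locked"] = True
    return reason


def verify_passcode(acct: dict, passcode: str, now: int, window: int = 1) -> str:
    """Return the AUTH_ tag MyTOTP's LOG MESSAGES section lists for this
    outcome.  `window` (assumed) is how many steps of clock skew to allow."""
    if acct["locked"]:
        return "AUTH_ACCOUNT_LOCKED"
    if acct["expires"] is not None and now >= acct["expires"]:
        return "AUTH_EXPIRED_TOKEN"
    # PASSCODE is PIN followed by TOKENCODE.  Split from the end: the TOKENCODE
    # length is fixed, the PIN length is not.
    pin, tokencode = passcode[:-DIGITS], passcode[-DIGITS:]
    if len(passcode) <= DIGITS or not tokencode.isdigit():
        return _fail(acct, "AUTH_INVALID_TOKENCODE")
    if not hmac.compare_digest(hash_pin(pin, acct["salt"]), acct["pin_hash"]):
        return _fail(acct, "AUTH_INVALID_PIN")
    step = now // TIME_STEP
    for candidate in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(acct["secret"], candidate), tokencode):
            # A code from a step at or before the last accepted one is a replay,
            # even though it still falls inside the skew window.
            if candidate <= acct["last_step"]:
                return _fail(acct, "AUTH_TOKENCODE_REUSE")
            acct["last_step"] = candidate
            acct["failures"] = 0
            return "AUTH_VALID_TOKENCODE"
    return _fail(acct, "AUTH_INVALID_TOKENCODE")


if __name__ == "__main__":
    acct = new_account("1234", RFC_SECRET_B32)
    # At t=59 the RFC 6238 SHA-1 vector gives 287082, so the PASSCODE is "1234287082".
    print(verify_passcode(acct, "1234" + totp(RFC_SECRET, 59), 59))   # AUTH_VALID_TOKENCODE
    print(verify_passcode(acct, "1234" + totp(RFC_SECRET, 59), 59))   # AUTH_TOKENCODE_REUSE
```

Two design points worth noting: the replay check keys on the time step rather than on the code value, so a still-valid code from the previous step is refused once a later one has been accepted; and the failure counter is reset only on a successful authentication, so alternating wrong PINs and wrong TOKENCODEs both count toward the lockout.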
FreeRADIUS
There are multiple options when configuring FreeRADIUS, which depend primarily on your needs and your environment. Below are basic configuration snippets that should help get you to a working Two-Factor authentication server.
Ref: http://wiki.freeradius.org/modules/Rlm_perl#config
# /etc/freeradius/modules/perl
perl {
    module = /usr/sbin/mytotp_freeradius.pl
}

# /etc/freeradius/users
DEFAULT Auth-Type = Perl

# /etc/freeradius/sites-enabled/default
authenticate {
    Auth-Type Perl {
        perl
    }
}
PAM RADIUS AUTH
The most common way to have Linux systems authenticate against MyTOTP is with PAM Radius Auth. If you will be using MyTOTP along with another authentication method (e.g. LDAP or UNIX passwd), make sure you have version >= 1.3.17, as it allows the prompt to be changed. In prior versions the prompt is hard-coded to "Password: ", which tends to cause confusion when users aren't sure whether to enter their PASSCODE or their Password.
To use MyTOTP via pam_radius_auth, place the following line in the relevant files in /etc/pam.d. The line will generally go before any other authentication methods.
# Require two-factor authentication
auth requisite pam_radius_auth.so prompt=PASSCODE
Ref: http://freeradius.org/pam_radius_auth/
LOG MESSAGES
MyTOTP will generate several types of log messages. Messages related to the authentication process begin with AUTH_ to facilitate ease of monitoring and tracking.
AUTH_ACCOUNT_LOCKED: The account is administratively locked
AUTH_EXPIRED_TOKEN: The account's token has expired
AUTH_INVALID_PIN: The user entered an invalid PIN
AUTH_INVALID_SECRET: The system was unable to decrypt the shared secret
AUTH_INVALID_TOKENCODE: The user entered an invalid TOKENCODE
AUTH_TOKENCODE_REUSE: The user attempted to reuse a TOKENCODE
AUTH_USERNAME_NOT_FOUND: The requested user could not be found
AUTH_VALID_TOKENCODE: The user successfully authenticated
error: Processing error messages
fatal: Non-recoverable processing error messages
debug: Debugging messages
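As an added example of the "ease of monitoring and tracking" the AUTH_ prefix is meant to give, the Python below (not part of MyTOTP) counts the AUTH_ tags per user and per client address over a batch of syslog lines and raises three kinds of alert: repeated AUTH_INVALID_PIN/AUTH_INVALID_TOKENCODE for one user (PASSCODE guessing), any AUTH_TOKENCODE_REUSE (a re-submitted or captured PASSCODE), and repeated AUTH_USERNAME_NOT_FOUND from one client (username enumeration). The line layout, the sample lines and the thresholds are constructed for the example; the page does not show MyTOTP's actual syslog format, so LINE_RE will need adjusting to match a real deployment.

```python
"""Added example (not MyTOTP's own code): count MyTOTP AUTH_ log tags per user
and per client to surface PASSCODE guessing, TOKENCODE replay and username
enumeration.  The syslog line layout is constructed for the example; the page
does not show MyTOTP's real format, so adjust LINE_RE to match yours."""
import re
from collections import Counter, defaultdict

# Assumed layout: "<syslog timestamp> <host> mytotp[<pid>]: <TAG>: key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<prog>[\w.-]+)(?:\[\d+\])?:\s"
    r"(?P<tag>AUTH_[A-Z_]+):\s(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

FAILURE_TAGS = ("AUTH_INVALID_PIN", "AUTH_INVALID_TOKENCODE")

# Constructed sample lines, not real MyTOTP output.
SAMPLE_LOG = """\
Mar  3 10:01:05 radius1 mytotp[2231]: AUTH_VALID_TOKENCODE: user=alice client=10.0.0.5
Mar  3 10:01:40 radius1 mytotp[2231]: AUTH_TOKENCODE_REUSE: user=alice client=10.0.0.9
Mar  3 10:02:01 radius1 mytotp[2231]: AUTH_INVALID_PIN: user=bob client=10.0.0.7
Mar  3 10:02:03 radius1 mytotp[2231]: AUTH_INVALID_PIN: user=bob client=10.0.0.7
Mar  3 10:02:05 radius1 mytotp[2231]: AUTH_INVALID_TOKENCODE: user=bob client=10.0.0.7
Mar  3 10:02:08 radius1 mytotp[2231]: AUTH_INVALID_TOKENCODE: user=bob client=10.0.0.7
Mar  3 10:02:11 radius1 mytotp[2231]: AUTH_INVALID_PIN: user=bob client=10.0.0.7
Mar  3 10:02:14 radius1 mytotp[2231]: AUTH_ACCOUNT_LOCKED: user=bob client=10.0.0.7
Mar  3 10:03:00 radius1 mytotp[2231]: AUTH_USERNAME_NOT_FOUND: user=admin client=10.0.0.7
Mar  3 10:03:01 radius1 mytotp[2231]: AUTH_USERNAME_NOT_FOUND: user=root client=10.0.0.7
Mar  3 10:03:02 radius1 mytotp[2231]: AUTH_USERNAME_NOT_FOUND: user=test client=10.0.0.7
Mar  3 10:03:05 radius1 mytotp[2231]: error: backend timeout user=carol
"""


def parse_line(line: str):
    """Return the AUTH_ event on this line, or None for error/fatal/debug lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {"ts": m.group("ts"), "tag": m.group("tag"),
            "user": fields.get("user"), "client": fields.get("client")}


def summarize(lines):
    """Tag counts keyed by user and, separately, by client address."""
    per_user, per_client = defaultdict(Counter), defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        per_user[ev["user"]][ev["tag"]] += 1
        per_client[ev["client"]][ev["tag"]] += 1
    return per_user, per_client


def find_alerts(lines, fail_threshold=5, unknown_threshold=3):
    """Return (kind, subject, count) tuples; both thresholds are assumed values."""
    per_user, per_client = summarize(lines)
    alerts = []
    for user, counts in sorted(per_user.items(), key=lambda kv: str(kv[0])):
        failures = sum(counts[t] for t in FAILURE_TAGS)
        if failures >= fail_threshold:
            alerts.append(("guessing", user, failures))
        # One reuse may be a user re-submitting a prompt, but it is also exactly
        # what a captured PASSCODE looks like, so it is worth a look every time.
        if counts["AUTH_TOKENCODE_REUSE"]:
            alerts.append(("replay", user, counts["AUTH_TOKENCODE_REUSE"]))
    for client, counts in sorted(per_client.items(), key=lambda kv: str(kv[0])):
        if counts["AUTH_USERNAME_NOT_FOUND"] >= unknown_threshold:
            alerts.append(("enumeration", client, counts["AUTH_USERNAME_NOT_FOUND"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Counting per client as well as per user is what separates one user mistyping a PIN from one address walking a list of usernames; the AUTH_ACCOUNT_LOCKED line is deliberately left out of the failure count so that a locked account does not keep raising the guessing alert on every further attempt.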