On Fri, Jun 3, 2016 at 11:28 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On Jun 2, 2016, at 6:22 PM, Peter Lambrechtsen <peter@crypt.nz> wrote:
I've been looking at the TOTP open standard and there is a perl script written for FreeRadius.
I looked at one point, and figured out you could implement it in unlang policies without too much trouble :)
I really don't understand that whole fascination people have with OTP though. I think it's a cruel and unusual punishment to force on users (unless it's Yubikey, which is lovely).
While I agree with you philosophically on OTP in general being a bit of a painful experience. And plugging a Yubikey into a USB Port hitting a button and getting a bit long string makes for a pleasant end user experience. I do see there are multiple sites now support TOTP where the enrollment is seamless for end-users. Login to a web site, use Google Authenticator or Authy or any other myriad of TOTP clients to scan the QR code. The enrollment experience is awesome when you're armed with your smart phone using a browser on a desktop and consistent across multiple sites / cloud providers as everyone is doing TOTP multi-factor authentication. If you go into the Yubikey world, even though it's awesome you are still locked into that vendor. The pain is when using the OTP when logging in, granted it's not much fun on a phone if you are logging into a site and you need to copy & paste inside the time limit from the TOTP client into the phone browser. When they are different devices it's pretty simple. The Fortinet FortiToken-200 is a pretty good build quality physical token yet it still conforms to the RFC6238 / OATH standard. I really like this site www.xanxys.net/totp/ as it's super easy to implement a full client side browser based enrollment process all in a single dumb html page. Preaching to the choir here. But I am a big advocate for the open standard RFC compliant token solution rather than locking you into any particular vendor. Some people say Open Standards gives you the ultimate flexibility. :) This blog entry: https://blog.evernote.com/tech/2013/06/18/freeradius-openldap-totp-part-2/ Covers how to do it all using Perl. It's a little dodgy since they use perl to query ldap to get the hash which seems a very complex way to go about it IMHO. Was thinking an rlm_totp would be awesome. Pull out the TOTP hex string key from the database of your choice during Authorize putting it into a control VSA and then during Authenticate make sure it matches up with an option in the module config to support how many cycles + / - the current time to support. I'm sure you will say patches welcome :), which is something I plan to do once one other things is off my plate.