thomas at glanzmann.de
Sun Sep 9 05:49:00 CEST 2012
* Franks Andy (RLZ) IT Systems Engineer <Andy.Franks at sath.nhs.uk> [2012-09-09 01:19]:
> The first thing I'm not clear on is the function of the "users" file
> that's related to the Berkeley_db script. I'm not sure I understand why
> it's needed. Is this a database of acceptable users that have access to
> the OTP function?
Exactly. That function has two purposes:
- The list of persons that can authenticate via Kerberos for the
first stage of the authentication if you exchange it with
- The number lookup
> Could this be set during an ldap group lookup perhaps, using an
> inbuilt freeradius attribute?
Exactly. You could do an LDAP lookup in FreeRADIUS and pass that as a
variable to the module, so that it could use it.
> The module seems to implement its own Kerberos authentication lookup -
> is this correct?
It's not implementing its own but using a Perl Kerberos library, but
you're correct that it does its own Kerberos authentication and not in
FreeRADIUS. The only reason it does so is that I can count how many
logins went wrong and then block authentication requests to the Active
Directory, because in my case the Active Directory would lock the
account, which would make a denial-of-service attack possible if you know a
> Would an NTLM lookup also be possible by messing with the Perl code
> and using the NTLM include instead of authen-krb5?
Yes, that is possible; you can exchange it basically with anything you
want. You can also do the first stage of the authentication in
FreeRADIUS and use the Perl module solely for smsotp.
> Do you have any plans to write something more "generic", i.e. without
> the hard coded users file or file paths for other functions?
At the moment I do not have the intention; however, I probably will
release a much more generic version without the password locking that
does the first stage of the authentication in FreeRADIUS.
> Or is it just a proof of concept?
I actually run it in a pre-production environment for 1500 users.
> Also do you plan some in-depth documentation?
I also started in the wiki for the C implementation, but for anyone who
understands PAP, PAP Access-Challenge and RADIUS it is basically
self-explanatory; however, this process took me almost 5 workdays myself.
My FreeRADIUS knowledge is limited; I have used FreeRADIUS with EAP-TLS,
802.1Q, 802.1X, Cisco ASA, Cisco 3560G, Cisco 2910, VMware View, Linux
embedded devices and Citrix NetScaler.
> This module tied to freeradius could be extremely useful to our
> organisation but I'm not sure if at this point I understand it well
> enough or whether it will be robust in use.
In production I had no problems and approx. 285 authentication requests
already. I also ran an automated self-test against it, both for the C
and the Perl implementation, for 24 hours and saw no problems. However,
in your case I would first try to make it work, then develop an
automated self-test, and if you feel comfortable enough to use it, use it.
> I'd like ideally to use freeradius to do an ldap lookup, cross
> reference a group of users with access to OTP, bring back an
> email/phone number attribute through the ldap module and then use this
> in the OTP processing, whilst also doing some mysql / other sql
> storage of users' authentication details using OTP to fault find/audit
I'll not implement it, but if I did, it would take me less than 4
hours. Basically what you need is to modify the rlm_perl
implementation to only handle the PAP Access-Challenge and pass the
information it needs using the already existing interface of rlm_perl
(which is super powerful).
> Is this the kind of thing you might look at in the future or should I
> go and get linotp / rcdevs product?
I'm quite busy for the next 5 days; if you want to wait 5 days, I could
make something generic available and also document it. Of course, if you
don't feel comfortable with it at the moment, go for another solution.
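As an added illustration of the flow this message describes (a PAP Access-Challenge in two stages, an SMS code tied to the first request through the RADIUS State attribute, and a local failed-login counter that stops requests from reaching the directory before the directory locks the account), here is a small Python model. It is example code written for this page, not the rlm_perl or C module from the thread, and it contains no FreeRADIUS, Kerberos or SMS-gateway API: the user list with phone numbers, the thresholds, the `first_stage` password check and the `send_sms` callable are constructed stand-ins for those pieces.

```python
"""Model of a two-stage SMS-OTP RADIUS decision flow (constructed example)."""
import hmac
import secrets
import time

# Constructed "users file": who may use SMS-OTP and the number to send the code to.
USERS = {"alice": "+491700000001", "bob": "+491700000002"}


class SmsOtpServer:
    def __init__(self, users, first_stage, send_sms, max_failures=3,
                 failure_window=600, otp_ttl=120, now=time.time):
        self.users = users
        self.first_stage = first_stage      # stand-in for the Kerberos/AD password check
        self.send_sms = send_sms            # stand-in for the SMS gateway
        self.max_failures = max_failures    # keep below the directory's lockout threshold
        self.failure_window = failure_window
        self.otp_ttl = otp_ttl
        self.now = now                      # injectable clock, for offline testing
        self.failures = {}                  # user -> timestamps of bad first-stage passwords
        self.challenges = {}                # State -> (user, otp, expiry)

    def _recent_failures(self, user):
        cutoff = self.now() - self.failure_window
        self.failures[user] = [t for t in self.failures.get(user, []) if t > cutoff]
        return len(self.failures[user])

    def handle(self, request):
        """Take a dict of RADIUS attributes, return a dict with Packet-Type."""
        user = request.get("User-Name", "")
        password = request.get("User-Password", "")
        state = request.get("State")
        if user not in self.users:
            return {"Packet-Type": "Access-Reject", "Reply-Message": "Unknown user"}
        if state is None:
            return self._stage_one(user, password)
        return self._stage_two(user, password, state)

    def _stage_one(self, user, password):
        # Lockout guard: after max_failures bad passwords inside the window we reject
        # locally, so the directory never sees the attempt and cannot lock the account.
        if self._recent_failures(user) >= self.max_failures:
            return {"Packet-Type": "Access-Reject", "Reply-Message": "Too many failures"}
        if not self.first_stage(user, password):
            self.failures.setdefault(user, []).append(self.now())
            return {"Packet-Type": "Access-Reject", "Reply-Message": "Bad password"}
        otp = f"{secrets.randbelow(10**6):06d}"
        state = secrets.token_hex(16)       # opaque State the client must echo back
        self.challenges[state] = (user, otp, self.now() + self.otp_ttl)
        self.send_sms(self.users[user], f"Your login code is {otp}")
        return {"Packet-Type": "Access-Challenge", "State": state,
                "Reply-Message": "Enter the code sent to your phone"}

    def _stage_two(self, user, password, state):
        entry = self.challenges.pop(state, None)    # one attempt per challenge, no replay
        if entry is None:
            return {"Packet-Type": "Access-Reject", "Reply-Message": "Unknown or used State"}
        c_user, otp, expiry = entry
        if c_user != user or self.now() > expiry or not hmac.compare_digest(otp, password):
            return {"Packet-Type": "Access-Reject", "Reply-Message": "Bad or expired code"}
        return {"Packet-Type": "Access-Accept"}


def run_demo():
    """Drive the model through a lockout and then a full two-stage login."""
    clock = {"t": 1_000_000.0}
    outbox, directory_calls = [], []

    def first_stage(user, password):        # constructed password check
        directory_calls.append(user)
        return (user, password) == ("alice", "correct horse")

    srv = SmsOtpServer(USERS, first_stage, lambda to, msg: outbox.append((to, msg)),
                       max_failures=3, now=lambda: clock["t"])
    log = []
    for _ in range(4):                      # three bad passwords reach the check, the 4th does not
        log.append(srv.handle({"User-Name": "alice", "User-Password": "wrong"})["Packet-Type"])
    calls_during_lockout = len(directory_calls)
    clock["t"] += 601                       # failure window expires
    r1 = srv.handle({"User-Name": "alice", "User-Password": "correct horse"})
    log.append(r1["Packet-Type"])
    otp = outbox[-1][1].split()[-1]         # the code "sent" by SMS
    r2 = srv.handle({"User-Name": "alice", "User-Password": otp, "State": r1["State"]})
    log.append(r2["Packet-Type"])
    r3 = srv.handle({"User-Name": "alice", "User-Password": otp, "State": r1["State"]})
    log.append(r3["Packet-Type"])           # replaying the same State is rejected
    return {"log": log, "directory_calls": calls_during_lockout, "sms_sent": len(outbox)}


if __name__ == "__main__":
    print(run_demo())
```

The point of the counter is visible in `run_demo`: the fourth bad password is rejected before `first_stage` is called, so an attacker who knows only a username cannot drive the directory to its lockout threshold through the RADIUS front end. The State value is what lets the server match the second request to the first; it is consumed on use, and the code is compared with `hmac.compare_digest` and expires, so a guessed or replayed State does not help.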