PHP script for TFA login


MKS

Jan 19, 2016, 12:06:18 PM
to privacyidea
Hello,

During privacyIDEA testing for our environment I'm trying to write a test PHP script based on the checkOtp function from https://github.com/privacyidea/privacyidea/blob/master/authmodules/ownCloud/user_privacyidea/lib/otp_privacyidea.php
I'm trying to get this basic functionality:
1. Show a submit form with these fields:
    - Login
    - Password
    - PIN
2. When the 'Login' and 'Password' fields are filled, the GetPIN button becomes active, so the user can get a PIN via SMS and put it into the PIN field. The user can also fill in the PIN field using their own PIN generator.
In privacyIDEA I have configured an LDAP realm; the test user has two tokens assigned to him - sms and hotp.

Maybe I have been looking at FreeIPA+OTP for too long, but please correct me if I'm wrong.
I can pass the check at /validate/check when I use the username with the LDAP_password, or the username with the PIN. But I can't use the username with LDAP_Password+PIN, so in the current situation guessing 6 digits passes all checks. How do I check both factors with /validate/check at once?

Thank you.
 

MKS

Jan 19, 2016, 12:41:26 PM
to privacyidea
Looks like setting an authentication policy with otppin=userstore moves me forward. Am I on the right path? )

Cornelius Kölbel

Jan 19, 2016, 2:02:40 PM
to priva...@googlegroups.com
Yes

you can either use

(LDAP-password) + (OTP VALUE)

or

(OTP PIN) + (OTP VALUE)

Kind regards
Cornelius

On Tuesday, 19.01.2016, 09:41 -0800, MKS wrote:
> Looks like setting authentication policy with otppin=userstore moves
> me forward. Am I on right path? )
>

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


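One way to do what Cornelius describes from the PHP side, as an added example that is not code from this thread or from the privacyIDEA project: the LDAP password and the OTP value are concatenated with no separator into the single "pass" parameter of /validate/check, and the login only succeeds when result.status and result.value are both true. It assumes that "prepend otp pin" is set in the system settings and that an authentication policy with otppin=userstore is active (both named later in the thread), that the form's PIN field holds the OTP value, and that the base URL, CA bundle path and function names are placeholders.

```php
<?php
// Added example (not from the original post or the privacyIDEA project):
// check LDAP password + OTP in a single /validate/check request.
// Assumptions: privacyIDEA reachable at $baseUrl, "prepend otp pin" enabled in
// the system settings and an authentication policy with otppin=userstore, so
// the "pass" parameter is the LDAP password immediately followed by the OTP.

declare(strict_types=1);

/**
 * Build the parameters for POST /validate/check.
 * No separator between password and OTP: "secret" + "123456" -> "secret123456".
 */
function buildCheckParams(string $user, string $ldapPassword, string $otp, string $realm = ''): array
{
    if (!preg_match('/^\d{6,8}$/', $otp)) {
        // Reject obviously malformed OTPs locally; the server still decides.
        throw new InvalidArgumentException('OTP must be 6 to 8 digits');
    }
    $params = ['user' => $user, 'pass' => $ldapPassword . $otp];
    if ($realm !== '') {
        $params['realm'] = $realm;
    }
    return $params;
}

/**
 * Send the check to privacyIDEA and return true only if both factors passed.
 * Anything other than HTTP 200 with result.status === true and
 * result.value === true is treated as a failed login.
 */
function checkBothFactors(string $baseUrl, array $params, string $caBundle = ''): bool
{
    $ch = curl_init(rtrim($baseUrl, '/') . '/validate/check');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($params),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // the password travels in this request: keep TLS verification on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 10,
    ]);
    if ($caBundle !== '') {
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle); // private CA of the privacyIDEA server, if any
    }
    $body = curl_exec($ch);
    $httpCode = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $httpCode !== 200) {
        return false;
    }
    $json = json_decode($body, true);
    return is_array($json)
        && ($json['result']['status'] ?? false) === true
        && ($json['result']['value'] ?? false) === true;
}

// Usage on the login page (all values are placeholders):
// $params = buildCheckParams($_POST['login'], $_POST['password'], $_POST['pin']);
// if (checkBothFactors('https://privacyidea.example.com', $params)) {
//     // redirect to the internal portal
// } else {
//     // show a generic error; do not say which factor failed
// }
```

The point of the single request is that the server verifies both factors together: a caller never learns whether the LDAP password alone was right, which is exactly the gap the first post noticed when password and PIN were checked separately.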

MKS

Jan 21, 2016, 5:59:53 AM
to privacyidea
Thank you, I moved one step forward.
Now I'm trying to check whether the user really has an SMS token configured when he presses the "Get SMS" button (which uses the /validate/check URL).

For a user with a disabled SMS token I'm still getting:
"detail": {"message": "Enter the OTP from the SMS:"}, "versionnumber": "2.9", "version": "privacyIDEA 2.9", "result": {"status": true, "value": false}, "time": 1453372931.413365, "id": 1}

For a user without SMS tokens the response is the same as for a user with a wrong password:
"detail": {"message": "wrong otp pin"}, "versionnumber": "2.9", "version": "privacyIDEA 2.9", "result": {"status": true, "value": false}, "time": 1453373017.457972, "id": 1}

As far as I understand I should rely on the status-value pairs for all checks via the API, but what condition should be used to tell that the user has no option to get an SMS and hide the "Get SMS" button for him after the first try?

Cornelius Kölbel

Jan 25, 2016, 3:45:53 AM
to priva...@googlegroups.com
On Thursday, 21.01.2016, 02:59 -0800, MKS wrote:
> Thank you, I moved one step forward.
> Now I'm trying to check is user really has SMS token configured when
> he press "Get SMS" button (which uses /validate/check url ).
>
> For user with disabled SMS token I'm still getting:
> "detail": {"message": "Enter the OTP from the SMS:"}, "versionnumber":
> "2.9", "version": "privacyIDEA
> 2.9", "result": {"status": true, "value": false}, "time":
> 1453372931.413365, "id": 1}

If the SMS token is disabled, the SMS should not be sent, since
authentication will not work anyway. Do you receive an SMS?
Maybe we might have to do a small fix here.
>
> For user without SMS tokens response are same as for user with wrong
> password:
> "detail": {"message": "wrong otp pin"}, "versionnumber": "2.9",
> "version": "privacyIDEA 2.9", "result"
> : {"status": true, "value": false}, "time": 1453373017.457972, "id":
> 1}

I assume the user has another token and thus you get this response.


>
> As far as I understand I should stick on status-value pairs for all
> checks via API, but what condition should be used to tell that user
> has no option to get SMS and hide "Get SMS" button for him after first
> try?

There is no simple way to receive this information.
In fact it would leak information for the attacker, wouldn't it?

Kind regards
Cornelius

MKS

Jan 25, 2016, 4:28:18 AM
to privacyidea
Hello, Cornelius


On Monday, January 25, 2016 at 10:45:53 AM UTC+2, Cornelius Kölbel wrote:
> On Thursday, 21.01.2016, 02:59 -0800, MKS wrote:
> > Thank you, I moved one step forward.
> > Now I'm trying to check is user really has SMS token configured when
> > he press "Get SMS" button (which uses /validate/check url ).
> >
> > For user with disabled SMS token I'm still getting:
> > "detail": {"message": "Enter the OTP from the SMS:"}, "versionnumber":
> > "2.9", "version": "privacyIDEA
> >  2.9", "result": {"status": true, "value": false}, "time":
> > 1453372931.413365, "id": 1}
>
> If the SMS token is disabled, the SMS should not be sent, since
> authentication will not work anyway. Do you receive an SMS?
> Maybe we might have to do a small fix here.

No, no SMS was sent. But our login script would be confusing for users during the login process with this message from privacyIDEA )

> >
> > For user without SMS tokens response are same as for user with wrong
> > password:
> >  "detail": {"message": "wrong otp pin"}, "versionnumber": "2.9",
> > "version": "privacyIDEA 2.9", "result"
> > : {"status": true, "value": false}, "time": 1453373017.457972, "id":
> > 1}
>
> I assume the user has another token and thus you get this response.

Yes.

> >
> > As far as I understand I should stick on status-value pairs for all
> > checks via API, but what condition should be used to tell that user
> > has no option to get SMS and hide "Get SMS" button for him after first
> > try?
>
> There is no simple way to receive this information.
> In fact it would leak information for the attacker, wouldn't it?

Well, since privacyIDEA has policies, maybe it would be possible to have some trusted subnet for internal users or something like this.
BTW, is it possible to have an additional key for the API to specify the real user IP? The same thing as mod_rpaf for Apache does when it is sitting behind Nginx. In the current configuration I'm planning to hide the privacyIDEA check URL and restrict it for everyone except the server with the TFA login page. So all requests to check would arrive from a single IP address.

Cornelius Kölbel

Jan 25, 2016, 11:16:47 AM
to priva...@googlegroups.com
On Monday, 25.01.2016, 01:28 -0800, MKS wrote:
> Hello, Cornelius
>
> On Monday, January 25, 2016 at 10:45:53 AM UTC+2, Cornelius Kölbel
> wrote:
> On Thursday, 21.01.2016, 02:59 -0800, MKS wrote:
> > Thank you, I moved one step forward.
> > Now I'm trying to check is user really has SMS token
> configured when
> > he press "Get SMS" button (which uses /validate/check url
> ).
> >
> > For user with disabled SMS token I'm still getting:
> > "detail": {"message": "Enter the OTP from the SMS:"},
> "versionnumber":
> > "2.9", "version": "privacyIDEA
> > 2.9", "result": {"status": true, "value": false}, "time":
> > 1453372931.413365, "id": 1}
>
> If the SMS token is disabled the SMS should not be sent.
> Since
> authentication will not work anyway. Do you receive an SMS?
> Maybe we might have to do a small fix here.
> No SMS were not send. But our login script would be confusing for
> users during login process, with this message from privacyIDEA )

You may check for the transaction_id.
Meanwhile, I will see to not return detail->message if the token is
inactive.
>
>
> >
> > For user without SMS tokens response are same as for user
> with wrong
> > password:
> > "detail": {"message": "wrong otp pin"}, "versionnumber":
> "2.9",
> > "version": "privacyIDEA 2.9", "result"
> > : {"status": true, "value": false}, "time":
> 1453373017.457972, "id":
> > 1}
>
> I assume the user has another token and thus you get this
> response.
>
> Yes.

That is the reason why.
>
>
> >
> > As far as I understand I should stick on status-value pairs
> for all
> > checks via API, but what condition should be used to tell
> that user
> > has no option to get SMS and hide "Get SMS" button for him
> after first
> > try?
>
> There is no simple way to receive this information.
> In fact it would leak information for the attacker, wouldn't
> it?
>
> Well, since privacyIDEA has polices may be it would be possible to has
> some trusted subnet for internal users or something like this.
> BTW, is it possible to have additional key for API to specify real
> user IP? Same thing as mod_rpaf for Apache do, when it sitting behind
> Nginx. In current configuration I'm planning to hide privacyIDE check
> url and restrict it for all, except server with TFA login page. So all
> requests to check would be arrive from single IP address.

You did not explain your setup and I do not understand it.

Please take a look at the services for specific consultancy.
https://netknights.it/en/leistungen/support/

Kind regards
Cornelius

MKS

Jan 25, 2016, 11:50:48 AM
to privacyidea


On Monday, January 25, 2016 at 6:16:47 PM UTC+2, Cornelius Kölbel wrote:

> You may check for the transaction_id.
> Meanwhile, I will see to not return detail->message if the token is
> inactive.

Thank you, will try it.

> You did not explain your setup and I do not understand it.
>
> Please take a look at the services for specific consultancy.
> https://netknights.it/en/leistungen/support/

I have no budget for support yet (maybe in the future, if it would be suitable), since I'm just looking at the features of privacyIDEA. :)
The explanation of the setup is quite simple:
1. Two servers: Server-1 - privacyIDEA, Server-2 - webserver with PHP
2. The user opens a webpage from Server-2 and sees a login prompt + PIN field. He is also able to request a PIN via SMS on the same page.
3. The PHP script on Server-2 takes all variables from the user, checks them and sends them to Server-1, to the /check URL of privacyIDEA. Depending on the response from Server-1 the user is redirected to the internal portal or gets an error message.

Since the user doesn't communicate directly with privacyIDEA, Server-1 doesn't know the real IP address of the user, so it would be cool to have the ability to tell privacyIDEA the real client IP address with an additional API key. For example, in the privacyIDEA configuration we could have a config param "TrustedSources" or something like this, and when we get a request from a trusted source IP with the key 'realIP=1.1.1.1' we process the request in the same way as if it had been received from a client with IP 1.1.1.1.

Cornelius Kölbel

Jan 25, 2016, 12:00:12 PM
to priva...@googlegroups.com
You can pass a client IP to privacyIDEA using the "client" parameter in
the /validate request. This will be used in the policies.
So Server-2 can pass the IP of the users client to Server-1.

Requiring an API key
http://privacyidea.readthedocs.org/en/latest/modules/lib/apipolicy.html?privacyidea.api.lib.prepolicy.api_key_required#privacyidea.api.lib.prepolicy.api_key_required
is meant for the requesting party, i.e. Server-2.
Not for the user's client.

Kind regards
Cornelius
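The response handling Cornelius describes above (recognise the SMS challenge by detail.transaction_id rather than by the message text) together with the "client" parameter carrying the real user IP from Server-2 to Server-1, as an added example that is not part of this thread or of the privacyIDEA project. It assumes the two-step flow of the login page described in the thread: step one sends user and LDAP password to trigger the SMS, step two sends the OTP back together with the transaction_id. The function names, the outcome constants and the constructed sample bodies (the first two are the responses quoted earlier in the thread, the third adds a placeholder transaction_id as an active SMS token would return one) are assumptions.

```php
<?php
// Added example (not from the original post or the privacyIDEA project):
// interpret /validate/check responses for the "Get SMS" button and pass the
// real client IP. Sample responses are constructed from the ones quoted in
// this thread; the transaction_id value is a placeholder.

declare(strict_types=1);

const OUTCOME_SUCCESS   = 'success';   // both factors correct: log the user in
const OUTCOME_CHALLENGE = 'challenge'; // SMS was triggered: show the OTP field next
const OUTCOME_FAILED    = 'failed';    // wrong credentials or no usable token

/**
 * Parameters for step 1: trigger the SMS with user + LDAP password.
 * "client" carries the end user's IP from Server-2 to Server-1 so that
 * privacyIDEA policies see the real origin instead of Server-2's address.
 */
function smsTriggerParams(string $user, string $ldapPassword, string $clientIp): array
{
    if (filter_var($clientIp, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('invalid client IP');
    }
    return ['user' => $user, 'pass' => $ldapPassword, 'client' => $clientIp];
}

/** Parameters for step 2: answer the challenge with the OTP from the SMS. */
function smsAnswerParams(string $user, string $otp, string $transactionId, string $clientIp): array
{
    return [
        'user'           => $user,
        'pass'           => $otp,
        'transaction_id' => $transactionId,
        'client'         => $clientIp,
    ];
}

/**
 * Classify a decoded /validate/check response. A challenge is recognised by
 * detail.transaction_id only; detail.message is passed through for display
 * and never parsed, because its wording is not part of the contract.
 */
function classifyResponse(array $r): array
{
    $status = ($r['result']['status'] ?? false) === true;
    $value  = ($r['result']['value'] ?? false) === true;
    $txid   = $r['detail']['transaction_id'] ?? null;
    $msg    = $r['detail']['message'] ?? '';

    if ($status && $value) {
        return ['outcome' => OUTCOME_SUCCESS, 'transaction_id' => null, 'message' => $msg];
    }
    if ($status && is_string($txid) && $txid !== '') {
        return ['outcome' => OUTCOME_CHALLENGE, 'transaction_id' => $txid, 'message' => $msg];
    }
    // Disabled SMS token, wrong password, or no SMS token at all: the login
    // page reacts the same way to each, so nothing about the user's tokens
    // is revealed to the caller.
    return ['outcome' => OUTCOME_FAILED, 'transaction_id' => null, 'message' => $msg];
}

// Constructed samples: the first two are the bodies quoted in this thread,
// the third is what an active SMS token returns (transaction_id is a placeholder).
$samples = [
    'disabled_sms' => '{"detail": {"message": "Enter the OTP from the SMS:"}, "versionnumber": "2.9", "version": "privacyIDEA 2.9", "result": {"status": true, "value": false}, "time": 1453372931.413365, "id": 1}',
    'wrong_pin'    => '{"detail": {"message": "wrong otp pin"}, "versionnumber": "2.9", "version": "privacyIDEA 2.9", "result": {"status": true, "value": false}, "time": 1453373017.457972, "id": 1}',
    'sms_sent'     => '{"detail": {"message": "Enter the OTP from the SMS:", "transaction_id": "TRANSACTION-ID-PLACEHOLDER"}, "result": {"status": true, "value": false}}',
];

foreach ($samples as $name => $body) {
    $verdict = classifyResponse(json_decode($body, true));
    printf("%-12s -> %s\n", $name, $verdict['outcome']);
}
```

Only the third sample yields a challenge, so the page shows the OTP field and keeps the transaction_id in the server-side session for the step-2 request built by smsAnswerParams; the other two are treated identically, which is the behaviour Cornelius argued for when he declined to expose whether a user has an SMS token.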

Zia-ul-Hassan Siddique

Apr 15, 2016, 8:14:52 AM
to privacyidea
Hi,

1. Please help me regarding this post...
Are (LDAP-password) + (OTP VALUE) separated by some special character?

2. I receive "The user has no tokens assigned" when using the policy "passthru": "userstore"........

I want to see whether users via RADIUS are authenticated by LDAP or not.

Best Regards
Zia

Cornelius Kölbel

Apr 15, 2016, 8:56:08 AM
to priva...@googlegroups.com
On Friday, 15.04.2016, 05:14 -0700, Zia-ul-Hassan Siddique wrote:
> Hi,

Hi Zia,
>
>
> 1 please help me regarding this post...
> Are (LDAP-password) + (OTP VALUE) seperated by some special
> charactor?

No. LDAP-Password and OTP value are simply put together:

secret123456

Please note:
You need to set "prepend otp pin" in the system settings and
you need to define an authentication policy with "otppin=userstore".
>
>
> 2 i recieve ""The user has no tokens assigned"" when using policy
> "passthru": "userstore"........

Then for some reason

a) the policy is not triggered, or
b) you gave the wrong LDAP password.

Please take a look at the log file.
(https://www.privacyidea.org/getting-help/)
Increase the log level to a higher level.

kind regards
Cornelius