[RADIATOR] TOTP authentication with Oracle

Martin Mersberger martin at mersberger.de
Thu Aug 2 14:28:33 UTC 2018


Hi Dennis,

> Yes!
>
> That was the problem!
Thanks for the positive feedback. Maybe it would be helpful to put an
explicit remark in ref.pdf about the secret encoding (IMHO, there is
something in goodies, but not in ref.pdf if I remember correctly).

Some BTWs for others, who might find this useful:

    - People using Radiator in a more LDAP driven way (i.e. AD backend)
      may wonder why TOTP needs a SQL. Reason is afaik to keep track of
      used tokens to avoid replay attacks and to blackout users using
      wrong tokens (brute force attacks).
        - If you run with an LDAP based user directory, in my mind the
          TOTP secret should be stored in the directory as well. Our
          solution is to retrieve the secret during the LDAP backend
          communication and store/update it in the SQL(ite) database
          used for AUTHBY SQLTOTP afterwards using AUTHBY GROUP. So no
          maintenance of the SQL is needed then.
        - Permissions on the directory should be adjusted on the
          attribute holding the secret to avoid exposure (example: the
          way AD protects user certificates within AD).

    - Any RFC compliant token generators do work (soft tokens on mobile
      phones, PC OS, perl scripts) as well as hardware tokens (Feitian
      C200 for example).
        - Google uses HMAC SHA1 and a 30 sec. timestep, which is also
          the default in Radiator AUTHBY SQLTOTP. Other token generators
          may differ, and it can be adjusted in the Radiator SQL DB in
          fields 7 and 8 (algorithm and timestep) on a per user basis,
          too.

cheers
    Martin
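
Added example, not part of the original post and not Radiator code: a minimal RFC 6238 verifier showing why server-side state is needed, with the last accepted time step stored to refuse replays and a wrong-token counter for lockout. The table layout, column names, `window` and `max_bad` are assumptions made for this sketch; algorithm and timestep are per-user columns as the post describes.

```python
import hashlib, hmac, sqlite3, struct

ALGOS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}

def totp(secret: bytes, counter: int, algo: str = "sha1", digits: int = 6) -> str:
    """RFC 6238 code for one time-step counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGOS[algo]).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def open_db() -> sqlite3.Connection:
    # Hypothetical table for this example; NOT the Radiator SQLTOTP schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE totp (username TEXT PRIMARY KEY, secret BLOB,"
               " algo TEXT, timestep INTEGER,"
               " last_counter INTEGER DEFAULT -1, bad INTEGER DEFAULT 0)")
    return db

def verify(db, user: str, code: str, now: float, window: int = 1, max_bad: int = 5) -> str:
    row = db.execute("SELECT secret, algo, timestep, last_counter, bad"
                     " FROM totp WHERE username = ?", (user,)).fetchone()
    if row is None:
        return "reject"
    secret, algo, step, last, bad = row
    if bad >= max_bad:
        return "locked"            # blackout after repeated wrong tokens
    current = int(now) // step
    for counter in range(max(0, current - window), current + window + 1):
        expected = totp(secret, counter, algo).encode()
        if hmac.compare_digest(expected, code.encode()):
            if counter <= last:
                return "replay"    # this or a later time step was already used
            db.execute("UPDATE totp SET last_counter = ?, bad = 0"
                       " WHERE username = ?", (counter, user))
            return "accept"
    db.execute("UPDATE totp SET bad = bad + 1 WHERE username = ?", (user,))
    return "reject"

if __name__ == "__main__":
    db = open_db()
    key = b"12345678901234567890"  # RFC 6238 SHA-1 test secret (constructed row)
    db.execute("INSERT INTO totp (username, secret, algo, timestep)"
               " VALUES ('alice', ?, 'sha1', 30)", (key,))
    print(verify(db, "alice", totp(key, 1), now=59))   # first use
    print(verify(db, "alice", totp(key, 1), now=59))   # same code again
```

The secret is stored as raw bytes here; a real deployment has to use one agreed encoding (hex, base32, ...) on both the token generator and the database side.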