Authentication One-time-password


Identity Card

Status: Core
Plugin Label: Authentication One-time-password
Short Description: Use Google Authenticator, Yubikey or standard password to authenticate users.
Plugin Identifier: authfront.otp
Author: Janos Milus / Tran Cuong
Url: docs/references/plugins/authfront/otp
Dependencies:

Documentation

Authfront OTP plugin for Pydio

authfront.otp can be combined with any backend auth driver, such as LDAP or MySQL.

It is based on the Google Authenticator reference implementation and the YubiKey demo PHP implementation. With this plugin you can authenticate users in four different ways:

  • Password only: works like auth.serial
  • Password + Google Authenticator: in the password field, type your password followed immediately by the six digits shown by Google Authenticator
  • Password + YubiKey: in the password field, type your password and then press the button on the YubiKey
  • Password + (YubiKey OR Google Authenticator): if both methods are enabled for a user, the plugin recognises which one was used. The rule is simple: a Google Authenticator code consists only of digits, while a YubiKey OTP consists only of modhex letters (c, b, d, e, f, g, h, i, j, k, l, n, r, t, u, v).

The authentication method is set up per user, so one user can authenticate with a password only, another with a YubiKey, and a third with both YubiKey and Google Authenticator enabled.
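The following Python sketch is an added illustration and not the plugin's own PHP code. It shows how the single password field can be split into password and OTP, how the two OTP kinds are told apart by their alphabet (six digits versus 44 modhex letters), and how a TOTP code is checked with a last-used time-step counter in the spirit of the plugin's google_last parameter. The user record, the plain password comparison and the field names google_enabled / yubikey_enabled are assumptions modelled on the instance parameters listed further down; the YubiKey OTP is only matched against the registered key's public ID here, the cryptographic check against Yubico's validation service is not reproduced.

```python
"""Added illustration (not the authfront.otp plugin's code): splitting the
combined password field, telling TOTP and YubiKey OTPs apart, and checking a
TOTP code with a last-used-counter replay guard like the plugin's google_last."""
import base64
import hashlib
import hmac
import struct

STEP = 30                             # TOTP time step (RFC 6238 default, used by Google Authenticator)
DIGITS = 6                            # Google Authenticator code length
MODHEX = set("cbdefghijklnrtuv")      # YubiKey OTP alphabet: letters only, never digits
YUBI_OTP_LEN = 44                     # 12-char public ID + 32-char encrypted token


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32: str, now: int) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(base64.b32decode(secret_b32.upper()), now // STEP)


def split_credential(field: str, user: dict):
    """Split the single password box into (password, kind, otp).

    Assumed rule matching the plugin's description: a trailing run of six
    digits is a Google Authenticator code, a trailing 44 modhex letters is a
    YubiKey OTP. Only methods enabled for this user are considered, so a
    plain-password user whose password ends in digits is not mis-parsed."""
    if user.get("yubikey_enabled") and len(field) > YUBI_OTP_LEN \
            and set(field[-YUBI_OTP_LEN:]) <= MODHEX:
        return field[:-YUBI_OTP_LEN], "yubikey", field[-YUBI_OTP_LEN:]
    if user.get("google_enabled") and len(field) > DIGITS and field[-DIGITS:].isdigit():
        return field[:-DIGITS], "totp", field[-DIGITS:]
    return field, "password", None


def verify_totp(user: dict, code: str, now: int, window: int = 1):
    """Return the accepted time-step counter, or None.

    Tolerates `window` steps of clock drift either side, but only accepts a
    counter strictly greater than the last one recorded in google_last, so a
    code captured from one login cannot be replayed within its validity."""
    key = base64.b32decode(user["google"].upper())
    base = now // STEP
    for counter in range(base - window, base + window + 1):
        if counter > user["google_last"] and hmac.compare_digest(hotp(key, counter), code):
            return counter
    return None


def yubikey_bound_to_user(user: dict, otp: str) -> bool:
    """The first 12 modhex characters of a YubiKey OTP are the key's public ID.
    The plugin stores whatever the key typed into yubikey1/yubikey2, so compare
    public IDs. The OTP's cryptographic validity must additionally be checked
    against the Yubico validation service (php-yubico); that network call is
    outside this offline example."""
    ids = {user.get(k, "")[:12] for k in ("yubikey1", "yubikey2")} - {""}
    return otp[:12] in ids


def authenticate(user: dict, field: str, now: int) -> bool:
    """Password first (a plain compare against a constructed record here; the
    real plugin delegates that to the backend driver), then the per-user OTP rule."""
    password, kind, otp = split_credential(field, user)
    if not hmac.compare_digest(password.encode(), user["password"].encode()):
        return False
    needs_otp = user.get("google_enabled") or user.get("yubikey_enabled")
    if kind == "password":
        return not needs_otp           # OTP-enabled users may not log in with the password alone
    if kind == "totp":
        counter = verify_totp(user, otp, now)
        if counter is None:
            return False
        user["google_last"] = counter  # persist the replay marker
        return True
    return yubikey_bound_to_user(user, otp)


# Constructed sample user; the secret is the RFC 4226/6238 test key, base32-encoded.
SAMPLE_USER = {
    "password": "correct horse",
    "google_enabled": True,
    "google": base64.b32encode(b"12345678901234567890").decode("ascii"),
    "google_last": 0,
    "yubikey_enabled": True,
    "yubikey1": "cccccccbefgh" + "c" * 32,   # constructed: public ID + token as the key would type it
}

if __name__ == "__main__":
    user = dict(SAMPLE_USER)
    print(authenticate(user, "correct horse" + totp(user["google"], 59), 59))   # True
    print(authenticate(user, "correct horse" + totp(user["google"], 59), 70))   # False: replay
```

The replay guard is the reason the plugin tells you not to edit the "Google Authenticator Last" value: resetting it to zero would let an attacker who captured a code during its 30-second window submit it a second time.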
 

Installing the yubico package

You need to install php-yubico from http://code.google.com/p/php-yubico/

wget http://php-yubico.googlecode.com/files/Auth_Yubico-2.5.tgz
pear install Auth_Yubico-2.5.tgz


Do not forget to install or enable php-curl, which Auth_Yubico needs to reach the Yubico validation service.

  • Copy the auth.serial_otp module to the plugin directory
  • Clear the cache

Configuration

  • Back up your Pydio instance first, just to be safe
  • Enable the Authfront One-Time-Password (authfront.otp) module in Global configurations >> Extensions importantes >> AuthFront >> Authentication One-Time-Password:
    • Enabled: Yes

    • Order: the default is 13 (don't change it)

    • Protocol type: Sessions only

    • Yubico Secret Key: the secret key that goes with your Yubico Client Id, or blank when you don't plan to use YubiKey

    • Yubico Client Id: your Yubico Client Id generated at http://api.yubico.com/get-api-key/, or blank when you don't plan to use YubiKey

    • Modify login page: Yes (a line "* OTP enabled" is added to the login page)

Per user configuration

Google authenticator

In Users & Groups, select the user to configure.

In the tab bar (Account info ||| ACL ||| Actions ||| Parameters), select Parameters.

  • plugin identifier: authfront.otp
  • parameter name: google (Google Authenticator)
  • repository scope: All

then click Add parameter

  • plugin identifier: authfront.otp
  • parameter name: google_last
  • repository scope: All

then click Add parameter

In the same window, section "All workspaces":

  • open authfront.otp
  • enter the Google secret (e.g. AAAABBBBCCCCDDDD)
  • Don't touch the "Google Authenticator Last" field, it is updated automatically. It is used internally as the defence against replay attacks: it records the time slot of the last accepted code so that the same code cannot be accepted twice.

then click Save

!!! DO NOT USE THE SAME SECRET AS YOUR GOOGLE ACCOUNT !!! Generate a fresh random secret for every user; a secret shared with another service means a compromise of that service also breaks the second factor in Pydio.

YubiKey

Do the same to add the YubiKey parameters (yubikey_enabled, yubikey1 and optionally yubikey2, listed under Instance parameters below).

To register a key, place the cursor in the YubiKey 1 or YubiKey 2 field and press the button on the key; it types its OTP into the field. A maximum of two YubiKeys can be assigned to one user.
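Added example, not part of the plugin: generating a fresh random per-user secret in the base32 form that Google Authenticator and the plugin's "google" parameter accept, the otpauth:// enrolment URI the app can scan, and a sanity decode of a pasted secret. The issuer label "Pydio" and the account name are assumptions.

```python
"""Added illustration (not the plugin's code): provisioning a per-user
Google Authenticator secret for the authfront.otp 'google' parameter."""
import base64
import secrets
from urllib.parse import quote, urlencode


def new_google_secret(nbytes: int = 20) -> str:
    """Random 160-bit secret, base32-encoded without padding: a fresh value per
    user, never one reused from another service (such as a Google account)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def enrolment_uri(account: str, secret: str, issuer: str = "Pydio") -> str:
    """otpauth:// URI (the Google Authenticator key format) to render as a QR
    code or type into the app. Issuer and account name are assumed labels;
    SHA-1 / 6 digits / 30-second step are the defaults the plugin verifies."""
    label = quote(f"{issuer}:{account}")
    query = urlencode({"secret": secret, "issuer": issuer, "algorithm": "SHA1",
                       "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{query}"


def decode_secret(secret: str) -> bytes:
    """Check that what the admin pasted into the 'google' field is valid base32;
    spaces and lower-case letters from a copy-paste are normalised, anything
    else raises and should be rejected before saving."""
    return base64.b32decode(secret.replace(" ", "").upper())


if __name__ == "__main__":
    s = new_google_secret()
    print(s)                           # paste this into the user's 'google' parameter
    print(enrolment_uri("alice", s))   # and let the user scan / enter this in the app
```

Store the secret only in the user's plugin parameter and show it once at enrolment; anyone who can read it can generate valid codes for that user.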

Plugin parameters

Options

  • Order (ORDER): Order this plugin with other auth frontends. Type: Integer. Default: 13
  • Protocol Type (PROTOCOL_TYPE): Enable/disable automatically based on the protocol used. Type: Select (session_only). Default: session_only
  • Modify login page (MODIFY_LOGIN_SCREEN): Login page will be modified to give the user an OTP textbox. Type: Boolean. Default: true
  • Yubico Secret Key (YUBICO_SECRET_KEY): Yubico secret key attached to your account. Type: String
  • Yubico Client ID (YUBICO_CLIENT_ID): Yubico client id attached to your account. Type: String

Instance parameters

Yubikey

  • Use Yubikey (yubikey_enabled): Require the user to use a YubiKey. Type: Boolean. Default: false
  • Your YubiKey ID (yubikey1): YubiKey ID. To add a YubiKey, simply press your key's button to fill this field. Type: String
  • Second YubiKey ID (yubikey2): YubiKey ID. To add a second YubiKey, simply press your key's button to fill this field. Type: String

Google Authenticator

  • Force Google Authenticator (google_enabled_admin): Force Google Authenticator usage without leaving the choice to the user. Type: Boolean. Default: false
  • Enable Google Authenticator (google_enabled): If you enable it for the first time, you will be able to configure the Google Authenticator application the next time you log in. Type: Boolean. Default: false
  • Google Authenticator Secret (google): Google Authenticator secret key. Type: String
  • Google Authenticator Last (google_last): Google Authenticator replay protection, do not edit. Type: Integer

Auth Driver Commons

  • Auto Create User (AUTOCREATE_AJXPUSER): When set to true, the user object is created automatically if the authentication succeeds. Used by remote authentication systems. Type: Boolean. Default: false
  • Login Redirect (LOGIN_REDIRECT): If set to a given URL, the login action will not trigger the display of the login screen but redirect to this URL. Type: String
  • Administrator Login (AJXP_ADMIN_LOGIN): For exotic auth drivers, a user ID that must be considered as admin by default. Type: String
  • Auto apply role (AUTO_APPLY_ROLE): For multiple authentication, apply this role to users authenticated via this driver. Type: String