1. Introduction
1.1. System Overview
LSE LinOTP is a framework for authentication with One Time Passwords (OTP). Its design goal is flexibility: the OTP algorithms, the user stores, the authentication protocols and the management clients can all be chosen per deployment. This section shows the dimensions of that flexibility.
1.2. Components
LSE LinOTP consists of several component types.
The components are shown in Components of LinOTP.
The components are loadable modules that are combined with the LinOTP core as the setup requires. Since the interfaces for the component types are well defined, a new component can be implemented without any impact on the LinOTP core, and such new components can be loaded at runtime.
1.3. LinOTP core
This is the central server part, the LinOTP core. LinOTP is implemented in Python; it is well tested with Python 2.7 and also runs with Python 2.6. It is built on the Pylons web framework, so the other components, such as management clients and authentication modules, communicate with the core by issuing HTTP requests. LinOTP stores all token information in an SQL database; MySQL, PostgreSQL, SQLite, Oracle and DB2 have been tested successfully.
1.4. OTP Calculation
The LinOTP core can use different OTP algorithms to calculate OTP values. Each OTP token is stored with its token type, which identifies how the OTP value for that token is calculated.
At the moment the following types are supported:
- event based HOTP [1],
- time based TOTP [2],
- time based mOTP [3],
- LSE simple pass token,
- SMS OTP,
- RADIUS Token,
- Remote Token,
- Daily Passwords,
- Vasco Digipass Tokens.
New modules for new tokens can be plugged in easily. LinOTP is OATH certified for HOTP and TOTP.
1.5. UserIdResolver
LinOTP uses external user stores to identify the users to whom tokens are assigned; it never modifies the user store. A UserIdResolver has a well defined interface, so a new UserIdResolver can be plugged into LinOTP to make the users of another user store available, and LinOTP can use several UserIdResolvers at the same time. LSE LinOTP provides a PasswdIdResolver to read users from flat files like /etc/passwd, an LDAPIdResolver for LDAP directories like OpenLDAP, Active Directory or Novell eDirectory, and an SQLIdResolver for users in SQL databases.
1.6. Authentication Modules
LinOTP does not bind you to any authentication method. Although RADIUS (Remote Authentication Dial In User Service) is a widely used protocol, it might not fit all needs or might sometimes be too costly to set up, so LinOTP also provides its own interface for authenticating users. At the moment LinOTP provides an authentication module for FreeRADIUS and one for the Unix PAM stack (Pluggable Authentication Modules). Additionally, LinOTP provides a simple web API.
Again, as the LinOTP authentication interface is very lean, other authentication modules can be implemented easily.
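As an added example, not part of this manual or of the LinOTP code base: a minimal client for the web API mentioned above, written the way a PAM or RADIUS connector would call it. It assumes the `/validate/check` endpoint with `user`, `pass` and optional `realm` parameters and a JSON reply carrying `result.status` and `result.value`, which is how LinOTP 2.x documents that call; the host name and the reply bodies below are constructed for the example. The security-relevant part is the decision function: it fails closed on anything unexpected, and it requires both flags to be the boolean true, because a reply with status true and value false is a correctly processed request with a wrong OTP.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample replies in the shape of LinOTP's JSON answers; not captured from a real server.
REPLY_OK = b'{"version": "LinOTP 2", "jsonrpc": "2.0", "result": {"status": true, "value": true}, "id": 0}'
REPLY_WRONG_OTP = b'{"version": "LinOTP 2", "jsonrpc": "2.0", "result": {"status": true, "value": false}, "id": 0}'
REPLY_ERROR = b'{"version": "LinOTP 2", "jsonrpc": "2.0", "result": {"status": false, "error": {"message": "constructed error reply"}}, "id": 0}'
REPLY_TRUTHY = b'{"result": {"status": "true", "value": 1}}'     # strings and ints are not the boolean true
REPLY_GARBAGE = b"<html><body>502 Bad Gateway</body></html>"


def authentication_decision(response_body):
    """Map a /validate/check reply to allow (True) or deny (False), failing closed.

    result.status says the request itself was processed; result.value says the
    OTP was correct. Only both being exactly True is a success. A malformed
    body, a missing key or a non-boolean flag is a denial."""
    try:
        result = json.loads(response_body)["result"]
        return result.get("status") is True and result.get("value") is True
    except (ValueError, KeyError, TypeError, AttributeError):
        return False


def build_check_request(base_url, user, password, realm=None):
    """Build the POST request for /validate/check.

    The parameters go in the body rather than the URL so the OTP does not end
    up in proxy or web-server access logs, and only https base URLs are
    accepted because the OTP travels in clear text inside the HTTP request."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("LinOTP must be reached over https")
    params = {"user": user, "pass": password}
    if realm:
        params["realm"] = realm
    return urllib.request.Request(
        base_url.rstrip("/") + "/validate/check",
        data=urllib.parse.urlencode(params).encode("utf-8"),
        method="POST",
    )


def check_otp(base_url, user, password, realm=None, ca_file=None, timeout=5.0):
    """Ask the LinOTP core whether `password` (PIN + OTP) is valid for `user`.

    `ca_file` pins the CA that issued the LinOTP server certificate; with None
    the system trust store is used. An unreachable server is a denial."""
    req = build_check_request(base_url, user, password, realm)
    ctx = ssl.create_default_context(cafile=ca_file)   # verifies certificate and host name
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return authentication_decision(resp.read())
    except (urllib.error.URLError, OSError):
        return False


if __name__ == "__main__":
    # Offline demonstration on the constructed replies; check_otp() needs a reachable server.
    for name, body in (("ok", REPLY_OK), ("wrong otp", REPLY_WRONG_OTP),
                       ("error", REPLY_ERROR), ("truthy", REPLY_TRUTHY), ("garbage", REPLY_GARBAGE)):
        print(name, "->", "allow" if authentication_decision(body) else "deny")
```

A connector that only tests `result.status`, or that treats a timeout as "no objection", turns an outage of the OTP server into an authentication bypass; the two functions above are the places where that mistake is made or avoided.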
1.7. Management Clients
The LinOTP server can be managed in several different ways. There is a command line client for Windows and Linux, a native GUI for Windows and Linux (see Figure 2) and, starting with LinOTP server 2.2, a Web UI (see Figure 3). All clients cover the core administrative and token management tasks: through these management interfaces the LinOTP server and its UserIdResolvers are configured, and tokens are imported, enrolled, assigned or disabled. For a detailed feature comparison of the different management clients see Table 1. The management clients also provide a view of the users available in the configured user store; as LinOTP only has read access to the user store, the users themselves are not managed within LinOTP.
1.8. Features of different management clients
Feature | CLI management client (linotpadm.py) | Web UI | GUI management client (glinotpadm.py) |
---|---|---|---|
Manage UserIdResolver | ok | ok | ok |
Manage Realms | ok | ok | ok |
Manage license | – | ok | ok |
Enroll eTokenNG OTP | – | – | ok |
Enroll mOTP Token | ok | ok | ok |
Import Token XML file | ok | ok | ok |
Import PSKC file | – | ok | – |
Enroll/Assign eTokenPASS and other HOTP token | ok | ok | ok |
Enroll/Assign TOTP tokens | ok | ok | ok |
Enroll Simple PASS token | – | ok | ok |
Enroll SMS token | – | ok | ok |
Enroll YubiKey | ok | – | ok |
Enroll Remote Token | – | ok | ok |
Enroll RADIUS Token | – | ok | ok |
Enroll Vasco Token | – | ok | ok |
Manage Tokens (enable, disable, delete, assign, unassign) | ok | ok | ok |
Reset Failcounter | ok | ok | ok |
Manage Token detailed token settings | – | ok | ok |
mass enroll eToken NG | ok | – | – |
mass enroll Yubikey | ok | – | – |
Features of the different management clients
1.9. Licenses
LinOTP and its components are licensed either under the GNU Affero General Public License (AGPL) Version 3 or under the GNU General Public License (GPL) Version 2.
The LinOTP logo and the LinOTP Manual are intellectual property of LSE Leading Security Experts GmbH and may not be used without permission.
1.9.1. LinOTP Server
- LinOTP server (AGPLv3)
1.9.2. LinOTP Administration Clients (adminclients)
- LinOTPAdminClientCLI (AGPLv3 : linotpadm.py)
- LinOTPAdminClientGUI (AGPLv3 : glinotpadm.py)
1.9.3. LinOTP Management GUI
- LinOTPAdminClientGUI (AGPLv3 : glinotpadm.py)
- WebGui (AGPLv3)
1.9.4. LinOTP Authentication Connectors (authmodules)
- freeradius (GPLv2+ : rlm_linotp2)
- libpam-linotp (GPLv2+ : pam_linotp.c)
- freeradius_perl (GPLv2+ : radius_linotp.pm)
- pam_py_linotp (GPLv2+ : pam_linotp.py, setup.py)
- simplesamlphp-module (GPLv2+ : copyright)
- wordpress-php (GPLv2+: linotp.php)
1.9.5. LinOTP User Connectors (useridresolver)
- LDAPIdResolver.py (AGPLv3)
- PasswdIdResolver.py (AGPLv3)
- SCIMIdResolver.py (AGPLv3)
- SQLIdResolver.py (AGPLv3)
1.9.6. LinOTP SMS Connectors
- DeviceSMSProvider.py (AGPLv3)
- HttpSMSProvider.py (AGPLv3)
- SmtpSMSProvider.py (AGPLv3)
[1] RFC 4226
[2] RFC 6238
[3] http://motp.sourceforge.net