1. Introduction

1.1. System Overview

LSE LinOTP is a framework that provides highly flexible authentication with One Time Passwords (OTP). This section shows the dimensions of that flexibility.

1.2. Components

LSE LinOTP consists of several component types.

[Figure: Components of LinOTP (LinOTP2_modular_architecture_rev08.png)]

The components are shown in Components of LinOTP.

The components are loadable modules that are used together with the LinOTP core, depending on the setup. Since the interfaces of each component type are well defined, new components can be implemented without any impact on the LinOTP core, and such new components can be loaded at runtime.

1.3. LinOTP core

The LinOTP core is the central server component. It is implemented in Python, is well tested with Python 2.7, and also runs with Python 2.6. It uses Pylons for the communication between the core and the other components: management clients and authentication modules issue HTTP requests to the LinOTP core. LinOTP stores all token information in an SQL database; MySQL, PostgreSQL, SQLite, Oracle and DB2 have been tested successfully.

1.4. OTP Calculation

The LinOTP core can use different OTP algorithms for calculating OTP values. Each OTP token is stored with its token type, which identifies how its OTP value is calculated.

At the moment the following types are supported:

  • event based HOTP [1],
  • time based TOTP [2],
  • time based mOTP [3],
  • LSE simple pass token,
  • SMS OTP,
  • RADIUS Token,
  • Remote Token,
  • Daily Passwords,
  • Vasco Digipass Tokens.

New token modules can be plugged in easily. LinOTP is OATH certified for HOTP and TOTP.

1.5. UserIdResolver

LinOTP uses external userstores to identify the users to whom tokens are assigned; LinOTP does not modify the userstore. A UserIdResolver has a well defined interface, so a new UserIdResolver can be plugged into LinOTP to make users from another userstore available. LinOTP can use several UserIdResolvers at the same time. LSE LinOTP provides a PasswdUserIdResolver to access users from flat files like /etc/passwd, an LDAPIdResolver to use users from LDAP directories like OpenLDAP, Active Directory or Novell eDirectory, and an SQLUserIdResolver to access users in SQL databases.

1.6. Authentication Modules

LinOTP does not bind you to any authentication method. Although RADIUS (Remote Authentication Dial In User Service) is a widely used protocol, it might not fit all needs or might sometimes be too costly to set up. So LinOTP also provides an interface for authenticating users. At the moment LinOTP provides an authentication module for FreeRADIUS and for the Unix PAM stack (Pluggable Authentication Module). Additionally, LinOTP provides a simple web API.

Again, as the LinOTP authentication interface is very lean, other authentication modules can be implemented easily.

1.7. Management Clients

The LinOTP server can be managed in several different ways. There is a command line client for Windows and Linux, a native GUI for Windows and Linux (see Figure 2) and, starting with LinOTP server 2.2, a Web UI (see Figure 3). All clients can be used for all administrative and token management tasks. Using these management interfaces, the LinOTP server and its UserIdResolvers can be configured, and tokens can be imported, enrolled, assigned or disabled. For a detailed feature comparison of the different management clients see Table 1. The management client also provides a view of the available users in the configured userstore. Of course, as LinOTP only has read access to the userstore, the users themselves are not managed within LinOTP.

1.8. Features of different management clients

Feature CLI management client (linotpadm.py) Web UI GUI management client (glinotpadm.py)
Manage UserIdResolver ok ok ok
Manage Realms ok ok ok
Manage license ok ok
Enroll eTokenNG OTP ok
Enroll mOTP Token ok ok ok
Import Token XML file ok ok ok
Import PSKC file ok
Enroll/Assign eTokenPASS and other HOTP token ok ok ok
Enroll/Assign TOTP tokens ok ok ok
Enroll Simple PASS token ok ok
Enroll SMS token ok ok
Enroll YubiKey ok ok
Enroll Remote Token ok ok
Enroll RADIUS Token ok ok
Enroll Vasco Token ok ok
Manage Tokens (enable, disable, delete, assign, unassign) ok ok ok
Reset Failcounter ok ok ok
Manage Token detailed token settings ok ok
mass enroll eToken NG ok
mass enroll Yubikey ok

Features of the different management clients

1.9. Licenses

LinOTP and its components are licensed under either the GNU Affero General Public License (AGPL) Version 3 or the GNU General Public License (GPL) Version 2.

The LinOTP logo and the LinOTP Manual are intellectual property of LSE Leading Security Experts GmbH and cannot be used without permission.

1.9.1. LinOTP Server

  • LinOTP server (AGPLv3)

1.9.2. LinOTP Administration Clients (adminclients)

  • LinOTPAdminClientCLI (AGPLv3 : linotpadm.py)
  • LinOTPAdminClientGUI (AGPLv3 : glinotpadm.py)

1.9.3. LinOTP Management GUI

  • LinOTPAdminClientGUI (AGPLv3 : glinotpadm.py)
  • WebGui (AGPLv3)

1.9.4. LinOTP Authentication Connectors (authmodules)

  • freeradius (GPLv2+ : rlm_linotp2)
  • libpam-linotp (GPLv2+ : pam_linotp.c)
  • freeradius_perl (GPLv2+ : radius_linotp.pm)
  • pam_py_linotp (GPLv2+ : pam_linotp.py, setup.py)
  • simplesamlphp-module (GPLv2+ : copyright)
  • wordpress-php (GPLv2+: linotp.php)

1.9.5. LinOTP User Connectors (useridresolver)

  • LDAPIdResolver.py (AGPLv3)
  • PasswdIdResolver.py (AGPLv3)
  • SCIMIdResolver.py (AGPLv3)
  • SQLIdResolver.py (AGPLv3)

1.9.6. LinOTP SMS Connectors

  • DeviceSMSProvider.py (AGPLv3)
  • HttpSMSProvider.py (AGPLv3)
  • SmtpSMSProvider.py (AGPLv3)

[1] RFC 4226
[2] RFC 6238
[3] http://motp.sourceforge.net