10. SMSProvider for SMS OTP Tokens / Mobile TANs¶
Starting with version 2.2 LinOTP also supports sending one time passwords via SMS. In this case an SMS OTP token needs to be created. Internally this token is a HMAC token. The token object gets a mobile phone number and this token is assigned to the user.
10.1. Overview¶
10.1.1. Triggering SMS¶
When calling the API /validate/smspin the user is authenticated by the username and OTP PIN. The sending of an SMS with a OTP value is triggered. This OTP value is valid for a configurable amount of time. A sample webpage can be used at
Another possibility of triggering SMS is when the user authenticates with username and PIN. When username and PIN are passed to the authentication URL like /validate/check or /validate/simplecheck, the user is rejected, but, if the PIN is correct, the sending of an SMS is triggered.
Note
Thus SMS can be easily used in conjunction with the RADIUS protocol. The user first needs to authenticate at the RADIUS client with username and PIN. The user will be rejected. After that an SMS will be sent to the user. Then the user needs to authenticate with username and PIN+OTP (from the SMS) and the user will be successfully authenticated.
Starting with version 2.6 SMS can also be triggered using the new challenge response mechanism described in Challenge Response.
10.1.2. Configuration¶
These three values can be configured in the server configuration:
- SMSProvider
- SMSProviderConfig
- SMSProviderTimeout
10.2. SMSProvider¶
An SMSProvider is a LinOTP module, that defines how SMS are sent. At the moment LinOTP comes with two different kinds of SMSProviders.
10.2.1. HttpSMSProvider¶
In this case LinOTP uses public available SMS gateways. There are providers like clickatell.com or smsout.de that can create an SMS by calling a certain well formed URL. The LinOTP HttpSMSProvider module is designed very flexible, so that every SMS Gateway that either uses HTTP GET or HTTP POST request can be used to send SMS.
You need to enter smsprovider.HttpSMSProvider.HttpSMSProvider as SMSProvider.
10.2.2. DeviceSMSProvider¶
LinOTP also comes with an SMSProvider module to enable the LinOTP server to send SMS itself. This can be achieved by connecting an appropriate phone to the LinOTP machine. The SMS are then send via this phone directly. You need to enter smsprovider.DeviceSMSProvider.DeviceSMSProvider as SMSProvider.
10.2.3. SmtpSMSProvider¶
LinOTP can also send SMS via SMTP-Gateways. This means an email is sent to a fixed email address with a certain subject and body. This is interpreted and the gateway sends an SMS to the phone number that is contained either in the subject or the body.
You need to enter smsprovider.SmtpSMSProvider.SmtpSMSProvider as SMSProvider.
10.3. SMSProviderConfig¶
Depending on the type of the SMSProvider, this configuration key stores different values.
10.3.1. HttpSMSProvider¶
For HttpSMSProvider this is:
{"URL":"http://smsgateway.com/sms_send_api.cgi",
"PARAMETER": {
"from":"0170111111",
"password":"yoursecret",
"sender":"name",
"account":"company_ltd"
},
"SMS_TEXT_KEY":"text",
"SMS_PHONENUMBER_KEY":"destination",
"HTTP_Method":"GET",
"PROXY":"http://username:password@your-proxy:8080",
"RETURN_SUCCESS":"ID"
}
The URL holds the link to the API of the SMS Gateway. The PARAMETER can hold any number of fixed parameters, that allow you to use this SMS Gateway to send SMS. Usually this will at least be something like a username or an account and a password.
- SMS_TEXT_KEY
- denotes, which parameter in the URL will hold the SMS text itself.
- SMS_PHONENUMBER_KEY
- denotes, which parameter in the URL will be used to pass the mobile phone number to which the SMS should be sent.
- HTTP_Method
- denotes, if the API of the SMS Gateway should be used with HTTP GET or HTTP POST request.
- USERNAME PASSWORD
- to support HTTP Basic Authentication the parameters USERNAME and PASSWORD can be set.
- PROXY
- is an optional parameter that needs to be set when the LinOTP server accesses the internet via a proxy. This can be either HTTP or HTTPS and you may specify a username for authenticating to the proxy server.
- RETURN_SUCCESS
- matches the reply of the SMS Gateway to indicate successful sending of the SMS. The first characters of the reply are compared to this definition.
- RETURN_FAIL
- matches the reply of the SMS Gateway to indicate the failed sending of the SMS. The first characters of the reply are compared to this definition. The RETURN_FAIL is only evaluated if the RETURN_SUCCESS is not defined.
This is an example configuration for the clickatell SMS Gateway:
{ "URL" : "http://api.clickatell.com/http/sendmsg",
"PARAMETER" : {
"user":"username",
"password":"askme",
"api_id":"12980436"
},
"SMS_TEXT_KEY":"text",
"SMS_PHONENUMBER_KEY":"to",
"HTTP_Method":"GET",
"PROXY" : "http://user:pass@192.168.100.250:8080",
"RETURN_SUCCESS" : "ID"
}
Note
You need to use double quotes and not single quotes! Using single quotes will result in an error and sending SMS will not be possible.
10.3.2. DeviceSMSProvider¶
The DeviceSMSProvider module uses the tool gnokii [1] to send SMS. The configuration parameter looks like this:
{"CONFIGFILE":"/etc/linotp2/gnokiirc"}
where the value of CONFIGFILE reflects the location of the gnokiirc configuration file. A valid configuration file will look like this:
[global]
model = AT
port = /dev/ttyACM1
connection = serial
Note
- The LinOTP service account needs to have write access on the device defined in the port variable. In this case on /dev/ttyACM1. Usually this can be achieved by adding the LinOTP service account linotp to the group dialout.
- There were problems reported using gnokii version 0.6.28. It is recommended to use version 0.6.29.
10.3.3. SmtpSMSProvider¶
The configuration for the SmtpSMSProvider looks like this:
{ “mailserver” : “smtp.yourdomain.com”,
“mailsender” : “linotp@yourdomain.com”,
“mailuser” : “account-to-login-to-smtp-server”,
“mailpassword” : “somesecret”,
“mailto”: “mailadress@smstp-gateway”,
“subject” : “<phone>”,
“body” : “This is your OTP-value: <otp>”
}
The parameters mailuser and mailpassword are optional. The tag <phone> needs to be put where the smtp gateway expects it. This can either be the subject, the body or the mailto. The <phone> tag will be replaced with the mobile phone number of the user. The tag <otp> will be replaced by the generated OTP value. The tag can be places in the subject or in the body.
10.4. SMSProviderTimeout¶
This configuration key holds the time that an OTP value that was sent via SMS is valid. This number is interpreted in seconds. The default value is 300 e.g. 5 minutes. That means that after a user requested a SMS OTP he will be able to use this OTP value within the next 5 minutes. If the SMS arrives later or the user will not use this OTP value within 5 minutes, it will not be valid anymore.
[1] | http://www.gnokii.org/ |