1. Introduction

1.1. System Overview

LinOTP is a framework for flexible authentication with One Time Passwords (OTP). This section shows the dimensions of that flexibility.

1.2. Components

LinOTP consists of several component types.

Figure: Components of LinOTP (modular architecture)

The components are loadable modules that are combined with the LinOTP core as the setup requires. Since the interface of each component type is well defined, new components can be implemented without any change to the LinOTP core, and they can be loaded at runtime.

1.3. LinOTP core

This is the central server part, the LinOTP core. LinOTP is implemented in Python; it is well tested with Python 2.7 and also runs with Python 2.6 (note that both Python 2.6 and 2.7 have reached end of life upstream and no longer receive security fixes). The core uses the Pylons web framework for its communication with the other components: management clients and authentication modules issue HTTP requests to the LinOTP core. LinOTP stores all token information in an SQL database; MySQL, PostgreSQL, SQLite, Oracle and DB2 have been tested successfully.

1.4. OTP Calculation

The LinOTP core can use different OTP algorithms to calculate OTP values. Each OTP token is stored together with its token type, which identifies how the OTP value for that token is calculated.

At the moment the following types are supported:

  • event based HOTP [1],

  • time based TOTP [2],

  • time based mOTP [3],

  • KeyIdentity Push Token,

  • KeyIdentity QR Token,

  • KeyIdentity Simple Pass Token,

  • KeyIdentity Static Password Token,

  • Voice Token,

  • OCRA Token,

  • SMS OTP,

  • E-Mail OTP,

  • RADIUS Token,

  • Remote Token,

  • Daily Passwords,

  • Yubikeys,

  • Vasco Digipass Token.

New modules for new tokens can be plugged in easily. LinOTP is OATH certified for HOTP and TOTP.
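To make the event based and time based token types concrete, here is an added worked example (written for Python 3; it is not LinOTP's own token code) of the HOTP [1] and TOTP [2] calculations, plus the verification logic a server needs around them: a look-ahead window for event based tokens and a clock-skew window for time based tokens, both refusing any counter or time step that has already been accepted so a captured OTP cannot be replayed. The mOTP [3] function follows the algorithm published at motp.sourceforge.net (MD5 over the ten-second epoch, the secret and the PIN, first six hex digits); the window sizes and the secret shown are example values only.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits, algo)


def motp(secret_hex: str, pin: str, for_time: int) -> str:
    """mOTP as published at motp.sourceforge.net: md5(epoch//10 + secret + pin)[:6]."""
    data = "{}{}{}".format(for_time // 10, secret_hex, pin).encode()
    return hashlib.md5(data).hexdigest()[:6]


def verify_hotp(secret: bytes, last_counter: int, candidate: str,
                window: int = 10, digits: int = 6) -> Optional[int]:
    """Event based check with a look-ahead window (example size: 10).

    Returns the counter that matched, which the caller must persist as the
    new last_counter, or None. Counters at or below last_counter are never
    tried, so a previously used OTP is rejected even if it is inside the window.
    """
    for counter in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


def verify_totp(secret: bytes, candidate: str, now: int, step: int = 30,
                digits: int = 6, drift: int = 1,
                last_step: Optional[int] = None) -> Optional[int]:
    """Time based check tolerating +/- drift steps of clock skew (example: 1).

    Returns the accepted time step, which the caller must persist, or None.
    A step at or before the last accepted one is refused so the same OTP
    cannot be presented twice inside its validity window.
    """
    for delta in range(-drift, drift + 1):
        step_no = now // step + delta
        if last_step is not None and step_no <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, step_no, digits), candidate):
            return step_no
    return None


if __name__ == "__main__":
    # Secret from the RFC 4226 / RFC 6238 test vectors, not a production key.
    secret = b"12345678901234567890"
    print("HOTP counter 0:", hotp(secret, 0))          # 755224
    print("TOTP at T=59 :", totp(secret, 59, digits=8))  # 94287082
    print("accepted counter:", verify_hotp(secret, 0, hotp(secret, 3)))
    print("replay refused  :", verify_hotp(secret, 3, hotp(secret, 3)))
```

Both verifiers return the accepted counter or time step rather than a bare boolean; a server must store that value before answering "valid", otherwise the replay protection is lost. A production implementation additionally needs the per-token failure counter that the management clients below can reset.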

1.5. UserIdResolver

LinOTP uses external user stores to identify the users to whom tokens are assigned; it only reads from these stores and never modifies them. A UserIdResolver implements a well defined interface, so a new UserIdResolver can be plugged into LinOTP to make users from another kind of user store available. LinOTP can use several UserIdResolvers at the same time, organized into so-called "realms". LinOTP ships a PasswdUserIdResolver for flat files such as /etc/passwd, an LDAPIdResolver for LDAP directories such as OpenLDAP, Active Directory or Novell eDirectory, and an SQLUserIdResolver for users stored in SQL databases.
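The following added example (Python 3; a deliberately simplified interface, not LinOTP's own resolver API) shows the two ideas of this section in code: a read-only resolver over /etc/passwd-formatted data, and realms that search several resolvers for a login name. It also covers the case a practitioner has to decide on: the same login name existing in two resolvers of one realm, which the example refuses instead of picking silently, and it returns the store's stable user id rather than the login name, which is what a token assignment should be bound to. The "user@realm" login syntax, the resolver names and the passwd lines are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple


class AmbiguousUser(Exception):
    """The same login name exists in more than one resolver of a realm."""


class PasswdResolver:
    """Read-only resolver over /etc/passwd-formatted text.

    Hypothetical simplified interface for this example; it never writes
    to the underlying store.
    """

    def __init__(self, name: str, text: str) -> None:
        self.name = name
        self._by_login: Dict[str, Dict[str, str]] = {}
        for line in text.splitlines():
            if not line or line.startswith("#"):
                continue
            fields = line.split(":")
            if len(fields) != 7:
                continue  # malformed record: skip it rather than guess
            login, _pw, uid, gid, gecos, home, _shell = fields
            self._by_login[login] = {"uid": uid, "gid": gid,
                                     "description": gecos, "home": home}

    def get_user_id(self, login: str) -> Optional[str]:
        user = self._by_login.get(login)
        return user["uid"] if user else None

    def get_user_info(self, uid: str) -> Optional[Dict[str, str]]:
        for login, info in self._by_login.items():
            if info["uid"] == uid:
                return dict(info, login=login)
        return None


class Realm:
    """A named group of resolvers that are all searched for a login name."""

    def __init__(self, name: str, resolvers: List[PasswdResolver]) -> None:
        self.name = name
        self.resolvers = resolvers

    def resolve(self, login: str) -> Optional[Tuple[str, str]]:
        """Return (resolver name, user id); refuse ambiguous login names."""
        hits = []
        for resolver in self.resolvers:
            uid = resolver.get_user_id(login)
            if uid is not None:
                hits.append((resolver.name, uid))
        if not hits:
            return None
        if len(hits) > 1:
            raise AmbiguousUser("%r found in %s within realm %r"
                                % (login, [h[0] for h in hits], self.name))
        return hits[0]


def resolve_login(login: str, realms: Dict[str, Realm],
                  default_realm: str) -> Optional[Tuple[str, str, str]]:
    """Map 'user' or 'user@realm' (assumed convention) to (realm, resolver, uid)."""
    if "@" in login:
        user, realm_name = login.rsplit("@", 1)
    else:
        user, realm_name = login, default_realm
    realm = realms.get(realm_name)
    if realm is None:
        return None
    hit = realm.resolve(user)
    if hit is None:
        return None
    return (realm.name, hit[0], hit[1])


# Constructed sample data for the example, not real system files.
EMPLOYEES = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/sh
this line is malformed and must be skipped
"""
CONTRACTORS = """\
bob:x:2000:2000:Bob Contractor:/home/bob:/bin/sh
carol:x:2001:2001:Carol Example:/home/carol:/bin/bash
"""

REALMS = {
    "staff": Realm("staff", [PasswdResolver("employees", EMPLOYEES),
                             PasswdResolver("contractors", CONTRACTORS)]),
    "external": Realm("external", [PasswdResolver("contractors", CONTRACTORS)]),
}

if __name__ == "__main__":
    print(resolve_login("alice", REALMS, "staff"))        # ('staff', 'employees', '1000')
    print(resolve_login("bob@external", REALMS, "staff"))  # ('external', 'contractors', '2000')
    try:
        resolve_login("bob", REALMS, "staff")
    except AmbiguousUser as exc:
        print("refused:", exc)
```

Binding a token to the (resolver, user id) triple instead of the login name means that a renamed or re-created account in the user store does not silently inherit someone else's token; the lookup direction is always from the store into LinOTP, never the other way round.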

1.6. Authentication Modules

LinOTP does not bind you to any particular authentication method. RADIUS (Remote Authentication Dial In User Service) is a widely used protocol, but it does not fit every need and can be too costly to set up, so LinOTP also exposes its own interface for authenticating users. At the moment LinOTP provides an authentication module for FreeRADIUS and one for the Unix PAM stack (Pluggable Authentication Modules), and additionally a simple web API.

Again, because the LinOTP authentication interface is very lean, further authentication modules can be implemented easily.

1.7. Management Clients

The LinOTP server can be managed in several ways: there is a command line client for Windows and Linux, and a Web UI. All clients can be used for administrative and token management tasks. Through these management interfaces the LinOTP server and its UserIdResolvers are configured, and tokens are imported, enrolled, assigned or disabled. For a detailed feature comparison of the management clients see Table 1. The Web UI management client also provides a view of the users available in the configured user stores; since LinOTP only has read access to the user store, the users themselves are not managed within LinOTP.

1.8. Features of different management clients

Table 1: Features of the different management clients

Feature                                                     Supported by
---------------------------------------------------------   ----------------
Manage UserIdResolver                                       CLI and Web UI
Manage Realms                                               CLI and Web UI
Manage license                                              one client only
Enroll eTokenNG OTP                                         (no mark)
Enroll mOTP Token                                           CLI and Web UI
Import Token XML file                                       CLI and Web UI
Import PSKC file                                            one client only
Enroll/Assign eTokenPASS and other HOTP Token               CLI and Web UI
Enroll/Assign TOTP tokens                                   CLI and Web UI
Enroll Simple PASS Token                                    one client only
Enroll SMS Token                                            one client only
Enroll YubiKey                                              one client only
Enroll Remote Token                                         one client only
Enroll RADIUS Token                                         one client only
Enroll Vasco Token                                          one client only
Manage Tokens (enable, disable, delete, assign, unassign)   CLI and Web UI
Reset Failcounter                                           CLI and Web UI
Manage detailed token settings                              one client only
Mass enroll eToken NG                                       one client only
Mass enroll YubiKey                                         one client only

CLI = CLI management client (linotpadm.py); Web UI = LinOTP Web UI.

1.9. Licenses

LinOTP and its components are licensed either under the GNU Affero General Public License (AGPL) Version 3 or under the GNU General Public License (GPL) Version 2.

The LinOTP logo and the LinOTP manuals and documentation ("LinOTP Management Guide", "LinOTP Installation Guide", "LinOTP User Guide", "LinOTP Appliance Manual", "LinOTP Module Development Guide") are intellectual property under the copyright of KeyIdentity GmbH and cannot be used without permission.

1.9.1. LinOTP Server

  • LinOTP server (AGPLv3)

1.9.2. LinOTP Administration Clients (adminclients)

  • LinOTPAdminClientCLI (AGPLv3 : linotpadm.py)

1.9.3. LinOTP Management GUI

  • WebGui (AGPLv3)

1.9.4. LinOTP Authentication Connectors (authmodules)

  • freeradius (GPLv2+ : rlm_linotp2)

  • libpam-linotp (GPLv2+ : pam_linotp.c)

  • freeradius_perl (GPLv2+ : radius_linotp.pm)

  • pam_py_linotp (GPLv2+ : pam_linotp.py, setup.py)

  • simplesamlphp-module (GPLv2+ : copyright)

  • wordpress-php (GPLv2+: linotp.php)

1.9.5. LinOTP User Connectors (UserIdResolver)

  • LDAPIdResolver.py (AGPLv3)

  • PasswdIdResolver.py (AGPLv3)

  • SCIMIdResolver.py (AGPLv3)

  • SQLIdResolver.py (AGPLv3)

1.9.6. LinOTP SMS Connectors

  • DeviceSMSProvider.py (AGPLv3)

  • HttpSMSProvider.py (AGPLv3)

  • SmtpSMSProvider.py (AGPLv3)

[1] RFC 4226

[2] RFC 6238

[3] http://motp.sourceforge.net