1. Introduction
1.1. System Overview
LinOTP is a framework that provides highly flexible authentication with One Time Passwords (OTP). The dimensions of that flexibility are described in this section.
1.2. Components
LinOTP consists of several component types.
The components are loadable modules which can be used depending on the setup with the LinOTP core. Since the interfaces for component types are well defined, it is straightforward to implement new components without any impact on the LinOTP core. Such new components can be easily loaded during runtime.
1.3. LinOTP core
This is the central server part, the LinOTP core. LinOTP is implemented in Python; it is well tested with Python 2.7 and will also run with Python 2.6. It uses the Pylons web framework for the communication between the other components and the core. Thus the other components, such as management clients and authentication modules, issue HTTP requests to communicate with the LinOTP core. LinOTP stores all token information in an SQL database. MySQL, PostgreSQL, SQLite, Oracle and DB2 were tested successfully.
1.4. OTP Calculation
The LinOTP core is capable of using different OTP algorithms for calculating the OTP values. Each OTP token is stored with its token type, which identifies how the OTP value is calculated.
At the moment the following types are supported:
event based HOTP 1,
time based TOTP 2,
time based mOTP 3,
KeyIdentity Push Token,
KeyIdentity QR Token,
KeyIdentity Simple Pass Token,
KeyIdentity Static Password Token,
Voice Token,
OCRA Token,
SMS OTP,
E-Mail OTP,
RADIUS Token,
Remote Token,
Daily Passwords,
Yubikeys,
Vasco Digipass Token.
New modules for new tokens can be plugged in easily. LinOTP is OATH certified for HOTP and TOTP.
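Since LinOTP is written in Python, the following added example (written for this page; it is not LinOTP's own token code) shows how the first two token types in the list, event-based HOTP (RFC 4226) and time-based TOTP (RFC 6238), are computed, and how a server verifies them: HOTP with a forward-only counter and a bounded look-ahead window, TOTP with a small clock-skew tolerance. The seed is the well-known 20-byte test seed from those RFCs, embedded here as constructed sample input; the window and skew sizes are assumptions for the example, not LinOTP's configured defaults.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample secret: the 20-byte ASCII seed used by the RFC 4226 /
# RFC 6238 test vectors. A real token seed is random and lives in the token DB.
SAMPLE_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """Event-based OTP (RFC 4226).

    HMAC the 8-byte big-endian counter with the shared seed, take the 4-byte
    window whose offset is the low nibble of the last MAC byte ("dynamic
    truncation"), clear the sign bit and reduce modulo 10^digits.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, digestmod)


def verify_hotp(secret: bytes, candidate: str, counter: int,
                window: int = 10) -> Optional[int]:
    """Server-side HOTP check.

    The server stores the last accepted counter per token. A token drifts
    ahead whenever the user generates OTPs that never reach the server, so the
    server searches a bounded look-ahead window (size assumed for this
    example). Returns the next counter to persist on success, None on failure.
    Because the stored counter only moves forward, an already accepted OTP can
    never be replayed.
    """
    for i in range(window):
        if hmac.compare_digest(hotp(secret, counter + i), candidate):
            return counter + i + 1
    return None


def verify_totp(secret: bytes, candidate: str, for_time: Optional[float] = None,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server-side TOTP check tolerating +/- `skew` time steps of clock drift."""
    now = int(for_time if for_time is not None else time.time())
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, now + delta * step, step, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(SAMPLE_SEED, c)}")
    print("TOTP at t=59, 8 digits:", totp(SAMPLE_SEED, for_time=59, digits=8))
    print("verify_hotp next counter:", verify_hotp(SAMPLE_SEED, "338314", 2))
```

The two verify functions use `hmac.compare_digest` so that the comparison time does not depend on how many leading digits match. Note that `verify_totp` only answers whether the value is valid for the current step window; a server that wants to refuse reuse of a TOTP value within the same step must additionally record the last time step it accepted for that token.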
1.5. UserIdResolver
LinOTP uses external user stores to identify the users to whom tokens get assigned. LinOTP does not modify the user store. A UserIdResolver has a well defined interface, so a new UserIdResolver can be plugged into LinOTP to make users from another user store available. LinOTP can use several UserIdResolvers at the same time; these can be organized and used in so called "realms". LinOTP provides a PasswdUserIdResolver to access users from flat files like /etc/passwd, an LDAPIdResolver to use users from LDAP directories like OpenLDAP, Active Directory or Novell eDirectory, and an SQLUserIdResolver to access users in SQL databases.
1.6. Authentication Modules
LinOTP does not bind you to any authentication method. Although RADIUS (Remote Authentication Dial-In User Service) is a widely used protocol, it might not fit all needs or might sometimes be too costly to set up. So LinOTP also provides an interface for authenticating users. At the moment LinOTP provides an authentication module for FreeRADIUS and one for the Unix PAM stack (Pluggable Authentication Module). Additionally, LinOTP provides a simple web API.
Again, as the LinOTP authentication interface is very lean, other authentication modules can be implemented easily.
1.7. Management Clients
The LinOTP server can be managed in several different ways. There is a command line client for Windows and Linux and a Web UI. All clients can be used for all administrative and token management tasks. Using these management interfaces, the LinOTP server and its UserIdResolvers can be configured. Tokens can be imported, enrolled, assigned or disabled. For a detailed feature comparison of the different management clients see Table 1. The Web UI management client also provides a view of the available users in the configured user store. Of course, as LinOTP only has read access to the user store, the users will not be managed within LinOTP.
1.8. Features of different management clients

Feature | CLI management client (linotpadm.py) | Web UI
---|---|---
Manage UserIdResolver | ok | ok
Manage Realms | ok | ok
Manage license | – | ok
Enroll eTokenNG OTP | – | –
Enroll mOTP Token | ok | ok
Import Token XML file | ok | ok
Import PSKC file | – | ok
Enroll/Assign eTokenPASS and other HOTP Token | ok | ok
Enroll/Assign TOTP tokens | ok | ok
Enroll Simple PASS Token | – | ok
Enroll SMS Token | – | ok
Enroll YubiKey | ok | –
Enroll Remote Token | – | ok
Enroll RADIUS Token | – | ok
Enroll Vasco Token | – | ok
Manage Tokens (enable, disable, delete, assign, unassign) | ok | ok
Reset Failcounter | ok | ok
Manage Token detailed token settings | – | ok
mass enroll eToken NG | ok | –
mass enroll YubiKey | ok | –

Table 1: Features of the different management clients
1.9. Licenses
LinOTP and its components are licensed under either the GNU Affero General Public License (AGPL) Version 3 or the GNU General Public License (GPL) Version 2.
The LinOTP logo and the LinOTP manuals and documentation ("LinOTP Management Guide", "LinOTP Installation Guide", "LinOTP User Guide", "LinOTP Appliance Manual", "LinOTP Module Development Guide") are intellectual property under the copyright of KeyIdentity GmbH and cannot be used without permission.
1.9.1. LinOTP Server
LinOTP server (AGPLv3)
1.9.2. LinOTP Administration Clients (adminclients)
LinOTPAdminClientCLI (AGPLv3 : linotpadm.py)
1.9.3. LinOTP Management GUI
WebGui (AGPLv3)
1.9.4. LinOTP Authentication Connectors (authmodules)
freeradius (GPLv2+ : rlm_linotp2)
libpam-linotp (GPLv2+ : pam_linotp.c)
freeradius_perl (GPLv2+ : radius_linotp.pm)
pam_py_linotp (GPLv2+ : pam_linotp.py, setup.py)
simplesamlphp-module (GPLv2+ : copyright)
wordpress-php (GPLv2+ : linotp.php)
1.9.5. LinOTP User Connectors (UserIdResolver)
LDAPIdResolver.py (AGPLv3)
PasswdIdResolver.py (AGPLv3)
SCIMIdResolver.py (AGPLv3)
SQLIdResolver.py (AGPLv3)