PHP script for TFA login

Hello,

During privacyIDEA testing for our environment I'm trying to write a test PHP
script based on the checkOtp function from
https://github.com/privacyidea/privacyidea/blob/master/authmodules/ownCloud/user_privacyidea/lib/otp_privacyidea.php
I'm trying to get this basic functionality:

  1. Show a submit form with these fields:
    • Login
    • Password
    • PIN
  2. When the 'Login' and 'Password' fields are filled, the GetPIN button
    becomes active so it allows the user to get a PIN via SMS and put it
    into the PIN field. The user is also able to fill the PIN field using
    their own PIN generator.
    In privacyIDEA I have configured an LDAP realm; the test user has two
    tokens assigned to him - sms and hotp.

Maybe I have been looking at FreeIPA+OTP for too long, but please correct me
if I'm wrong.
I could pass the check at /validate/check when I use username with
LDAP_password, or username with PIN. But I can't use username with
LDAP_Password+PIN, so in the current situation guessing 6 digits passes all
checks, but how do I check both factors with /validate/check at once?

Thank you.

Yes

you can either use

(LDAP-password) + (OTP VALUE)

or

(OTP PIN) + (OTP VALUE)

Kind regards
Cornelius

On Tuesday, 19.01.2016, 09:41 -0800, MKS wrote:

Looks like setting an authentication policy with otppin=userstore moves
me forward. Am I on the right path? )


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/b5a2b94c-8e10-46f4-a1c8-22819eae058e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Looks like setting an authentication policy with otppin=userstore moves me
forward. Am I on the right path? )

Thank you, I moved one step forward.
Now I'm trying to check whether the user really has an SMS token configured
when he presses the "Get SMS" button (which uses the /validate/check URL).

For a user with a disabled SMS token I'm still getting:
{"detail": {"message": "Enter the OTP from the SMS:"}, "versionnumber": "2.9",
"version": "privacyIDEA 2.9", "result": {"status": true, "value": false},
"time": 1453372931.413365, "id": 1}

For a user without SMS tokens the response is the same as for a user with
the wrong password:
{"detail": {"message": "wrong otp pin"}, "versionnumber": "2.9",
"version": "privacyIDEA 2.9", "result": {"status": true, "value": false},
"time": 1453373017.457972, "id": 1}

As far as I understand I should stick to status-value pairs for all checks
via the API, but what condition should be used to tell that the user has no
option to get an SMS and hide the "Get SMS" button for him after the first
try?

On Tuesday, January 19, 2016 at 9:02:40 PM UTC+2, Cornelius Kölbel wrote:

Yes

you can either use

(LDAP-password) + (OTP VALUE)

or

(OTP PIN) + (OTP VALUE)

Kind regards
Cornelius

Hello, Cornelius

    > Thank you, I moved one step forward.
    > Now I'm trying to check whether the user really has an SMS token
    > configured when he presses the "Get SMS" button (which uses the
    > /validate/check URL).
    >
    > For a user with a disabled SMS token I'm still getting:
    > {"detail": {"message": "Enter the OTP from the SMS:"}, "versionnumber": "2.9",
    > "version": "privacyIDEA 2.9", "result": {"status": true, "value": false},
    > "time": 1453372931.413365, "id": 1}

    If the SMS token is disabled the SMS should not be sent, since
    authentication will not work anyway. Do you receive an SMS?
    Maybe we might have to do a small fix here.

No, SMS were not sent. But our login script would be confusing for
users during the login process with this message from privacyIDEA )

You may check for the transaction_id.
Meanwhile, I will see to not return detail->message if the token is
inactive.

    >
    > For a user without SMS tokens the response is the same as for a user
    > with the wrong password:
    > {"detail": {"message": "wrong otp pin"}, "versionnumber": "2.9",
    > "version": "privacyIDEA 2.9", "result": {"status": true, "value": false},
    > "time": 1453373017.457972, "id": 1}

    I assume the user has another token and thus you get this response.

Yes.

That is the reason why.

    >
    > As far as I understand I should stick to status-value pairs for all
    > checks via the API, but what condition should be used to tell that
    > the user has no option to get an SMS and hide the "Get SMS" button
    > for him after the first try?

    There is no simple way to receive this information.
    In fact it would leak information to the attacker, wouldn't it?

Well, since privacyIDEA has policies, maybe it would be possible to have
some trusted subnet for internal users or something like this.
BTW, is it possible to have an additional key for the API to specify the
real user IP? The same thing mod_rpaf does for Apache when it is sitting
behind Nginx. In the current configuration I'm planning to hide the
privacyIDEA check URL and restrict it for all except the server with the
TFA login page. So all requests to check would arrive from a single IP
address.

You did not explain your setup and I do not understand it.

Please take a look at the services for specific consultancy.
https://netknights.it/en/leistungen/support/

Kind regards
Cornelius

On Monday, 25.01.2016, 01:28 -0800, MKS wrote:

On Monday, January 25, 2016 at 10:45:53 AM UTC+2, Cornelius Kölbel wrote:
On Thursday, 21.01.2016, 02:59 -0800, MKS wrote:



You may check for the transaction_id.
Meanwhile, I will see to not return detail->message if the token is
inactive.

Thank you, will try it.

You did not explain your setup and I do not understand it.

Please take a look at the services for specific consultancy.
Support - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

I have no budget for support yet (maybe in the future, if it is
suitable), since I'm just looking at the features of privacyIDEA. :slight_smile:
The explanation of the setup is quite simple:

  1. Two servers: Server-1 - privacyIDEA, Server-2 - webserver with PHP
  2. User opens a webpage from Server-2 and sees a login prompt + PIN field.
    He is also able to request a PIN via SMS on the same page.
  3. The PHP script on Server-2 takes all variables from the user, checks them
    and sends them to Server-1, to the /check URL of privacyIDEA. Depending on
    the response from Server-1 the user gets redirected to the internal portal
    or gets an error message.

Since the user doesn't communicate directly with privacyIDEA, Server-1 doesn't
know the real IP address of the user, so it would be cool to have the ability
to tell privacyIDEA the real client IP address with an additional API key. For
example, in the configuration of privacyIDEA we could have a config param
"TrustedSources" or something like this, and when we get a request from a
trusted source IP with the key 'realIP=1.1.1.1' we process the request the
same way as if it had been received from a client with IP 1.1.1.1.

On Monday, January 25, 2016 at 6:16:47 PM UTC+2, Cornelius Kölbel wrote:


You can pass a client IP to privacyIDEA using the “client” parameter in
the /validate request. This will be used in the policies.
So Server-2 can pass the IP of the users client to Server-1.

Requiring an API key
http://privacyidea.readthedocs.org/en/latest/modules/lib/apipolicy.html?privacyidea.api.lib.prepolicy.api_key_required#privacyidea.api.lib.prepolicy.api_key_required
is meant for the requesting party, i.e. Server-2,
not for the user's client.

Kind regards
Cornelius

On Monday, 25.01.2016, 08:50 -0800, MKS wrote:

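An added example (not from the thread or the privacyIDEA project), in Python standing in for the PHP script: it builds the /validate/check parameters the way Cornelius describes (first factor and OTP value concatenated with no separator, the end user's IP in the "client" parameter) and decides the login outcome from result.status, result.value and the presence of transaction_id, never from detail.message. The two sample replies are copies of the bodies quoted in the thread; the third is a constructed challenge reply whose transaction_id value is a placeholder.

```python
import json

# Reply bodies quoted in the thread (leading "{" restored); constructed
# copies for this example, not live server output.
DISABLED_SMS_TOKEN_REPLY = (
    '{"detail": {"message": "Enter the OTP from the SMS:"}, "versionnumber": "2.9", '
    '"version": "privacyIDEA 2.9", "result": {"status": true, "value": false}, '
    '"time": 1453372931.413365, "id": 1}'
)
WRONG_PIN_REPLY = (
    '{"detail": {"message": "wrong otp pin"}, "versionnumber": "2.9", '
    '"version": "privacyIDEA 2.9", "result": {"status": true, "value": false}, '
    '"time": 1453373017.457972, "id": 1}'
)
# Constructed reply for an *active* SMS token: the challenge carries a
# transaction_id (placeholder value) that the second step must send back.
SMS_CHALLENGE_REPLY = (
    '{"detail": {"message": "Enter the OTP from the SMS:", '
    '"transaction_id": "PLACEHOLDER_TRANSACTION_ID"}, '
    '"result": {"status": true, "value": false}, "id": 2}'
)


def build_check_params(user, first_factor, otp, client_ip):
    """Form parameters for POST /validate/check (HTTP call left to the caller).

    "pass" is the first factor (LDAP password with otppin=userstore, or the
    OTP PIN) immediately followed by the OTP value, no separator: the
    thread's example is "secret" + "123456" -> "secret123456".
    "client" carries the end user's IP so that IP-based policies are
    evaluated for the user, not for the web server relaying the request.
    """
    return {"user": user, "pass": first_factor + otp, "client": client_ip}


def classify_response(body):
    """Map a /validate/check JSON reply to one of four outcomes.

    Only result.status, result.value and the presence of transaction_id
    decide; detail.message is ignored, so the misleading
    "Enter the OTP from the SMS:" text for a disabled token has no effect.
    """
    data = json.loads(body)
    result = data.get("result") or {}
    if result.get("status") is not True:
        return "error"            # the request itself failed; no auth decision
    if result.get("value") is True:
        return "authenticated"    # both factors accepted
    detail = data.get("detail") or {}
    if detail.get("transaction_id"):
        return "challenge"        # SMS sent; prompt for the OTP, keep the id
    return "denied"               # wrong password/PIN/OTP or no usable token
```

With this mapping the disabled-token reply from the thread lands in "denied", so the login page would not show an OTP prompt for it.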

Thank you, I moved one step forward.
Now I’m trying to check is user really has SMS token configured when
he press “Get SMS” button (which uses /validate/check url ).

For user with disabled SMS token I’m still getting:
“detail”: {“message”: “Enter the OTP from the SMS:”}, “versionnumber”:
“2.9”, “version”: “privacyIDEA
2.9”, “result”: {“status”: true, “value”: false}, “time”:
1453372931.413365, “id”: 1}

If the SMS token is disabled the SMS should not be sent. Since
authentication will not work anyway. Do you receive an SMS?
Maybe we might have to do a small fix here.

For a user without SMS tokens the response is the same as for a user with
the wrong password:
{"detail": {"message": "wrong otp pin"}, "versionnumber": "2.9",
"version": "privacyIDEA 2.9", "result": {"status": true, "value": false},
"time": 1453373017.457972, "id": 1}

I assume the user has another token and thus you get this response.

As far as I understand I should stick to status-value pairs for all
checks via the API, but what condition should be used to tell that the
user has no option to get an SMS and hide the "Get SMS" button for him
after the first try?

There is no simple way to receive this information.
In fact it would leak information for the attacker, wouldn’t it?

Kind regards
Cornelius

On Thursday, 21.01.2016, 02:59 -0800, MKS wrote:

On Tuesday, January 19, 2016 at 9:02:40 PM UTC+2, Cornelius Kölbel wrote:

    Yes

    you can either use

    (LDAP-password) + (OTP VALUE)

    or

    (OTP PIN) + (OTP VALUE)

    Kind regards
    Cornelius



Hello, Cornelius

Thank you, I moved one step forward.
Now I’m trying to check is user really has SMS token configured when
he press “Get SMS” button (which uses /validate/check url ).

For user with disabled SMS token I’m still getting:
“detail”: {“message”: “Enter the OTP from the SMS:”}, “versionnumber”:
“2.9”, “version”: “privacyIDEA
2.9”, “result”: {“status”: true, “value”: false}, “time”:
1453372931.413365, “id”: 1}

If the SMS token is disabled the SMS should not be sent. Since
authentication will not work anyway. Do you receive an SMS?
Maybe we might have to do a small fix here.

No, SMS were not sent. But our login script would be confusing for users
during the login process with this message from privacyIDEA )

For a user without SMS tokens the response is the same as for a user with
the wrong password:
{"detail": {"message": "wrong otp pin"}, "versionnumber": "2.9",
"version": "privacyIDEA 2.9", "result": {"status": true, "value": false},
"time": 1453373017.457972, "id": 1}

I assume the user has another token and thus you get this response.

Yes.

As far as I understand I should stick to status-value pairs for all
checks via the API, but what condition should be used to tell that the
user has no option to get an SMS and hide the "Get SMS" button for him
after the first try?

There is no simple way to receive this information.
In fact it would leak information for the attacker, wouldn’t it?

Well, since privacyIDEA has policies, maybe it would be possible to have
some trusted subnet for internal users or something like this.
BTW, is it possible to have an additional key for the API to specify the real
user IP? The same thing mod_rpaf does for Apache when it is sitting behind
Nginx. In the current configuration I'm planning to hide the privacyIDEA
check URL and restrict it for all except the server with the TFA login page.
So all requests to check would arrive from a single IP address.

On Monday, January 25, 2016 at 10:45:53 AM UTC+2, Cornelius Kölbel wrote:
On Thursday, 21.01.2016, 02:59 -0800, MKS wrote:

Hi,

Hi Zia,

1 please help me regarding this post…
Are (LDAP-password) + (OTP VALUE) separated by some special
character?

No. LDAP password and OTP value are simply put together:

secret123456

Please note:
You need to set “prepend otp pin” in the system settings and
you need to define an authentication policy with “otppin=userstore”.

2 I receive "The user has no tokens assigned" when using policy
"passthru": "userstore"…

Then for some reason

a) the policy is not triggered or
b) you gave the wrong LDAP password.

Please take a look at the log file.
(Getting help – privacyID3A)
Increase the log level to a higher level.

Kind regards
Cornelius

On Friday, 15.04.2016, 05:14 -0700, Zia-ul-Hassan Siddique wrote:

I want to see if users via RADIUS are authenticated by LDAP or
not.

Best Regards
Zia



Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level


Hi,

1 please help me regarding this post…
Are (LDAP-password) + (OTP VALUE) separated by some special character?

2 I receive "The user has no tokens assigned" when using policy "passthru":
"userstore"…

I want to see if users via RADIUS are authenticated by LDAP or not.

Best Regards
Zia

On Wednesday, January 20, 2016 at 12:02:40 AM UTC+5, Cornelius Kölbel wrote:

Yes

you can either use

(LDAP-password) + (OTP VALUE)

or

(OTP PIN) + (OTP VALUE)

Kind regards
Cornelius

On Tuesday, 19.01.2016, 09:41 -0800, MKS wrote:

Looks like setting an authentication policy with otppin=userstore moves
me forward. Am I on the right path? )

