Configure Time-Based One-Time Passwords ((T)OTP)
Passwords, everyone loves to hate them and still, in the era of digital certificates, fingerprints, and voice recognition, we use them on a daily basis and want users to memorize tens of different complex passwords. So they cheat and passwords get reused, written down on a piece of paper, you name it. Not that producers always get this right either. And any time we use a password, we run the risk of it being intercepted, and at that point it’s no longer secret and needs to be changed.
Still, passwords have one important advantage over most other forms of authentication: as a simple string they can be used anywhere. Everyone understands a login prompt and it tends to be rather hard to make anything else work for everyone.
One-time passwords represent a modest improvement being relatively unobtrusive for the user while anyone who sees the password should be unable to do anything with it. The user has little extra work to do, and chances are they already carry a smartphone with them. But how do we get existing applications to support them without extensive modification?
For applications that use OpenLDAP for authentication, the answer is easy: turn on time-based one-time password authentication.
Getting started
Symas OpenLDAP now includes a password module that lets any application that authenticates through LDAP to work with time-based one-time passwords (https://tools.ietf.org/html/rfc6238).
Module
The TOTP module is standard in versions of Symas OpenLDAP Gold and Silver starting with release 2.4.44.1.
Also, starting with release 2.4.xx.xx, the packages also come with a script that sets up an example database running all the below steps for you. You can find that script in /opt/symas/etc/openldap/example-totp.sh.
Configuration
Load the TOTP module:
ldapmodify -x -D cn=config -W -H ldap://localhost dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: pw-totp.la
Set the default password hash to TOTP1:
ldapmodify -x -D cn=config -W -H ldap://localhost dn: cn=config changetype: modify replace: olcPasswordHash olcPasswordHash: {TOTP1}
Add the TOTP overlay to the definition of each database that will allow TOTP authentication To enforce the passwords are valid only once, the module exposes an overlay that enables TOTP functionality on the database. For each database that you will be storing users with TOTP set up, enable the overlay:
ldapadd -x -D cn=config -W -H ldap://localhost dn: olcOverlay=totp,olcDatabase={X}YYY,cn=config objectClass: olcOverlayConfig
Setting the TOTP Secret
Now that the server knows how to use TOTP, we can let our user set things up.
Start with generating a random shared secret that’s at least 20 bytes long:
touch sharedkey chmod 600 sharedkey openssl rand 20 > sharedkey base32 sharedkey N6CIHPYDGHI6QC4ZV7Q3S3FXA22BZOCY
Set the sharedkey as their password. Having already set the default scheme to ‘TOTP1’ above, we made sure that server will treat it as a TOTP secret.
ldappasswd -T sharedkey -x -H ldap://localhost --D cn=user,dc=example,dc=com -W
Or, if we are acting on behalf of the user (they might not have a password yet), we can tell ldappasswd whose password it is that we are changing:
ldappasswd -T sharedkey -x -H ldap://localhost -D dc=example,dc=com -W
cn=user,dc=example,dc=com
The user now adds this shared key to their authenticator. In the Google Authenticator app, they would select ‘Enter a provided key’ and then type the generated string.
Showtime
Now it’s time to test. To log into the system: whenever you get asked to enter your password, check with your device and enter the six-digit code that appears on the screen:
ldapwhoami -x -H ldap://localhost -D 'cn=user,dc=example,dc=com' -W
Enter LDAP Password:
dn:cn=user,dc=example,dc=com
If your systems rely on your server for user authentication and use LDAP Binds, you are set. Once a user has a shared key set in the database, they can use the token to log in just like they would their password. And just like they remember their password, they make sure they retain control over their device.
Final notes
If you decide to use this in production, you might want to make it easier for users to manage their keys. Many authenticator apps support reading the key from a QR code (https://github.com/google/google-authenticator/wiki/Key-Uri-Format), so rendering the key in a QR code on a web page becomes a handy way to deliver it. In modern web systems, QR code rendering is easy with generators written in node.js, such as qr-image (https://github.com/alexeyten/qr-image). This is a time-based one-time password scheme, and as such you will have some trouble using it as the only method of authentication when the credentials have to be reused or if there is a disconnect between the time the user enters the password and when authentication happens. In these circumstances, switching to SASL proxied authentication once you have authenticated your user might be an option worth investigating. The TOTP overlay depends on the authTimestamp attribute to make sure the password cannot be reused, this makes it impossible to use the lastbind overlay on the same database. There is a limitation that makes this TOTP implementation behave slightly different from others. The authenticator’s clock might drift from the server’s own and it might take some time for the user to enter the one-time password. For these reasons, servers can usually correct a short time difference and record the perceived drift. These resynchronization capabilities are not available in this version, and while a 30 second window is usually plenty of time, any time drift between the device and server might make it more difficult for the user to log in. Lifting this limitation is on our roadmap, so stay tuned!
Complete cn=config Example
dn: cn=config
objectClass: olcGlobal
dn: cn=module{0},cn=config
objectClass: olcModuleList
olcModulePath: /opt/symas/lib64/openldap
olcModuleLoad: back_mdb.la
olcModuleLoad: pw-totp.la
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
olcAttributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' )
DESC 'RFC2256: last (family) name(s) for which the entity is known
by' SUP name )
olcAttributeTypes: ( 2.5.4.20 NAME 'telephoneNumber'
DESC 'RFC2256: Telephone Number'
EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
olcObjectClasses: ( 2.5.6.6 NAME 'person'
DESC 'RFC2256: a person'
SUP top STRUCTURAL
MUST ( sn $ cn )
MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
olcAttributeTypes: ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
DESC 'RFC2247: domain component object'
SUP top AUXILIARY MUST dc )
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcRootDN: cn=config
olcRootPW: secret
dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDbDirectory: /var/symas/openldap-data/example
olcSuffix: dc=example,dc=com
olcRootDN: dc=example,dc=com
olcRootPW: secret
dn: olcOverlay=totp,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
Complete slapd.conf Example
include /opt/symas/etc/openldap/schema/core.schema
modulepath /opt/symas/lib64/openldap
moduleload back_mdb.la
moduleload pw-totp.la
password-hash {TOTP1}
database mdb
directory /var/symas/openldap-data/example
suffix "dc=example,dc=com"
rootdn "dc=example,dc=com"
rootpw secret
overlay totp