Authenticator support

  • Hello,


    how about adding authenticator support per user level? So every user can choose if he/she wants to use an authenticator like google authenticator for the login.

  • @UncleSam


    I'm currently working on two plugins:


    SSL/TLS MutualAuthentication plugin


    This plugin will allows authentication using SSL client certificates. This will work as follow:


    The plugin will manage its own CA and deliver SSL client certificates to control panel users.
    The control panel users will connect to the control panel using their credential as usually and will click on a specific button. Once done a SSL client certificate will be issued and automatically installed in their browser. With the SSL client certificate installed in their browser, the control panel users will be automatically logged in without the need to use any credentials, nor submit any login form. This feature is almost same as the one used by StartSSL for authenticating users.


    There will be also another layer in that plugin which will allows for a one-time password authentication. This will cover cases where the users lost their SSL client certificates (for any reasons), or when SSL client certificate are expired or revoked. Here, the users will be able to login using a one-time password for getting a new SSL client certificate.


    Here the requirement will be SSL of course.


    Edit: There will be also possibility to use external CA such as CAcert.


    YubiKeyAuth plugin


    This plugin will allows authentication using Yubikey. See https://www.yubico.com/


    Here the requirement will be a yubikey. @konzeptplus can give more information about this.


    [hr]


    For any other authenticator, create an issue on youtrack with link to developer documentation.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • @Nuxwin
    I like both of them, but I usally need to login from different locations. As I do not have a Yubikey (and do not want to buy one) it would be great to have an authenticator which can be used with a handy. As I am using android a google authenticator would be great.

  • @UncleSam



    The MutualAuthentication plugin will allows the users to get more than one SSL client certificate, allowing them to authenticate from different places, using different SSL client certificates.


    I'll add google authenticator on my TODO list.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • YubiKeyAuth plugin will be available in few hours ;)


    yubikey_otp.png

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • @mikerhyner @konzeptplus


    Review needed (README.md file):


    [hr]


    # i-MSCP YubiKeyAuth plugin v1.0.0


    ## Introduction


    This plugin provides single-factor and two-factor authentication with one-time passwords (OTPs), using the YubiKey USB token. This plugin make use of the Yubico Web service API in the i-MSCP authentication process. The one-time password requirement is enabled on a per user basis, and each user can use one or many YubiKey, according administrator setup.


    Usage of a YubiKey can be mandatory or optional, depending on the administrator setup. When optional, users that have not added a YubiKey through their user profile interface can simply ignore the YubiKey OTP field.


    ### Single-factor authentication


    In this mode, a user can authenticate using his YubiKey only. There is no need to enter any credentials.


    Be aware that single-factor (YubiKey only) authentication is not recommended for production use, as a lost or stolen YubiKey would suffice to authenticate as a user.


    ### Two-factor authentication


    This mode is more secure than single-factor, as an attacker would need to get an username, a password and a user YubiKey. When this mode is enabled (default), the user need to provide an username, a password and use his YubiKey.


    ## Requirements

    • i-MSCP Serie 1.3.x
    • A YubiKey (See the `Getting a Yubikey` section below)
    • A Yubico client ID & secret key (See the `Getting your Yubico client ID & secret key` section below)

    ## Installation

    • Be sure that all requirements as stated in the requirements section are met
    • Upload the plugin through the plugin management interface
    • Setup your client ID & secret key in the plugin configuration file
    • Trigger a plugin list update through the plugin management interface
    • Install the plugin through the plugin management interface

    ## Update

    • Read the UPDATE file inside the plugin archive
    • Be sure that all requirements as stated in the requirements section are met
    • Upload the plugin through the plugin management interface

    ## Getting a Yubikey


    If you don't have a YubiKey yet, you can buy one on our partner site: https://yubikey.ch/ or at the Yubico store: https://www.yubico.com/store/


    Note that this plugin has been successfully tested with the following YubiKey models:

    However, note that this plugin should be compatible with any hardware providing OTP support.


    ## Getting your Yubico client ID & secret key


    This plugin make use of the Yubico Web service API in the authentication process. Therefore, you need first generate a client ID and secret key for use with the Yubico Web Services. In order you must:

    • Put your YubiKey in USB port of your computer
    • Browse the following URL: https://upgrade.yubico.com/getapikey/
    • Enter your e-mail address
    • Click on the `Yubikey OTP` field and touch the Yubikey button to fill the field
    • Check the `Terms and Conditions` checkbox
    • Click on the `Get API key` button

    Once done, you must fill the plugin configuration file with your client ID and your secret key, save the changes and process a plugin list update through the plugin management interface.


    ## Making use of your YubiKey(s) in i-MSCP authentication process


    In order, to make use of your YubiKey in i-MSCP authentication process you must:

    • Put your YubiKey in USB port of your computer
    • Login to i-MSCP with your current credentials
    • Go to the profile section of your account
    • Click on the `YubiKey management` link
    • Click on the `add a YubiKey` button
    • Click on the `YubiKey ID` field and touch the YubiKey button to fill the field

    If all goes fine, your Yubikey should be automatically added to your list of YubiKeys


    Once done, you can logout and give a try:

    • Put your YubiKey in USB port of your computer
    • Enter your current credentials (only needed for two-factor authentication)
    • Click on the `YubiKey OTP` field and touch the YubiKey button to fill the field

    If all goes fine, you should be automatically authenticated (can take few seconds, depending on the network congestion).


    ### OTP validation protocol


    This plugin acts as a client that implements version 2.0 of the OTP validation protocol. See
    https://developers.yubico.com/…dation_Protocol_V2.0.html for more details.


    ## Plugin translation


    You can translate this plugin using a gettext translation editor such as `poedit`. Translation files are located under the `./l10n` directory inside of this plugin archive. Once translated you can send us your translation file (po file) for integration in future release.


    Note that if no translation file exists for your localization in the `./l10n/po` directory, you must create it first from the l10n/PhpSwitcher.pot file. Be aware that your file must be UTF-8, else, it won't be accepted.


    ## License


    i-MSCP YubiKeyAuth plugin
    © 2016 Laurent Declercq <[email protected]>
    i-MSCP License <https://www.i-mscp.net/license-agreement.html>


    See the LICENSE file inside the archive for further details.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Awaiting your review, I post a little screenshot:


    add_yubikey_int.png

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Bellow you can find the translation files for the following countries:

    • German (Germany)
    • Dutch (Netherlands)

    Thank you for helping us to translate the YubiKeyAuth plugin.

    Files

    • de_DE.po

      (4.17 kB, downloaded 2 times, last: )
    • nl_NL.po

      (4.17 kB, downloaded 1 times, last: )

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Hi @Nuxwin


    sorry I do not have an YubiKey authenticator. So I am unable to generate a review.


    I have one thing which I find a little bit strange:
    In my eyes the user (admin, reseller or user) should be able to choose if he wants to use 2fa and in the best cases which 2fa he wants to use. So a login screen with a fixed YubiKey textbox seems to be a little bit static for me and seems to force the usage of this authenticator for all users. I know the authentification from google. On every page it is the same thing to authenticate:

    • Login using username/password
    • If user has set the 2fa from google: enter auth code

    So the login process is dynamic and the user would only get fields to fill which are needed.


    Is it possible with YubiKey, to generate a page between credentials and logged in webinterface like google is doiing it? Something like a 2fa transfer page where I-MSCP checks if the user has 2fa and if it is set ask for the token. So both 2fa would be possible and user would be able to choose which to use.