Authenticator support

@UncleSam

I'm currently working on two plugins:

SSL/TLS MutualAuthentication plugin

This plugin will allows authentication using SSL client certificates. This will work as follow:

The plugin will manage its own CA and deliver SSL client certificates to control panel users.
The control panel users will connect to the control panel using their credential as usually and will click on a specific button. Once done a SSL client certificate will be issued and automatically installed in their browser. With the SSL client certificate installed in their browser, the control panel users will be automatically logged in without the need to use any credentials, nor submit any login form. This feature is almost same as the one used by StartSSL for authenticating users.

There will be also another layer in that plugin which will allows for a one-time password authentication. This will cover cases where the users lost their SSL client certificates (for any reasons), or when SSL client certificate are expired or revoked. Here, the users will be able to login using a one-time password for getting a new SSL client certificate.

Here the requirement will be SSL of course.

Edit: There will be also possibility to use external CA such as CAcert.

YubiKeyAuth plugin

This plugin will allows authentication using Yubikey. See https://www.yubico.com/

Here the requirement will be a yubikey. @konzeptplus can give more information about this.

[hr]

For any other authenticator, create an issue on youtrack with link to developer documentation.

@UncleSam

The MutualAuthentication plugin will allows the users to get more than one SSL client certificate, allowing them to authenticate from different places, using different SSL client certificates.

I'll add google authenticator on my TODO list.

YubiKeyAuth plugin will be available in few hours

yubikey_otp.png

@mikerhyner @konzeptplus

Review needed (README.md file):

[hr]

# i-MSCP YubiKeyAuth plugin v1.0.0

## Introduction

This plugin provides single-factor and two-factor authentication with one-time passwords (OTPs), using the YubiKey USB token. This plugin make use of the Yubico Web service API in the i-MSCP authentication process. The one-time password requirement is enabled on a per user basis, and each user can use one or many YubiKey, according administrator setup.

Usage of a YubiKey can be mandatory or optional, depending on the administrator setup. When optional, users that have not added a YubiKey through their user profile interface can simply ignore the YubiKey OTP field.

### Single-factor authentication

In this mode, a user can authenticate using his YubiKey only. There is no need to enter any credentials.

Be aware that single-factor (YubiKey only) authentication is not recommended for production use, as a lost or stolen YubiKey would suffice to authenticate as a user.

### Two-factor authentication

This mode is more secure than single-factor, as an attacker would need to get an username, a password and a user YubiKey. When this mode is enabled (default), the user need to provide an username, a password and use his YubiKey.

## Requirements

• i-MSCP Serie 1.3.x
• A YubiKey (See the `Getting a Yubikey` section below)
• A Yubico client ID & secret key (See the `Getting your Yubico client ID & secret key` section below)

## Installation

• Be sure that all requirements as stated in the requirements section are met
• Upload the plugin through the plugin management interface
• Setup your client ID & secret key in the plugin configuration file
• Trigger a plugin list update through the plugin management interface
• Install the plugin through the plugin management interface

## Update

• Read the UPDATE file inside the plugin archive
• Be sure that all requirements as stated in the requirements section are met
• Upload the plugin through the plugin management interface

## Getting a Yubikey

If you don't have a YubiKey yet, you can buy one on our partner site: https://yubikey.ch/ or at the Yubico store: https://www.yubico.com/store/

Note that this plugin has been successfully tested with the following YubiKey models:

• YubiKey 4 and YubiKey 4 Nano (see https://yubikey.ch/index.php/webshop/yubikey-4)
• YubiKey NEO and YubiKey NEO-n (see https://yubikey.ch/index.php/webshop/yubikey-neo)

However, note that this plugin should be compatible with any hardware providing OTP support.

## Getting your Yubico client ID & secret key

This plugin make use of the Yubico Web service API in the authentication process. Therefore, you need first generate a client ID and secret key for use with the Yubico Web Services. In order you must:

• Put your YubiKey in USB port of your computer
• Browse the following URL: https://upgrade.yubico.com/getapikey/
• Enter your e-mail address
• Click on the `Yubikey OTP` field and touch the Yubikey button to fill the field
• Check the `Terms and Conditions` checkbox
• Click on the `Get API key` button

Once done, you must fill the plugin configuration file with your client ID and your secret key, save the changes and process a plugin list update through the plugin management interface.

## Making use of your YubiKey(s) in i-MSCP authentication process

In order, to make use of your YubiKey in i-MSCP authentication process you must:

• Put your YubiKey in USB port of your computer
• Login to i-MSCP with your current credentials
• Go to the profile section of your account
• Click on the `YubiKey management` link
• Click on the `add a YubiKey` button
• Click on the `YubiKey ID` field and touch the YubiKey button to fill the field

If all goes fine, your Yubikey should be automatically added to your list of YubiKeys

Once done, you can logout and give a try:

• Put your YubiKey in USB port of your computer
• Enter your current credentials (only needed for two-factor authentication)
• Click on the `YubiKey OTP` field and touch the YubiKey button to fill the field

If all goes fine, you should be automatically authenticated (can take few seconds, depending on the network congestion).

### OTP validation protocol

This plugin acts as a client that implements version 2.0 of the OTP validation protocol. See
https://developers.yubico.com/…dation_Protocol_V2.0.html for more details.

## Plugin translation

You can translate this plugin using a gettext translation editor such as `poedit`. Translation files are located under the `./l10n` directory inside of this plugin archive. Once translated you can send us your translation file (po file) for integration in future release.

Note that if no translation file exists for your localization in the `./l10n/po` directory, you must create it first from the l10n/PhpSwitcher.pot file. Be aware that your file must be UTF-8, else, it won't be accepted.

## License

i-MSCP YubiKeyAuth plugin
© 2016 Laurent Declercq <l.declercq@nuxwin.com>
i-MSCP License <https://www.i-mscp.net/license-agreement.html>

See the LICENSE file inside the archive for further details.

Awaiting your review, I post a little screenshot:

add_yubikey_int.png

Bellow you can find the translation files for the following countries:

• German (Germany)
• Dutch (Netherlands)

Thank you for helping us to translate the YubiKeyAuth plugin.