[[!meta description="OTP on Linux"]]
LinOTP
LinOTP is our solution for strong two-factor authentication with one-time passwords. This page describes LinOTP 1. If you are looking for LinOTP 2, go here.
Background
HMAC-OTP
LinOTP calculates one-time passwords with the open HMAC-based One-Time Password algorithm (HMAC-OTP, also called HOTP, RFC 4226): an HMAC-SHA-1 over a shared secret key and an event counter, truncated to a short decimal value. Because the counter advances with every OTP, each value is valid only once.
Components
LinOTP integrates into FreeRADIUS and OpenLDAP. The central component of LSE LinOTP is a FreeRADIUS module which, based on the HMAC-OTP algorithm, calculates the next OTP value. All user data and the data needed to calculate OTP values (essentially the HMAC key and the counter) are stored in an OpenLDAP server.
Functionality
The user authenticates with username, password and the current OTP value at a RADIUS client, e.g. a website or a VPN gateway.
The RADIUS client forwards the credentials and the authentication request to FreeRADIUS. The RADIUS server, in fact the LinOTP module within it, fetches the user's HMAC key and counter from the LDAP directory, calculates the next OTP value and compares it with the value submitted. Depending on the result, the RADIUS server accepts or rejects the request.
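To make the calculation and the server-side check concrete, here is an added example that implements RFC 4226 as described under HMAC-OTP above and the verification step described in this section. It is not code from the LinOTP project: the names `hotp`, `OtpRecord` and `verify_otp` and the look-ahead window of 10 are my own choices, and the in-memory `OtpRecord` stands in for the key and counter that LinOTP 1 keeps in LDAP. The key and expected codes are the published RFC 4226 test vectors.

```python
import hashlib
import hmac
import struct

# Test vector secret from RFC 4226, Appendix D (ASCII "12345678901234567890").
RFC4226_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1(key, counter as 8-byte big-endian),
    dynamic truncation to a 31-bit integer, then reduce modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


class OtpRecord:
    """Per-user server state (hypothetical; LinOTP 1 stores this in LDAP):
    the shared HMAC key and the next counter value that has not been used yet."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter


def verify_otp(record: OtpRecord, submitted: str, window: int = 10, digits: int = 6) -> bool:
    """Server-side check. The token's counter may have run ahead (button
    presses that never reached the server), so any of the next `window`
    values is accepted. On success the stored counter is moved past the
    matched value, so a used OTP can never be accepted again (replay)."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    for c in range(record.counter, record.counter + window):
        # compare_digest avoids leaking how many leading digits matched
        if hmac.compare_digest(hotp(record.key, c, digits), submitted):
            record.counter = c + 1
            return True
    return False


if __name__ == "__main__":
    rec = OtpRecord(RFC4226_KEY)
    for c in range(3):
        print(c, hotp(RFC4226_KEY, c))          # 755224, 287082, 359152
    print(verify_otp(rec, "755224"), rec.counter)  # True 1
    print(verify_otp(rec, "755224"), rec.counter)  # False 1 (replay rejected)
```

Two points a deployment has to get right: the window must stay small (every extra position gives an attacker one more guess per attempt against a six-digit space), and the counter update must be written back before the accept is sent, so that two parallel RADIUS requests with the same OTP cannot both succeed.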
Different Editions
LinOTP is available as a Community Edition and an Enterprise Edition. The Community Edition on this website is licensed entirely under the GPLv2, and you may get the sources below. The LinOTP Community Edition provides the basic functionality to authenticate with either soft tokens or hardware tokens in a secure two-factor way. Alternatively you may use the LSE LinOTP Enterprise Edition, which supports additional management features that become necessary when managing larger numbers of users. Moreover, the LSE LinOTP Enterprise Edition supports additional hardware.
The following table lists the differences between the Community Edition and the Enterprise Edition.
| feature | LinOTP Community Edition | LSE LinOTP Enterprise Edition |
|---|---|---|
| supported hardware tokens | ||
| Aladdin eToken PASS | supported | supported |
| Safeword Alpine | supported | supported |
| LSE Mobile OTP | supported | supported |
| Aladdin eToken NG-OTP | not supported | supported |
| management | ||
| enroll/assign token | supported | supported |
| synchronize OTP | not supported | supported |
| activate, deactivate, delete OTP user | not supported | supported |
| Aladdin eToken PASS XML seamlessly integrated | not supported | supported |
| fixed OTP password component | not supported | supported |
| other | ||
| PDF documentation | not contained | contained |
| readymade packages for Debian Lenny | not contained | contained |
| robust and securely scriptable | not supported | supported |
| maintenance and support | not contained | contained |
More information on the LSE LinOTP Enterprise Edition can be found on the LinOTP page of our company website.
Get the LinOTP Community Edition
The source code of the LinOTP Community Edition is managed in several Mercurial (hg) repositories.
Utils
The utils repository contains a small tool to import an HMAC key into OpenLDAP, the LDAP schema, a software OTP token and some useful scripts.
hg clone http://opensource.lsexperts.de/hg/linotp/utils
rlm_linotp
This is the FreeRADIUS module that fetches the HMAC key from the LDAP server, calculates the OTP values and compares them with the value submitted.
hg clone http://opensource.lsexperts.de/hg/linotp/rlm_linotp
libotpdb
This is a basic library used by rlm_linotp.
hg clone http://opensource.lsexperts.de/hg/linotp/libotpdb
Please follow the READMEs within the corresponding repositories for the next steps.
Getting started
You may enroll your first OTP-Token as described in this short howto.
More detailed background information is available in the manual of the Enterprise Edition (in English and in German), which can be found here.
Contact or contribute
If you are interested in any further information or if you would like to contribute, contact us at linotp-community (at) lsexperts.de.
Ongoing development
At the moment we are working on a new, modularized version of LinOTP. The modular design is intended to make it easy to replace the authentication front end (such as FreeRADIUS or PAM). It will also support different user backends, so that users may be located in an OpenLDAP server, but also in an Active Directory or an SQL database. If you are interested in learning more about this, drop us a note.