Quickstart: LinOTP Community Edition

IMPORTANT SECURITY NOTE!!

The examples below are not for production use!

They show a quick way to try out LinOTP, but they do NOT offer a secure setup.

You'll notice that the encryption and HMAC-OTP keys are passed in plain text on the command line. They will be visible to other users and might be saved in e.g. ~/.zsh_history.

PLEASE do not use this quickstart guide for anything but test setups unless you know what you are doing!

Prepare

After you have cloned the hg repositories (see "Getting") and built/installed the components:

Install slapd and configure it to include the linotp schema.

Unless you already have existing users, create some with objectClass posixAccount. The LinOTP schema extends posixAccount.

Now create an encryption key. This key is used to protect the individual HMAC-OTP keys in the LDAP directory. (The zero-padded "%08x" format matters: a plain "%x" silently drops leading zeros of a 4-byte word and can yield a key shorter than 64 hex digits.)

$ hexdump -n32 -e '"%08x"' /dev/random
a9561676baff9981961fd07e6d0ab4cad6ae3218ff602bfad0900891fa553edf

Prepend "01:00:" to the hex string. This is the 'enckey' you can put into /etc/freeradius/linotp.conf.

Initialize OTP for a user

We first need an HMAC-OTP key. You can create it as follows.

Note that while we create a 256 bit key, other sizes are supported, too, in particular 160 bits for compatibility with Aladdin TMS.

$ hexdump -n32 -e '"%08x"' /dev/random
84d052ebb6e2df2ddd2b9cfcafb7adb06c1aacd6c84b37d317af8e0b1f0bee95
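The two keys above can also be produced without hexdump. The following is an added example written for this quickstart, not code from LinOTP or its utils repository: it generates a random key of a chosen size (256 bits, or 160 bits for Aladdin TMS compatibility), builds the "01:00:"-prefixed 'enckey' string, and writes the secret to a file created with mode 0600 so it need not appear on a command line or in shell history. The file path used is an assumption of the example.

```python
"""Key generation for the LinOTP quickstart, done in Python instead of hexdump.

Added example; not code from LinOTP or its utils repository.
"""
import os
import secrets


def generate_key_hex(bits: int = 256) -> str:
    """Random key as lowercase hex, always zero-padded to bits/4 characters.

    secrets.token_bytes() reads the OS CSPRNG, and .hex() never drops leading
    zeros, which a plain hexdump "%x" format would do.
    """
    if bits % 8 != 0 or bits < 128:
        raise ValueError("key size must be a multiple of 8 bits and at least 128")
    return secrets.token_bytes(bits // 8).hex()


def format_enckey(key_hex: str) -> str:
    """Turn a 256-bit hex key into the 'enckey' form the quickstart describes."""
    if len(key_hex) != 64:
        raise ValueError("enckey must be 256 bits (64 hex digits)")
    bytes.fromhex(key_hex)  # raises ValueError on non-hex input
    return "01:00:" + key_hex.lower()


def write_secret_file(path: str, content: str) -> int:
    """Create `path` exclusively (no clobbering a symlink or existing file)
    with mode 0600 and write `content`; returns the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content + "\n")
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    # Hypothetical path for the example; the page itself puts the enckey
    # into /etc/freeradius/linotp.conf.
    enckey_path = os.path.expanduser("~/linotp-enckey.txt")
    hmac_key = generate_key_hex(256)
    enckey = format_enckey(generate_key_hex(256))
    print("HMAC-OTP key (hex):", hmac_key)
    print("enckey written to", enckey_path, "mode", oct(write_secret_file(enckey_path, enckey)))
```

A script such as otpinit could then read the enckey from that file instead of taking it via --enckey on the command line, which addresses the history-file leak the security note above warns about.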

Now run 'otpinit' from the utils repository to initialize the user for OTP use:

$ python otpinit --enckey=01:00:a9561676baff9981961fd07e6d0ab4cad6ae3218ff602bfad0900891fa553edf --key=84d052ebb6e2df2ddd2b9cfcafb7adb06c1aacd6c84b37d317af8e0b1f0bee95 <username>
Found userdn 'uid=max,ou=users,dc=nodomain'
Added LinOTP attributes.

(You may need to edit otpinit to specify the LDAP server URL, base DN, bind DN, bind password and OTP PIN. Patches to make this more configurable are welcome. :-) )

The user is now ready to authenticate over RADIUS.

Authenticate using OTP

There is a quick way you can try it out even if you don't have a proper OTP device yet.

Just call the otpclient script (in the utils repository) with the HMAC-OTP key (not the encryption key) as parameter:

$ python otpclient 84d052ebb6e2df2ddd2b9cfcafb7adb06c1aacd6c84b37d317af8e0b1f0bee95
Your OTP with number 13 is 988507.
Happy Authenticating!

The script increments and remembers the counter by writing it into ~/.otpclient-counter.
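To make the "OTP with number N" output and the counter file concrete, here is an added example of the underlying HMAC-OTP (RFC 4226) scheme, written for this quickstart and not the otpclient or otpinit code from the utils repository. It contains a client that derives the next code from the HMAC-OTP key and a counter persisted in a file (the counter file path is a parameter rather than the fixed ~/.otpclient-counter), and the matching server-side check that accepts a code within a look-ahead window and then moves its stored counter past it, so a captured code cannot be replayed. The server class and the window size are assumptions of the example, not LinOTP's implementation.

```python
"""HOTP (RFC 4226) client with a persisted counter, plus a server-side check.

Added example; not code from LinOTP or its utils repository.
"""
import hashlib
import hmac
import struct


def hotp(key_hex: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced modulo 10**digits."""
    key = bytes.fromhex(key_hex)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpClient:
    """Generates the next OTP and remembers the counter in a file, the way
    the page's otpclient does with ~/.otpclient-counter."""

    def __init__(self, key_hex: str, counter_file: str):
        self.key_hex = key_hex
        self.counter_file = counter_file

    def _read_counter(self) -> int:
        try:
            with open(self.counter_file) as f:
                return int(f.read().strip() or 0)
        except FileNotFoundError:
            return 0  # first use: start at counter 0

    def next_otp(self):
        """Return (counter, otp) and advance the stored counter by one."""
        counter = self._read_counter()
        otp = hotp(self.key_hex, counter)
        with open(self.counter_file, "w") as f:
            f.write(str(counter + 1))
        return counter, otp


class OtpServer:
    """Server-side check (assumed design, not LinOTP's): accept a code whose
    counter lies in [expected, expected + window), then set the expected
    counter past it. Codes at or behind the stored counter are rejected,
    which is what defeats replay of an observed OTP."""

    def __init__(self, key_hex: str, window: int = 10):
        self.key_hex = key_hex
        self.window = window
        self.counter = 0  # next counter value we expect from the client

    def verify(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # constant-time comparison of the candidate code
            if hmac.compare_digest(hotp(self.key_hex, c), otp):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed demo: the HMAC-OTP key from the quickstart and a temp counter file.
    key = "84d052ebb6e2df2ddd2b9cfcafb7adb06c1aacd6c84b37d317af8e0b1f0bee95"
    counter_file = os.path.join(tempfile.mkdtemp(), "otpclient-counter")
    client, server = OtpClient(key, counter_file), OtpServer(key)
    n, otp = client.next_otp()
    print("Your OTP with number %d is %s." % (n, otp))
    print("server accepts:", server.verify(otp), "replay accepted:", server.verify(otp))
```

The look-ahead window is what lets a client that generated a few codes without submitting them (as otpclient does each time it is run) still authenticate; the server never moves its counter backwards, so once a code has been used, or skipped past, it is dead.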