archiecobbs / mod-authn-otp

Apache module for one-time password authentication
Apache License 2.0

Can not make this mod work for FreeOTP / iOS #39

Closed nickbe closed 6 years ago

nickbe commented 6 years ago

Userfile is /var/www/.otpusers

HOTP/T30 tester - k7jdhvm2hoqzbznbnsjgj4vxroq24cq6x7kpanjxyeovkqmib7ronytd

The key was generated here: https://freeotp.github.io/qrcode.html

When I try to login apache reports this:

[Sat Jul 21 22:46:17.004144 2018] [:warn] [pid 4239] [client 212.114.237.254:51614] ignoring invalid entry in OTP users file "/var/www/.otpusers" on line 1: invalid key starting with "k7jdhvm2hoqzbznbnsjgj4vxroq24cq6x7kpanjxyeovkqmib7ronytd"
[Sat Jul 21 22:46:17.005120 2018] [:notice] [pid 4239] [client 212.114.237.254:51614] user "tester" not found in OTP users file "/var/www/.otpusers"
[Sat Jul 21 22:46:17.005291 2018] [auth_basic:error] [pid 4239] [client 212.114.237.254:51614] AH01618: user nickbe not found: /
[Sat Jul 21 22:46:17.005746 2018] [:warn] [pid 4239] [client 212.114.237.254:51614] ignoring invalid entry in OTP users file "/var/www/.otpusers" on line 1: invalid key starting with "k7jdhvm2hoqzbznbnsjgj4vxroq24cq6x7kpanjxyeovkqmib7ronytd"
[Sat Jul 21 22:46:17.005931 2018] [:notice] [pid 4239] [client 212.114.237.254:51614] user "tester" not found in OTP users file "/var/www/.otpusers"
[Sat Jul 21 22:46:17.006082 2018] [auth_basic:error] [pid 4239] [client 212.114.237.254:51614] AH01618: user nickbe not found: /var/log/login.log

archiecobbs commented 6 years ago

The key needs to be in hexadecimal format, not base 64.

E.g. you could use this command to generate one:

$ head -c 12 /dev/urandom | openssl sha1 | cut -c 1-20
1b6efa2ca74390af90b6

tessus commented 6 years ago

@archiecobbs dumb question: wouldn't it be possible to validate the base64 as well? you are using apr, thus there are base64 functions available. You merely would have to run one more test, if the hex value failed.

I don't know what the standard is. But if base64 was the standard, it should be supported as well. Just my 2 cents.

archiecobbs commented 6 years ago

One problem is that now you'd need to also disambiguate. E.g., a37bF2 is valid as either hex or base64. Which means changing/extending the file format.

It could be done, but it's not clear whether it'd be worth it.

Instead, I've added a genotpurl(1) utility to the package. See commit c54316ac.

nickbe commented 6 years ago

Well, the numbers seem too short for the FreeOTP Barcode Generator: https://freeotp.github.io/qrcode.html

Can you describe how to enter the corresponding secret into the iOS FreeOTP app?

archiecobbs commented 6 years ago

Sorry, I have no knowledge of FreeOTP.

If you need to convert between base 64 and hex, you can try some of these.

Note: the Google Authenticator app requires SHA1, time-based, 30 second interval, and 6 decimal digits.

nickbe commented 6 years ago

I just updated and tried the 'genotpurl' command. Can you give me an example how to use it?

archiecobbs commented 6 years ago

There's a man page describing the usage.

Basically, just run it with whatever you want for the -I and -L flags and it will auto-generate a secret for you (in hexadecimal format).

nickbe commented 6 years ago

OK, this works as expected. I can generate a key for the authn_otp mod, but I'm completely at a loss how to turn this into a QR code which can in turn be scanned by the many iOS or Android apps.

nickbe commented 6 years ago

Second tool I just tried is this: https://dan.hersam.com/tools/gen-qr-code.html But FreeOTP gives me different codes from the otptool.

nickbe commented 6 years ago

What tools do you recommend on iOS which I can use to generate the necessary codes and which match your routines?

archiecobbs commented 6 years ago

On iOS I use the Google Authenticator app to hold my various tokens.

To create tokens for it, I use a normal computer (Linux) and the genotpurl(1) utility, then text the URL to the phone (or print the corresponding QR-code and scan it with the app).

To verify a token, use mod_authn_otp or you can use the otptool(1) utility in a shell script, etc.

nickbe commented 6 years ago

I added the secret manually to the Google Auth tool but I got different resulting PINs to the otptool :/ How did you create the corresponding QR code then? I have no clue how to get from URL to QR code.

archiecobbs commented 6 years ago

Did you try Googling for "qr code generator"?

nickbe commented 6 years ago

I'm really sorry to bother you again but I can't make it work. This is what I did:

genotpurl -I TEST -L admin
generated key (hex): 4b31ba191306a241767e
otpauth://totp/TEST:admin?issuer=TEST&secret=JMY3UGITA2REC5T6

echo 4b31ba191306a241767e>test.key

I used this site: https://www.qrcode-generator.de/ to generate the QR code.

Other generators show exactly the same QR code btw.

Then I scanned the barcode with Google Authenticator on iOS. When I test the keys with:

otptool -f test.key -t
51085153: 823658 6d7d6a

while Google Authenticator says: 796 941

And I have no clue what I did wrong here.

archiecobbs commented 6 years ago

otptool needs to be configured with the same parameters that the Google Authenticator app is using. In particular, using time-based tokens instead of count-based.

Try this: otptool -t 4b31ba191306a241767e

nickbe commented 6 years ago

I think I found the problem. If you use: otptool -t 4b31ba191306a241767e then it works, but if you put the key in a file (ex: test.key) and use otptool -t -f test.key then your results are wrong.

Example:

echo ab3d915b889dd1b5374d > demo.key
otptool -t ab3d915b889dd1b5374d && otptool -t -f demo.key
51088220: 879836 d7e21c
51088220: 541685 12ed35

And I suppose both methods should result in the same code.

Therefore I suspect that the mod itself has the same problem, so that the mobile apps always compare to the wrong code.

tessus commented 6 years ago

Can you try:

echo -n ab3d915b889dd1b5374d > demo.key

I think the \n could be the problem.

On July 26, 2018 7:10:53 PM EDT, Nick notifications@github.com wrote:

I think I found the problem. If you use: otptool -t 4b31ba191306a241767e then it works, but if you put the key in a file (ex: test.key) and use otptool -t -f test.key then your results are wrong.

Example:

echo ab3d915b889dd1b5374d > demo.key
otptool -t ab3d915b889dd1b5374d && otptool -t -f demo.key
51088220: 879836 d7e21c
51088220: 541685 12ed35


-- regards Helmut K. C. Tessarek


archiecobbs commented 6 years ago

When using the -f option, the file contains the raw key, not the ASCII hex version of the key.

$ printf '\xab\x3d\x91\x5b\x88\x9d\xd1\xb5\x37\x4d' > xx
$ hexdump -C xx
00000000  ab 3d 91 5b 88 9d d1 b5  37 4d                    |.=.[....7M|
0000000a
$ otptool -t ab3d915b889dd1b5374d && otptool -t -f xx
51089949: 512654 c2ca4e
51089949: 512654 c2ca4e

I'll update the man page to make this clear.
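The two conversions this thread turns on, as an added Python example that is not part of mod-authn-otp's own code: the hex secret the users file stores re-encoded as the base32 an otpauth:// URL carries (the step genotpurl performs), and the RFC 4226/6238 HMAC-SHA1 code computation with the 30-second, 6-digit parameters the thread uses. demo_key_file_pitfall is a constructed name and sample showing why a key file written with `echo` yields a different code until it is read as ASCII hex rather than raw bytes.

```python
import base64
import hashlib
import hmac
import os
import struct
import tempfile

def hex_to_base32(hex_key: str) -> str:
    """The hex secret mod_authn_otp stores, re-encoded as the base32 an otpauth:// URL carries."""
    return base64.b32encode(bytes.fromhex(hex_key)).decode("ascii").rstrip("=")

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over HMAC-SHA1, the algorithm behind the thread's 6-digit codes."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, now: int, period: int = 30, digits: int = 6) -> tuple:
    """RFC 6238 TOTP: the counter is the 30-second interval number (otptool prints it first)."""
    counter = now // period
    return counter, hotp(key, counter, digits)

def key_from_file(path: str, hex_encoded: bool) -> bytes:
    """Like otptool -f (raw key bytes) versus -F (ASCII hex; a trailing newline is tolerated)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return bytes.fromhex(data.decode("ascii").strip()) if hex_encoded else data

def demo_key_file_pitfall(hex_key: str = "ab3d915b889dd1b5374d", now: int = 1532640000) -> dict:
    """Constructed demo: `echo ab3d... > demo.key` writes ASCII hex plus a newline, so reading
    the file as a raw key yields 21 bytes that are not the secret, and a code no app will show."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.key")
        with open(path, "wb") as fh:
            fh.write(hex_key.encode("ascii") + b"\n")
        raw = key_from_file(path, hex_encoded=False)
        fixed = key_from_file(path, hex_encoded=True)
    intended = bytes.fromhex(hex_key)
    return {"raw_len": len(raw), "fixed_len": len(fixed),
            "raw_matches": raw == intended, "fixed_matches": fixed == intended,
            "raw_code": totp(raw, now)[1], "fixed_code": totp(fixed, now)[1]}

if __name__ == "__main__":
    print(hex_to_base32("4b31ba191306a241767e"))  # JMY3UGITA2REC5T6, as genotpurl printed above
    print(demo_key_file_pitfall())
```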

archiecobbs commented 6 years ago

I just added the -F flag to otptool(1) in b58522d. This option allows the file to contain the key in hexadecimal format.

nickbe commented 6 years ago

OK, thanks so far. Everything works now as expected :)

tessus commented 6 years ago

Sorry for replying to a closed issue, but I couldn't find an email in your GitHub profile.

One problem is that now you'd need to also disambiguate. E.g., a37bF2 is valid as either hex or base64. Which means changing/extending the file format.

Yep, but in this case it's rather obvious which one is which. The hex codes are always 40 characters long. The base64 encoded stuff is not.

It could be done, but it's not clear whether it'd be worth it.

Probably not. Especially now that you added genopturl. ;-)

Instead, I've added a genotpurl(1) utility to the package. See commit c54316a

Nice.