---
title: 'LinOTP for two phase authentication'
date: '2016-10-14'
published_at: '2016-10-14T16:07:00.002+11:00'
tags: ['authentication', 'linotp', 'linux', 'python', 'security', 'two phase authentication']
author: 'Gavin Jackson'
excerpt: 'At work we just completed a migration from a closed source 2 phase authentication product (that ran on our Windows AD Server) to an open source product called LinOTP that integrates with Google Authen...'
updated_at: '2016-10-14T16:07:18.898+11:00'
legacy_url: 'http://www.gavinj.net/2016/10/linotp-for-two-phase-authentication.html'
---

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0kHDgbgybdX4dDx4-Kkz7TXQrN_XxS9XYVq1DZCvBD0ij_m0yH35gD3fZGWiyCHGWpKNMDIS7naosqwC1DJNyb_KUJv_2013RVG69Bt7krPXuLxJ_OB6q8NVSUOMWeDAvi6mh0AGnzyc/s320/LinOTP_Logo_rgb.png)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0kHDgbgybdX4dDx4-Kkz7TXQrN_XxS9XYVq1DZCvBD0ij_m0yH35gD3fZGWiyCHGWpKNMDIS7naosqwC1DJNyb_KUJv_2013RVG69Bt7krPXuLxJ_OB6q8NVSUOMWeDAvi6mh0AGnzyc/s1600/LinOTP_Logo_rgb.png)

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH_4psYsjgz0ZWNI-65P0o91_cfoCuAcLFFJXLYORK2e4QvJA8T3ejq27uo813y2BKMWoYjnvHdYHJC2vMLbd0jJwk8xlRrTSPHFpim1eihtPHJoHS7tXBZRvhnXxVl2gkFkgyflcZn2E/s200/Google-Authenticator.png)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH_4psYsjgz0ZWNI-65P0o91_cfoCuAcLFFJXLYORK2e4QvJA8T3ejq27uo813y2BKMWoYjnvHdYHJC2vMLbd0jJwk8xlRrTSPHFpim1eihtPHJoHS7tXBZRvhnXxVl2gkFkgyflcZn2E/s1600/Google-Authenticator.png)

At work we just completed a migration from a closed source 2 phase authentication product (that ran on our Windows AD Server) to an open source product called [LinOTP](https://www.linotp.org/) that integrates with Google Authenticator (in fact it works with any authenticator that supports the HMAC-Based One-Time Password (HOTP) or Time-Based One-Time Password (TOTP) algorithms - these include LastPass Authenticator and FreeOTP).

LinOTP is written in Python (Python 2/Pylons) and is extremely modular (allowing you to configure it to suit your environment).

Our configuration makes use of the following modules:
- PAM authentication module (which is used by OpenVPN to perform the two phase authentication).
- LDAP against AD to perform user ID resolution
- PostgreSQL to host the token and audit databases
- Apache2 to provide authentication to the management interface and SSL

A lot of the configuration is plumbing - as it is running on Python 2 I did have to use [pyenv](https://github.com/yyuu/pyenv) to get a version of Python 2 with a working virtualenv (Ubuntu seems to have broken virtualenv in their recent 16.04 LTS upgrade).

The LinOTP [documentation](https://www.linotp.org/documentation.html) is **VERY** good.

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFzTpbLVvqzETyiFRzy7w-Dzo4hyphenhyphenzyTsWTN7r6pvw6Xi8ceRsWGRqU9HNIXL2PtFrhWTpWc4lDOpDHzTdudf3sBQXCBJqOmppfLtxCz2pfX64WpSejQSrfRg-N5QuSgaamK6UUMpnXPGs/s640/linotp_management_console.png)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFzTpbLVvqzETyiFRzy7w-Dzo4hyphenhyphenzyTsWTN7r6pvw6Xi8ceRsWGRqU9HNIXL2PtFrhWTpWc4lDOpDHzTdudf3sBQXCBJqOmppfLtxCz2pfX64WpSejQSrfRg-N5QuSgaamK6UUMpnXPGs/s1600/linotp_management_console.png)

*Tidy Management Interface (with self service portal capability)*

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixcxt9sCf6adHRynLPn6mz5gNitvpeUDDW4_HYR6ybwNBh86fpbxUv6WXzbdn-5AQ70Vf-SrguuOtLkLX0sJv1klamUKBKFa7Q9VIr_V9F97nDAFErdlOgdqUGzs-Tn0k7iHffJNPH0Lo/s640/linotp_token_generation_2.png)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixcxt9sCf6adHRynLPn6mz5gNitvpeUDDW4_HYR6ybwNBh86fpbxUv6WXzbdn-5AQ70Vf-SrguuOtLkLX0sJv1klamUKBKFa7Q9VIr_V9F97nDAFErdlOgdqUGzs-Tn0k7iHffJNPH0Lo/s1600/linotp_token_generation_2.png)

*Range of Token types supported*

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvDHc18vCf9u6PEOVFQShsCciz_D1qFdHhNtlGNd-YOq0K9H-0DrP4gWb7sErZhnQxpDGlbHmMQsc5aTV4m4J8wkTqCpCziUZG1K1GtLRZ954swNM0HBdlXn9e4YXucnzm5iIo1cTjAYU/s640/linotp_token_generation_4.png)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvDHc18vCf9u6PEOVFQShsCciz_D1qFdHhNtlGNd-YOq0K9H-0DrP4gWb7sErZhnQxpDGlbHmMQsc5aTV4m4J8wkTqCpCziUZG1K1GtLRZ954swNM0HBdlXn9e4YXucnzm5iIo1cTjAYU/s1600/linotp_token_generation_4.png)

*QRCode Scanning Screen*