Hi all, I have been looking around for a way to offer OTP (One Time Passwords) as an added method of authentication. I require an open source solution; that is, server and client must be open source. Now after some searching I have found the following, but none officially support Archlinux.
linotp
freeipa
privacyID3A (fork of linotp 2.6.1 community edition)
There is a package for freeipa in the AUR but it seems to not be updated/working, though I haven't tried it yet. Also I was unable to find anything which specified the difference between privacyID3A and linotp. I was just wondering what others have used to implement OTP in archlinux. I would want to use it with a security token like the yubikey neo or something similar. Also I would want to be able to integrate it with the various other services I offer from my server (ssh, smtp, pop, imap, various web services (e.g. wordpress)).
Anyways, let me know; I will post any updates to what I have found/implemented here.
TLDR: What do you use to enable OTP as a method of authentication on your server?
I've seen this page but I am looking for a more general solution for my server, one where I could support more than just yubikeys. It would also be nice to have a REST API so that I can implement the OTP auth in applications that don't support PAM (e.g. some webapps). Also I have heard that the yubikey PAM module is mediocre, but I haven't looked more into those claims (I forget where I read them currently too).
(disclaimer: I was involved with LinOTP and am maintaining privacyIDEA)
FreeIPA is much more than just an OTP backend. As you might know, it is supposed to work as your kerberos server, your key distribution center and/or as identity management system.
So you can also do single sign on in your network.
But - to my knowledge freeipa only supports TOTP tokens out of the box.
LinOTP and privacyIDEA are only authentication backends. You need to have an additional user store - e.g. your /etc/passwd, an LDAP server or an SQL database.
privacyIDEA also supports users in a SCIM service - but I would call this an alpha state.
linotp might have the more sophisticated LDAP connection at the moment, i.e. supporting some kind of round robin for asking several ldap servers.
privacyIDEA forked from linotp 2.6.1, which did not provide the LDAP resolver, so I had to write it anew. (Sometimes this is also good.)
I added additional token types to privacyIDEA to support SSH key management for different ssh servers/machines or yubikeys with LUKS.
At the moment I am migrating the system to probably flask. Doing major code rewrites. cleaning up the structure. Better tests for code coverage etc, which you can read here. So the goal is to not only be an OTP backend but a more common authentication backend for 2FA.
I do not know anything about the linotp roadmap.
linotp is developed by the company and you might feel a bit more comfortable with having a company behind it, where you can get updates till the end of time. So you can go with their enterprise edition or you can use their community edition free of charge. Well, but if you like you can also get support for privacyIDEA. But privacyIDEA is supposed to be and to stay an open source project, where everybody is invited to participate or also invited to provide support. To my understanding linotp enterprise edition is thought of as a shelf product.
Hope this helps.
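The thread compares backends without showing what a TOTP/HOTP backend actually verifies. The following is an added example, not code from the original thread nor from FreeIPA, LinOTP or privacyIDEA: a standalone implementation of HOTP (RFC 4226) and TOTP (RFC 6238) verification using only the Python standard library, with the two checks an OTP server must get right that the products above handle for you: a constant-time comparison of the submitted code, and replay rejection (a counter that was already accepted is never accepted again, even inside the clock-drift window). The secret below is the RFC test vector key, and the `window` and `last_counter` parameters are this example's own names.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
# Constructed for the example; a real backend stores a per-user random secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP per RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """TOTP per RFC 6238: HOTP with the counter derived from Unix time / step."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, at: int, step: int = 30, digits: int = 6,
                window: int = 1, last_counter: Optional[int] = None) -> Optional[int]:
    """Return the accepted time-step counter, or None if the code is rejected.

    - Accepts codes from `window` steps either side of `at` to tolerate clock drift.
    - Compares with hmac.compare_digest so timing does not leak how many digits matched.
    - Rejects any counter <= last_counter: a code that was already used (or an older
      one) is never accepted again. The caller must persist the returned counter.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    current = at // step
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue  # replay (or pre-replay) of an already consumed step
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            return counter
    return None


def rfc_vectors_pass() -> bool:
    """Sanity check against the published RFC 4226 and RFC 6238 (SHA-1) vectors."""
    hotp_expected = ["755224", "287082", "359152", "969429", "338314",
                     "254676", "287922", "162583", "399871", "520489"]
    if [hotp(TEST_SECRET, c) for c in range(10)] != hotp_expected:
        return False
    totp_expected = {59: "94287082", 1111111109: "07081804", 1111111111: "14050471",
                     1234567890: "89005924", 2000000000: "69279037", 20000000000: "65353130"}
    return all(totp(TEST_SECRET, t, digits=8) == code for t, code in totp_expected.items())


if __name__ == "__main__":
    print("RFC vectors:", "ok" if rfc_vectors_pass() else "FAIL")
    code = totp(TEST_SECRET, 59)            # generated in step 1 (t = 59)
    first = verify_totp(TEST_SECRET, code, at=89)  # checked in step 2, inside the window
    print("first use accepted at counter", first)
    replay = verify_totp(TEST_SECRET, code, at=89, last_counter=first)
    print("replay accepted:", replay is not None)
```

The returned counter is the value a backend must write to the user record before answering "accepted"; if that write is skipped, the drift window becomes a replay window. Hash agility (SHA-256/512 per RFC 6238) is a matter of passing a different `algorithm`, which is the same parameter the token must be provisioned with.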