OTPme is a flexible One-Time-Password system¶
OTPme aims to be the most useful authentication system with focus on One-Time-Passwords.
Currently it consists of different command line tools to manage users, groups, tokens, clients etc. and an authentication tool that's intended to be used with freeradius to authenticate users.¶
OTPme is open source and released under the terms of the GNU General Public License v2.
Features:
- add different tokens to users (currently motp and "static-password tokens" supported)
- support for OTP-sessions which can be used to re-use an OTP (e.g. login to an web-based Single-Sign-On system that hands over the OTP to an webmail system which uses it for IMAP login)
- configure clients based on name (NAS-Identifier in case of radius) or ip address (e.g. if requests do not contain a NAS-ID)
- supports access groups to configure:
- which tokens can be used for which logins (clients)
- per group "max login failures"
- per OTP-Session "max logins"
- session-timeout and unused-session-timeout for OTP-Sessions
- child groups that inherit access permissions from parent groups
- child sessions to allow other services to use the same OTP
- a "Session Master" to make it easier to configure child session relations
- supports client trust passwords (CTP)
- to protect against keyloggers
- to improve security by using a 32-character long trust password
- supports per session logout passwords (SLP) which can be used to securely logout a OTP session (and childs if configured)
- count logon failures only once per OTP/password (e.g. a wrong configured mail client which tries to login with the same wrong password again and again may not lock the user account)
- support for MSCHAP Challenge/Response authentication with static-password tokens and MOTP tokens (e.g. often needed for WLAN authentication)
- which tokens can be used for which logins (clients)
- per group "max login failures"
- per OTP-Session "max logins"
- session-timeout and unused-session-timeout for OTP-Sessions
- child groups that inherit access permissions from parent groups
- child sessions to allow other services to use the same OTP
- a "Session Master" to make it easier to configure child session relations
- to protect against keyloggers
- to improve security by using a 32-character long trust password
Documentation¶
- OTPme Step-by-Step Guide
- Command Line Tools
- Web Interface (not implemented yet)
- Freeradius Example Configuration
- SSO Examples
- Howto OTPme my site :)
Other stuff¶