mirror/librenms-librenms
1
0
Fork 0
mirror of https://github.com/librenms/librenms.git synced 2024-10-07 16:52:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
d80c19d0dd64384a8a409faecf9ee87bda1f9fb8
librenms-librenms/doc/Extensions/Two-Factor-Auth.md
Zane C. Bowers-Hadley e4c9153d16 more documentation clean up (#10577) 
* fix a few bare URLs

* make mdl happy

* make Weathermap.md as mdl happy as possible

* make Varnish.md as mdl happy as possible

* make Two-Factor-Auth.md mdl happy

* touch one header for Syslog.md, but little can be done about the rest

* make Sub-Directory.md as mdl happy as possible

* make SNMP-Trap-Handler.md lint happy

* make SNMP-Proxy.md mdl happy

* make Smokeping.md as mdl happy as possible

* make Services.md mdl happy

* make RRDTune.md mdl happy

* cleanup RRDCached.md as much as possible

* make RRDCached-Security.md mdl happy

* make Rancid.md as mdl happy as possible

* make Proxmox.md mdl happy

* make Plugin-System.md as mdl happy as possible

* make PeeringDB.md mdl happy

* make Oxidized.md more lint happy

* make Network-Map.md mdl happy

* make MIB-based-polling.md as mdl happy as possible

* make Metric-Storage.md mdl happy

* make IRC-Bot.md as mdl happy as possible

* make IRC-Bot-Extensions.md as mdl happy as possible

* make

* make Graylog.md mdl happy

* make Gateone.md mdl happy

* make Fast-Ping-Check.md mdl happy

* make Distributed-Poller.md as mdl happy as possible

* make Dispatcher-Service.md as mdl happy as possible

* make Device-Groups.md mdl happy

* make Dell-OpenManage.md mdl happy

* make Dashboard.md mdl happy

* make Customizing-the-Web-UI.md as mdl happy as possible

* make Component.md mdl happy

* make Billing-Module.md mdl happy

* make Auto-Discovery.md mostly mdl happy

* make Authentication.md as mdl happy as possible

* tidy up a few lines in Applications.md

* make Agent-Setup.md as mdl happy as possible

* make metrics/OpenTSDB.md mdl happy

* spelling fix
2019-09-09 12:48:35 +02:00

80 lines
2.8 KiB
Markdown
Raw Blame History

source: Extensions/Two-Factor-Auth.md
path: blob/master/doc/
# About
Over the last couple of years, the primary attack vector for internet
accounts has been static passwords. Therefore static passwords are no
longer sufficient to protect unauthorized access to accounts. Two
Factor Authentication adds a variable part in authentication
procedures. A user is now required to supply a changing 6-digit
passcode in addition to it's password to obtain access to the account.
LibreNMS has a RFC4226 conform implementation of both Time and Counter
based One-Time-Passwords. It also allows the administrator to
configure a throttle time to enforce after 3 failures exceeded. Unlike
RFC4226 suggestions, this throttle time will not stack on the amount of failures.
# Types
In general, these two types do not differ in algorithmic terms.
The types only differ in the variable being used to derive the passcodes from.
The underlying HMAC-SHA1 remains the same for both types, security
advantages or disadvantages of each are discussed further down.
## Timebased One-Time-Password (TOTP)
Like the name suggests, this type uses the current Time or a subset of
it to generate the passcodes. These passcodes solely rely on the
secrecy of their Secretkey in order to provide passcodes. An attacker
only needs to guess that Secretkey and the other variable part is any
given time, presumably the time upon login. RFC4226 suggests a
resynchronization attempt in case the passcode mismatches, providing
the attacker a range of up to +/- 3 Minutes to create passcodes.
## Counterbased One-Time-Password (TOTP)
This type uses an internal counter that needs to be in sync with the
server's counter to successfully authenticate the passcodes. The main
advantage over timebased OTP is the attacker doesn't only need to know
the Secretkey but also the server's Counter in order to create valid
passcodes. RFC4226 suggests a resynchronization attempt in case the
passcode mismatches, providing the attacker a range of up to +4
increments from the actual counter to create passcodes.
# Configuration
Enable Two-Factor:
```php
$config['twofactor'] = true;
```
Set throttle-time (in seconds):
```php
$config['twofactor_lock'] = 300;
```
# Usage
These steps imply that TwoFactor has been enabled in your `config.php`
Create a Two-Factor key:
- Go to 'My Settings' (/preferences/)
- Choose TwoFactor type
- Click on 'Generate TwoFactor Secret Key'
- If your browser didn't reload, reload manually
- Scan provided QR or click on 'Manual' to see the Key
## Google Authenticator
Installation guides for Google Authenticator can be found [here](https://support.google.com/accounts/answer/1066447?hl=en).
Usage:
- Create a key like described above
- Scan provided QR or click on 'Manual' and type down the Secret
- On next login, enter the passcode that the App provides
Reference in New Issue View Git Blame Copy Permalink