Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-4799

One Time Password (TOTP/HOTP/SKEY/others) auth plugin

    XMLWordPrintable

    Details

      Description

      This MDEV will implement a two pass auth plugin
      Allowing users to use HTOP or TOTP tokens (google authenticator for example)

      Users will grant permission and send to plugin a string that configure how OTP will work.
      The string will be something like google uri (https://code.google.com/p/google-authenticator/wiki/KeyUriFormat)

      otpauth://TYPE/?PARAMETER=value&PARAMETER=value ...
      type and parameters and values are case insensitive (convert all to lower case)
       
      TYPE
        [totp|hotp]
          totp = time based otp (RFC 6238)
          hotp = counter based otp (RFC 4226)
          skey = SKEY based (same parameters of hotp) (RFC 1760)
       
      PARAMETERS
        SECRET
          base32 encoded secret (~16 bytes)
        COUNTER
          integer [1 to 2^64-1], only used in HOTP, default value = 1
        PERIOD
          integer [1 to 86400], only use in TOTP, default value = 30 (seconds)
        ATTEMPTS
          integer [0 to 100], number of tries with different otp values (default = 3 for totp, 10 for hotp)
        ONE_ACCESS
          [0|false|off|1|true|on], enable only one access with the current token
        BRUTE_FORCE_TIMEOUT
          [0 to 86400], timeout to avoid brute force attacks, after a fail we will wait this number of seconds before accepting a new login, default = 5 seconds


      example:
      CREATE USER 'my_user'@'localhost' IDENTIFIED WITH otp_auth AS "otpauth://totp/?secret=BASE32_SECRET&period=30";

      plugin will receive uri string + user + host value, and save it to default mariadb directory, in a database/file/table, format not defined yet, maybe a ini file? or a myisam table?

      USER HOST URI TYPE SECRET CURRENT_COUNTER PERIOD BRUTE_FORCE_TIMEOUT NEXT_BRUTE_FORCE ONE_ACCESS LAST_ONE_ACCESS ATTEMPTS
      user host URI totp/hotp base32 string current hotp counter totp period brute force timeout next allowed bruteforce login (unix timestamp) one acces flag last allowed otp value number of attempts


      authentication:

      when user contact mariadb, plugin will ask:
      "Please enter OTP token value:"
      user will send the current OTP value from token (user_otp)

      1)plugin will search the user/domain/URI in otpauth table
      if it don't exists, return "deny login"
      2)if next brute force > current time, return "deny, brute force"
      3)

        for(cur_attempt=0;cur_attempt<attempts;cur_attempt++){
          totp:
            current_attempt = 
              floor(second(unixtimestamp)/period) +
              (cur_attempt-floor(attempts/2))
            hotp
              current_attempt = 
                current_counter +
                (cur_attempt-floor(attempts/2))
           calculated_otp = calculate the current otp(current_attempt,secret_key)
           if user_otp = calculated_otp {
             save NEXT_BRUTE_FORCE value (current time + BRUTE_FORCE_TIMEOUT)
             if one_access = 1 {
               if last one access = current value
      	   return "one access only per otp"
      	 save last access otp value
             }
             if hotp
               save current_counter as current_attempt
             return (login accepted); /* must check user + host + password at mysql */
           }
         }
         return "bad otp value"

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              rspadim roberto spadim
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated: