|
This MDEV will implement a two pass auth plugin
Allowing users to use HTOP or TOTP tokens (google authenticator for example)
Users will grant permission and send to plugin a string that configure how OTP will work.
The string will be something like google uri (https://code.google.com/p/google-authenticator/wiki/KeyUriFormat)
otpauth://TYPE/?PARAMETER=value&PARAMETER=value ...
|
type and parameters and values are case insensitive (convert all to lower case)
|
|
TYPE
|
[totp|hotp]
|
totp = time based otp (RFC 6238)
|
hotp = counter based otp (RFC 4226)
|
skey = SKEY based (same parameters of hotp) (RFC 1760)
|
|
PARAMETERS
|
SECRET
|
base32 encoded secret (~16 bytes)
|
COUNTER
|
integer [1 to 2^64-1], only used in HOTP, default value = 1
|
PERIOD
|
integer [1 to 86400], only use in TOTP, default value = 30 (seconds)
|
ATTEMPTS
|
integer [0 to 100], number of tries with different otp values (default = 3 for totp, 10 for hotp)
|
ONE_ACCESS
|
[0|false|off|1|true|on], enable only one access with the current token
|
BRUTE_FORCE_TIMEOUT
|
[0 to 86400], timeout to avoid brute force attacks, after a fail we will wait this number of seconds before accepting a new login, default = 5 seconds
|
—
example:
CREATE USER 'my_user'@'localhost' IDENTIFIED WITH otp_auth AS "otpauth://totp/?secret=BASE32_SECRET&period=30";
plugin will receive uri string + user + host value, and save it to default mariadb directory, in a database/file/table, format not defined yet, maybe a ini file? or a myisam table?
| USER |
HOST |
URI |
TYPE |
SECRET |
CURRENT_COUNTER |
PERIOD |
BRUTE_FORCE_TIMEOUT |
NEXT_BRUTE_FORCE |
ONE_ACCESS |
LAST_ONE_ACCESS |
ATTEMPTS |
| user |
host |
URI |
totp/hotp |
base32 string |
current hotp counter |
totp period |
brute force timeout |
next allowed bruteforce login (unix timestamp) |
one acces flag |
last allowed otp value |
number of attempts |
—
authentication:
when user contact mariadb, plugin will ask:
"Please enter OTP token value:"
user will send the current OTP value from token (user_otp)
1)plugin will search the user/domain/URI in otpauth table
if it don't exists, return "deny login"
2)if next brute force > current time, return "deny, brute force"
3)
for(cur_attempt=0;cur_attempt<attempts;cur_attempt++){
|
totp:
|
current_attempt =
|
floor(second(unixtimestamp)/period) +
|
(cur_attempt-floor(attempts/2))
|
hotp
|
current_attempt =
|
current_counter +
|
(cur_attempt-floor(attempts/2))
|
calculated_otp = calculate the current otp(current_attempt,secret_key)
|
if user_otp = calculated_otp {
|
save NEXT_BRUTE_FORCE value (current time + BRUTE_FORCE_TIMEOUT)
|
if one_access = 1 {
|
if last one access = current value
|
return "one access only per otp"
|
save last access otp value
|
}
|
if hotp
|
save current_counter as current_attempt
|
return (login accepted); /* must check user + host + password at mysql */
|
}
|
}
|
return "bad otp value"
|
|