FireBrick OTP: Difference between revisions
m (clean up, typos fixed: Event based → Event-based (2), 2 stage → 2-stage) |
|||
(11 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
[[File:2700-small.png|link=:Category:FireBrick]] |
|||
*[http://www.firebrick.co.uk/fb2700/oath.php OATH on Firebrick.co.uk] |
|||
=What is OTP/OATH= |
=What is OTP/OATH= |
||
OTP = One Time Password |
OTP = One Time Password |
||
[http://en.wikipedia.org/wiki/HOTP Wikipedia article] |
|||
=Uses on a FireBrick= |
=Uses on a FireBrick= |
||
*More secure admin login to the FireBrick - user needs a password and the OTP |
*More secure admin login to the FireBrick - user needs a password and the OTP |
||
*Users can log in to the FireBrick to open up the firewall from their IP, as a 2 |
*Users can log in to the FireBrick to open up the firewall from their IP, as a 2-stage login process to your LAN |
||
*Have normal users with passwords for access to the FB from known IPs, but allow an OTP user to login to the FireBrick from any IP address. |
*Have normal users with passwords for access to the FB from known IPs, but allow an OTP user to login to the FireBrick from any IP address. |
||
Line 12: | Line 17: | ||
There free apps available for iPhone, Nokia, Android etc. |
There free apps available for iPhone, Nokia, Android etc. |
||
(These listed apps are a little old now, there may be better ones available...) |
|||
*[https://itunes.apple.com/us/app/authenticator/id766157276?mt=8 Authenticator] is a free iPhone app (verified working with FireBrick 20 December 2016) |
|||
*[http://itunes.apple.com/us/app/oath-token/id364017137?mt=8 OATH Token] is a free iPhone app - (there are others too) |
|||
⚫ | |||
=== Configuring the app === |
|||
[[IPhone OATH]] info about the OATH Token App |
|||
Your app's config needs to match that of the FireBrick for: |
|||
⚫ | |||
*Secret - this is usually the base32 encoding of the HEX key which you enter into your FireBrick. (You could use [http://tomeko.net/online_tools/hex_to_base32.php?lang=en this] to do the conversion for you.] |
|||
*Digits - how many digits you want to use |
|||
*Interval - the time in seconds that the OTP changes, or set to Event-based. |
|||
You can also use something like [http://dan.hersam.com/tools/gen-qr-code.html this] to generate a QR code for your app to scan. Use the following settings: |
|||
*Label: something which identifies the token (e.g. "Office FireBrick") |
|||
*User: it does not matter, but it might be sensible to set it to the Serial Number you are giving the OTP in the FireBrick config, or the FireBrick user to which you will attach the token |
|||
*Key: the base32 encoding of the HEX key which you enter into your FireBrick |
|||
*URL: a URL of the form: otpauth://totp/Example:[user]?secret=[base32 of hex secret]&issuer=[Label] |
|||
= Configuring the FireBrick = |
= Configuring the FireBrick = |
||
Line 21: | Line 39: | ||
Once you have your OTP device, then on the FireBrick click on Config and then Configure OATH/OTP |
Once you have your OTP device, then on the FireBrick click on Config and then Configure OATH/OTP |
||
The fields on this form are: |
The fields on this form are: |
||
*Serial Number - the name you want to give to this OTP - you can use the serial number on the OTP, or simply a name, |
*Serial Number - the name you want to give to this OTP - you can use the serial number on the OTP, or simply a name, e.g. Andrews iPhone, up to you. |
||
*Key - this is the HEX key that will be given to you from the OTP device. |
*Key - this is the HEX key that will be given to you from the OTP device. |
||
*Digits - how many digits the OTP device gives you. |
*Digits - how many digits the OTP device gives you. |
||
*Interval - the time in seconds that the OTP changes, or set to Event |
*Interval - the time in seconds that the OTP changes, or set to Event-based. |
||
*Validate - these are the 3 sequential values from the device - |
*Validate - these are the 3 sequential values from the device - i.e., enter in the current value, wait for it to update, enter in the new value, and then the same for the third value. |
||
Click update, and should be set. |
Click update, and should be set. |
||
==Configuring OTP devices against FireBrick Users== |
==Configuring OTP devices against FireBrick Users== |
||
===OTP example=== |
===OTP example=== |
||
You can use the OTP instead of a password, |
You can use the OTP instead of a password, e.g.: |
||
<syntaxhighlight> |
<syntaxhighlight lang="xml"> |
||
<user name="bob" otp="Bobs keyring" comment="OTP token"/> |
<user name="bob" otp="Bobs keyring" comment="OTP token"/> |
||
</syntaxhighlight> |
</syntaxhighlight> |
||
===Password and OTP example=== |
===Password and OTP example=== |
||
<syntaxhighlight> |
<syntaxhighlight lang="xml"> |
||
<user name="bob" otp="Bobs keyring" password="secret" comment="OTP token and password required"/> |
<user name="bob" otp="Bobs keyring" password="secret" comment="OTP token and password required"/> |
||
</syntaxhighlight> |
</syntaxhighlight> |
||
With this, bob will need to log in to the FireBrick using the password of <otp><password> - |
With this, bob will need to log in to the FireBrick using the password of <otp><password> - i.e. the OTP value followed by his password, e.g. 123456secret |
||
===Restricting Access=== |
===Restricting Access=== |
||
This isn't really OTP related, but user related. |
This isn't really OTP related, but user related. |
||
A user can be given a list of IPs (or an IP group) that they are only allowed to log in from. |
A user can be given a list of IPs (or an IP group) that they are only allowed to log in from. |
||
So, we may want a user that doesn't use the OTP, but is restricted to certain IPs that he can log in from. |
So, we may want a user that doesn't use the OTP, but is restricted to certain IPs that he can log in from. e.g., we can list the LAN IPs, and perhaps some known remote IPs too. -this will also help in the event of the OTP device being lost! |
||
We can then set a user that is not restricted by IP address, which means that you can log in to the FireBrick from anywhere as long as you use the OTP as well -so security is tighter as both a password and the OTP are required. |
We can then set a user that is not restricted by IP address, which means that you can log in to the FireBrick from anywhere as long as you use the OTP as well -so security is tighter as both a password and the OTP are required. e.g. |
||
<syntaxhighlight> |
<syntaxhighlight lang="xml"> |
||
<user name="bob" password="secret" access="192.0.2.0/28" comment="access with just a password from the LAN"/> |
<user name="bob" password="secret" access="192.0.2.0/28" comment="access with just a password from the LAN"/> |
||
<user name="bob2" otp="Bobs keyring" password="secret" comment="Access from anywhere with OTP and password"/> |
<user name="bob2" otp="Bobs keyring" password="secret" comment="Access from anywhere with OTP and password"/> |
||
</syntaxhighlight> |
</syntaxhighlight> |
||
== Logging in to the FireBrick using OTP == |
|||
When you have a user configured, log out and try to log back in again. |
|||
In the "Username" field, put in your username as usual. |
|||
In the "Password" field, put in your OTP code followed (with no space in between) by your password. |
|||
== Using FireBrick login to access your LAN == |
== Using FireBrick login to access your LAN == |
||
Line 57: | Line 83: | ||
These are the config lines that will make this work: |
These are the config lines that will make this work: |
||
<syntaxhighlight> |
<syntaxhighlight lang="xml"> |
||
<user name="John" otp="Johns keyring" password="secret" level="guest" comment="A remote user for accessing the LAN"/> |
<user name="John" otp="Johns keyring" password="secret" level="guest" comment="A remote user for accessing the LAN"/> |
||
<ip-group name="RemoteUsers" users="John" comment="List of users that will be allowed to access the LAN"/> |
<ip-group name="RemoteUsers" users="John" comment="List of users that will be allowed to access the LAN"/> |
||
Line 65: | Line 91: | ||
*If your FireBrick is not doing the PPP, then set the source-interface to your WAN interface. |
*If your FireBrick is not doing the PPP, then set the source-interface to your WAN interface. |
||
*The rule here allows the user full access to all IPs and ports on your LAN, this rule can be set to specify target-ip(s) and target-port(s) as required. |
*The rule here allows the user full access to all IPs and ports on your LAN, this rule can be set to specify target-ip(s) and target-port(s) as required. |
||
*Also add Johns keyring to the FireBrick first, through the |
*Also add Johns keyring to the FireBrick first, through the 'Configure OATH/OTP' page. |
||
[[Category:FireBrick|OTP]] |
Latest revision as of 00:00, 15 March 2017
What is OTP/OATH
OTP = One Time Password
Uses on a FireBrick
- More secure admin login to the FireBrick - user needs a password and the OTP
- Users can log in to the FireBrick to open up the firewall from their IP, as a 2-stage login process to your LAN
- Have normal users with passwords for access to the FB from known IPs, but allow an OTP user to login to the FireBrick from any IP address.
OTP Devices
Keyring type
Apps
There free apps available for iPhone, Nokia, Android etc. (These listed apps are a little old now, there may be better ones available...)
- Authenticator is a free iPhone app (verified working with FireBrick 20 December 2016)
- OATH Token is a free iPhone app - (there are others too)
- DS3 OATHDSSS is an event-based OATH token for J2ME capable phones
Configuring the app
Your app's config needs to match that of the FireBrick for:
- Secret - this is usually the base32 encoding of the HEX key which you enter into your FireBrick. (You could use this to do the conversion for you.]
- Digits - how many digits you want to use
- Interval - the time in seconds that the OTP changes, or set to Event-based.
You can also use something like this to generate a QR code for your app to scan. Use the following settings:
- Label: something which identifies the token (e.g. "Office FireBrick")
- User: it does not matter, but it might be sensible to set it to the Serial Number you are giving the OTP in the FireBrick config, or the FireBrick user to which you will attach the token
- Key: the base32 encoding of the HEX key which you enter into your FireBrick
- URL: a URL of the form: otpauth://totp/Example:[user]?secret=[base32 of hex secret]&issuer=[Label]
Configuring the FireBrick
Setting up the OTP
Once you have your OTP device, then on the FireBrick click on Config and then Configure OATH/OTP The fields on this form are:
- Serial Number - the name you want to give to this OTP - you can use the serial number on the OTP, or simply a name, e.g. Andrews iPhone, up to you.
- Key - this is the HEX key that will be given to you from the OTP device.
- Digits - how many digits the OTP device gives you.
- Interval - the time in seconds that the OTP changes, or set to Event-based.
- Validate - these are the 3 sequential values from the device - i.e., enter in the current value, wait for it to update, enter in the new value, and then the same for the third value.
Click update, and should be set.
Configuring OTP devices against FireBrick Users
OTP example
You can use the OTP instead of a password, e.g.:
<user name="bob" otp="Bobs keyring" comment="OTP token"/>
Password and OTP example
<user name="bob" otp="Bobs keyring" password="secret" comment="OTP token and password required"/>
With this, bob will need to log in to the FireBrick using the password of <otp><password> - i.e. the OTP value followed by his password, e.g. 123456secret
Restricting Access
This isn't really OTP related, but user related. A user can be given a list of IPs (or an IP group) that they are only allowed to log in from. So, we may want a user that doesn't use the OTP, but is restricted to certain IPs that he can log in from. e.g., we can list the LAN IPs, and perhaps some known remote IPs too. -this will also help in the event of the OTP device being lost! We can then set a user that is not restricted by IP address, which means that you can log in to the FireBrick from anywhere as long as you use the OTP as well -so security is tighter as both a password and the OTP are required. e.g.
<user name="bob" password="secret" access="192.0.2.0/28" comment="access with just a password from the LAN"/>
<user name="bob2" otp="Bobs keyring" password="secret" comment="Access from anywhere with OTP and password"/>
Logging in to the FireBrick using OTP
When you have a user configured, log out and try to log back in again.
In the "Username" field, put in your username as usual.
In the "Password" field, put in your OTP code followed (with no space in between) by your password.
Using FireBrick login to access your LAN
It is possible to log in to a FireBrick, which in turn then allows a firewall filter to be enabled on that users source IP address. It's therefore possible to set the Firebrick up so that you can be allowed access the LAN side once you've successfully logged in to the FireBrick.
We need to make a user, an ip-group, and a rule in your normall firewall filters <rule-set ...>
These are the config lines that will make this work:
<user name="John" otp="Johns keyring" password="secret" level="guest" comment="A remote user for accessing the LAN"/>
<ip-group name="RemoteUsers" users="John" comment="List of users that will be allowed to access the LAN"/>
<rule name="Remote User Access" source-ip="RemoteUsers" source-interface="pppoe" target-interface="self LAN" log="true"/>
- If your FireBrick is not doing the PPP, then set the source-interface to your WAN interface.
- The rule here allows the user full access to all IPs and ports on your LAN, this rule can be set to specify target-ip(s) and target-port(s) as required.
- Also add Johns keyring to the FireBrick first, through the 'Configure OATH/OTP' page.