Revision as of 12:07, 17 February 2011

What is OTP/OATH

OTP = One Time Password

Uses on a FireBrick

More secure admin login to the FireBrick - user needs a password and the OTP
Users can log in to the FireBrick to open up the firewall from their IP, as a 2 stage login process to your LAN
Have normal users with passwords for access to the FB from known IPs, but allow an OTP user to login to the FireBrick from any IP address.

OTP Devices

Keyring type

Apps

There free apps available for iPhone, Nokia, Android etc.

iPhone OATH info about the OATH Token App

Configuring the FireBrick

Setting up the OTP

Once you have your OTP device, then on the FireBrick click on Config and then Configure OATH/OTP The fields on this form are:

Serial Number - the name you want to give to this OTP - you can use the serial number on the OTP, or simply a name, eg Andrews iPhone, up to you.
Key - this is the HEX key that will be given to you from the OTP device.
Digits - how many digits the OTP device gives you.
Interval - the time in seconds that the OTP changes, or set to Event based.
Validate - these are the 3 sequential values from the device - ie, enter in the current value, wait for it to update, enter in the new value, and then the same for the third value.

Click update, and should be set.

Configuring OTP devices against FireBrick Users

OTP example

You can use the OTP instead of a password, eg:

  <user name="bob" otp="Bobs keyring" comment="OTP token"/>

Password and OTP example

  <user name="bob" otp="Bobs keyring" comment="OTP token" password="secret"/>

With this, bob will need to log in to the FireBrick using the password of <opt><password> - is the opt value followed by his password.

Restricting Access

This isn't really OTP related, but user related. A user can be given a list of IPs (or an IP group) that they are only allowed to log in from. So, we may want a user that doesn't use the OTP, but is restricted to certain IPs that he can log in from. eg, we can list the LAN IPs, and perhaps some known remote IPs too. -this will also help in the event of the OTP device being lost! We can then set a user that is not restricted by IP address, which means that you can log in to the FireBrick from anywhere as long as you use the OTP as well -so security is tighter as both a password and the OTP are required. eg

  <user name="bob" comment="access with just a password from the LAN" password="secret" access="192.0.2.0/28"/>
  <user name="bob2" otp="Bobs keyring" password="secret" comment="Access from anywhere with OTP and password"/>

@@ Line 29: / Line 29: @@
 You can use the OTP instead of a password, eg:
 <syntaxhighlight>
-  <user name="bob" timeout="PT1H" otp="Bobs keyring" comment="OTP token"/>
+  <user name="bob" otp="Bobs keyring" comment="OTP token"/>
 </syntaxhighlight>
 ===Password and OTP example===
 <syntaxhighlight>
-  <user name="bob" timeout="PT1H" otp="Bobs keyring" comment="OTP token" password="secret"/>
+  <user name="bob" otp="Bobs keyring" comment="OTP token" password="secret"/>
 </syntaxhighlight>
 With this, bob will need to log in to the FireBrick using the password of <opt><password> - is the opt value followed by his password.
@@ Line 44: / Line 44: @@
 We can then set a user that is not restricted by IP address, which means that you can log in to the FireBrick from anywhere as long as you use the OTP as well -so security is tighter as both a password and the OTP are required. eg
 <syntaxhighlight>
-  <user name="bob" timeout="PT1H" otp="Bobs keyring" comment="OTP token" password="secret"/>
+  <user name="bob" comment="access with just a password from the LAN" password="secret" access="192.0.2.0/28"/>
+  <user name="bob2" otp="Bobs keyring" password="secret" comment="Access from anywhere with OTP and password"/>
 </syntaxhighlight>