editor
698
edits
FireBrick OTP: Difference between revisions
m
clean up, typos fixed: ie, → i.e., (2), eg → e.g. (5)
No edit summary |
m (clean up, typos fixed: ie, → i.e., (2), eg → e.g. (5)) |
||
|
Once you have your OTP device, then on the FireBrick click on Config and then Configure OATH/OTP
The fields on this form are:
*Serial Number - the name you want to give to this OTP - you can use the serial number on the OTP, or simply a name,
*Key - this is the HEX key that will be given to you from the OTP device.
*Digits - how many digits the OTP device gives you.
*Interval - the time in seconds that the OTP changes, or set to Event based.
*Validate - these are the 3 sequential values from the device -
Click update, and should be set.
==Configuring OTP devices against FireBrick Users==
===OTP example===
You can use the OTP instead of a password,
<syntaxhighlight>
<user name="bob" otp="Bobs keyring" comment="OTP token"/>
<user name="bob" otp="Bobs keyring" password="secret" comment="OTP token and password required"/>
</syntaxhighlight>
With this, bob will need to log in to the FireBrick using the password of <otp><password> -
===Restricting Access===
This isn't really OTP related, but user related.
A user can be given a list of IPs (or an IP group) that they are only allowed to log in from.
So, we may want a user that doesn't use the OTP, but is restricted to certain IPs that he can log in from.
We can then set a user that is not restricted by IP address, which means that you can log in to the FireBrick from anywhere as long as you use the OTP as well -so security is tighter as both a password and the OTP are required.
<syntaxhighlight>
<user name="bob" password="secret" access="192.0.2.0/28" comment="access with just a password from the LAN"/>
| |||