[horde] Login with security token: advice wanted [long]
Michael M Slusarz
slusarz at horde.org
Wed Apr 27 22:30:28 UTC 2011
Quoting Michele Bergonzoni <bergonz at labs.it>:
> I have Horde 4.0 configured to accept logins with username +
> password + security token. My setup is working fine, but is "kludgy"
> because I directly modified a source file, so it will probably be
> overwritten at each upgrade, is difficult to maintain, etc.
>
> I am seeking advice about how to do this "properly" with the hooks
> and config parameters available if possible. What follows is a
> description of the problem and how I currently solved it.
>
> Our users login with a username, a password, and a string of digits
> coming out of a security token (those little devices that look like
> a keyfob and give you a different number each time you press the
> button). I don't think it matters, but we are using Feitian c100 and
> c200 tokens. What matters is that the number that is valid now will
> not be valid later (this is an essential property of this kind of
> setup, and the specific definition of "later" can vary).
>
> We have users and passwords in LDAP, and we set up a RADIUS server
> to verify the token digits: it takes username, "password" made with
> LDAP password + space + digits, and then accepts or rejects. This
> double setup is intended to accommodate both services that have a
> deliberate and distinguished act of login from the user (e.g.,
> horde, any session-based web app, ssh, some VPNs, etc.) and services
> where the credentials are stored somewhere and verified without user
> intervention (e.g. web with HTTP basic auth, IMAP with most clients
> including IMP).
>
> Back to horde, we want the user to insert the password, that IMP
> will use for IMAP, and the digits, that we will check (together with
> the password) against the RADIUS server.
>
> What I did was to setup horde to use an app (imp) for
> authentication, and then modify ./imp/lib/Application.php so that:
>
> * at line 375, before the js_code assignment, a new $params entry is
> added as follows:
>
> $params['token_digits'] = array(
> 'label' => _("Token digits"),
> 'type' => 'password',
> );
As of right now, there is not an easy way to alter the login page to
add fields. So adding to authLoginParams() is the proper way of
handling this.
> * in authAuthenticate, in the "if ($new_session) {" block, check
> credentials (fetched from the $credentials array) against RADIUS. If
> rejected throw REASON_FAILED, if accepted do what was previously in
> that block.
This is handled much cleaner in the postauthenticate hook. See
horde/config/hooks.php.dist for further details. In that hook, you
should do your local token check. If it fails, have postauthenticate
return false - the authentication will fail.
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
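As an added illustration of the approach Michael recommends above (not code from this thread or from the Horde project), here is what a token check in the postauthenticate hook of horde/config/hooks.php could look like, failing closed on anything other than an explicit RADIUS Access-Accept. It assumes the Horde 4 hook signature postauthenticate($userId, $credentials), that the extra login field arrives as $credentials['token_digits'], that the PECL radius extension is installed, and placeholder RADIUS server settings.

```php
<?php
/* Added example of a postauthenticate hook for horde/config/hooks.php.
 * Not code from the thread or from the Horde project. Assumed: the hook
 * signature postauthenticate($userId, $credentials), that the extra login
 * field is delivered as $credentials['token_digits'], that the PECL radius
 * extension is available, and placeholder RADIUS server settings below. */
class Horde_Hooks
{
    public function postauthenticate($userId, $credentials)
    {
        // Placeholder RADIUS settings; replace with your own values.
        $server = 'radius.example.com';
        $port   = 1812;
        $secret = 'CHANGE-ME-shared-secret';

        $digits = isset($credentials['token_digits'])
            ? trim($credentials['token_digits'])
            : '';

        // Reject before touching the network when the digits are missing
        // or not purely numeric: a token code never contains other chars.
        if ($digits === '' || !ctype_digit($digits)) {
            return false;
        }

        // The RADIUS server expects "LDAP password + space + digits".
        $radiusPassword = $credentials['password'] . ' ' . $digits;

        $res = radius_auth_open();
        if (!$res ||
            !radius_add_server($res, $server, $port, $secret, 5, 3) ||
            !radius_create_request($res, RADIUS_ACCESS_REQUEST) ||
            !radius_put_attr($res, RADIUS_USER_NAME, $userId) ||
            !radius_put_attr($res, RADIUS_USER_PASSWORD, $radiusPassword)) {
            // Configuration or transport failure: fail closed.
            return false;
        }

        $result = radius_send_request($res);
        radius_close($res);

        // Only an explicit Access-Accept lets the login through; timeouts,
        // Access-Reject and Access-Challenge all fail closed.
        return $result === RADIUS_ACCESS_ACCEPT;
    }
}
```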