Details
- Type: Task
- Status: Open
- Priority: Trivial
- Resolution: Unresolved
- Fix Version/s: None
- Component/s: None
- Labels:
Description
This MDEV will implement a two-pass auth plugin,
allowing users to use HOTP or TOTP tokens (Google Authenticator, for example).
Users will grant permission and send the plugin a string that configures how OTP will work.
The string will be something like the Google URI (https://code.google.com/p/google-authenticator/wiki/KeyUriFormat):

otpauth://TYPE/?PARAMETER=value&PARAMETER=value ...

Type, parameters and values are case insensitive (convert all to lower case).

TYPE [totp|hotp]
- totp = time based otp (RFC 6238)
- hotp = counter based otp (RFC 4226)
- skey = SKEY based (same parameters as hotp) (RFC 1760)

PARAMETERS
- SECRET: base32 encoded secret (~16 bytes)
- COUNTER: integer [1 to 2^64-1], only used in HOTP, default value = 1
- PERIOD: integer [1 to 86400], only used in TOTP, default value = 30 (seconds)
- ATTEMPTS: integer [0 to 100], number of tries with different otp values (default = 3 for totp, 10 for hotp)
- ONE_ACCESS: [0|false|off|1|true|on], enable only one access with the current token
- BRUTE_FORCE_TIMEOUT: [0 to 86400], timeout to avoid brute force attacks; after a fail we will wait this number of seconds before accepting a new login, default = 5 seconds
—
example:
CREATE USER 'my_user'@'localhost' IDENTIFIED WITH otp_auth AS "otpauth://totp/?secret=BASE32_SECRET&period=30";
The plugin will receive the URI string plus the user and host values and save them in the default MariaDB directory, in a database/file/table; the format is not defined yet (maybe an ini file? or a MyISAM table?).
| USER | HOST | URI | TYPE | SECRET | CURRENT_COUNTER | PERIOD | BRUTE_FORCE_TIMEOUT | NEXT_BRUTE_FORCE | ONE_ACCESS | LAST_ONE_ACCESS | ATTEMPTS |
|---|---|---|---|---|---|---|---|---|---|---|---|
| user | host | URI | totp/hotp | base32 string | current hotp counter | totp period | brute force timeout | next allowed brute force login (unix timestamp) | one access flag | last allowed otp value | number of attempts |
—
authentication:
When the user contacts MariaDB, the plugin will ask:
"Please enter OTP token value:"
The user will send the current OTP value from the token (user_otp).
1) the plugin will search the user/domain/URI in the otpauth table;
if it doesn't exist, return "deny login"
2) if next brute force > current time, return "deny, brute force"
3)
```
for (cur_attempt = 0; cur_attempt < attempts; cur_attempt++) {
    totp: current_attempt = floor(second(unixtimestamp) / period) + (cur_attempt - floor(attempts / 2))
    hotp: current_attempt = current_counter + (cur_attempt - floor(attempts / 2))
    calculated_otp = calculate the current otp(current_attempt, secret_key)
    if user_otp = calculated_otp {
        save NEXT_BRUTE_FORCE value (current time + BRUTE_FORCE_TIMEOUT)
        if one_access = 1 {
            if last one access = current value
                return "one access only per otp"
            save last access otp value
        }
        if hotp
            save current_counter as current_attempt
        return (login accepted);   /* must check user + host + password at mysql */
    }
}
return "bad otp value"
```
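An added Python sketch of steps 2 and 3 above, written for this page and not taken from the ticket or MariaDB: the table row is held in a dict, the base32 secret is assumed unpadded, and `make_record` builds a constructed row around the RFC 4226/6238 test secret. Two points differ from the pseudocode on purpose: HOTP searches forward from the stored counter only, as RFC 4226 requires, so an already consumed counter is refused, and NEXT_BRUTE_FORCE is set after a failed match, as the BRUTE_FORCE_TIMEOUT description says.

```python
import base64
import hashlib
import hmac
import struct

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_counter(unix_time: int, period: int) -> int:
    """RFC 6238 time step, the ticket's floor(second(unixtimestamp) / period)."""
    return unix_time // period

def verify_otp(rec: dict, user_otp: str, now: int) -> str:
    """Steps 2 and 3 of the ticket; rec is the user's table row and is updated in place."""
    if rec["next_brute_force"] > now:
        return "deny, brute force"
    attempts = rec["attempts"]
    if rec["type"] == "totp":
        # window centred on the current time step, as in the ticket (never below step 0)
        base = max(0, totp_counter(now, rec["period"]) - attempts // 2)
    else:
        # HOTP: look ahead only from the stored counter (RFC 4226), so a used counter is refused
        base = rec["current_counter"]
    for cur_attempt in range(attempts):
        candidate = base + cur_attempt
        if hmac.compare_digest(hotp(rec["secret"], candidate), user_otp):
            if rec["one_access"]:
                if rec["last_one_access"] == user_otp:
                    return "one access only per otp"
                rec["last_one_access"] = user_otp
            if rec["type"] == "hotp":
                rec["current_counter"] = candidate + 1  # next counter the token will produce
            return "login accepted"
    # a failed attempt starts the BRUTE_FORCE_TIMEOUT wait before the next login is accepted
    rec["next_brute_force"] = now + rec["brute_force_timeout"]
    return "bad otp value"

# Constructed row for the RFC 4226 / RFC 6238 test secret "12345678901234567890" (base32 below).
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def make_record(otp_type: str) -> dict:
    return {"type": otp_type, "secret": RFC_SECRET_B32, "current_counter": 1, "period": 30,
            "attempts": 3, "one_access": True, "last_one_access": None,
            "brute_force_timeout": 5, "next_brute_force": 0}
```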
Issue Links
- links to: base16, base32, base64 functions (Open, Unassigned)
hmac_sha1 function from google authenticator:
https://code.google.com/p/google-authenticator/source/browse/libpam/sha1.c
https://code.google.com/p/google-authenticator/source/browse/libpam/hmac.c
https://code.google.com/p/google-authenticator/source/browse/libpam/sha1.h
https://code.google.com/p/google-authenticator/source/browse/libpam/hmac.h
easy to port (I don't know if there's a sha1 function in MariaDB, but I think that we have one function for this... must check)