This repository has been archived by the owner on Nov 25, 2020. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
85 additions
and
187 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,202 +1,100 @@ | ||
| <h1> | ||
| Authentication plugin for Pydio</h1> | ||
| <p> | ||
| Based on the auth.serial + the google authenticator reference implementation + yubikey demo php implementation. With this plugin you can authenticate users 4 different ways:</p> | ||
| <ul> | ||
| <li> | ||
| Password authentication: it works as the auth.serial</li> | ||
| <li> | ||
| Password + Google Authenticator: to the password field write the password first, then the six digits from Google Authenticator</li> | ||
| <li> | ||
| Password + YubiKey: to the password filed write your password then press yubikey</li> | ||
| <li> | ||
| Password + (YubiKey OR Google Authenticator): if both method enabled for a user, the plugin can recognize whether YubiKey or Google Authenticator is used. (it is simple, Google Authenticator uses numbers, YubiKey uses letters)</li> | ||
| </ul> | ||
| <p> | ||
| The authentication method can be set up per users, so it is possible that someone authenticate with password, other user authenticate with YubiKey, and someone else authenticate with both YubiKey and Google Authenticator.<br /> | ||
| </p> | ||
| <h2> | ||
| AjaXplorer upgrade from 4.x to 5.x</h2> | ||
| <p> | ||
| Before the upgrade you have to disable serial_otp module. In the <strong>bootstrap_plugins.php</strong> replace the authentication driver from serial_otp to serial. You should leave the USERS_FILEPATH unchanged because its format compatible with serial auth plugin. After the modification the relevant part of bootsrap_plugins.php should look similar to this:</p> | ||
| <pre> | ||
| "AUTH_DRIVER" => array( | ||
| "NAME" => "serial", | ||
| "OPTIONS" => array( | ||
| "LOGIN_REDIRECT" => false, | ||
| "USERS_FILEPATH" => "AJXP_DATA_PATH/plugins/auth.serial_otp/users.ser", | ||
| "AUTOCREATE_AJXPUSER" => false, | ||
| "TRANSMIT_CLEAR_PASS" => true, | ||
| "YUBICO_SECRET_KEY" => "xxxxxxxxxxxxxxxxxxxxxxxxxxx", | ||
| "YUBICO_CLIENT_ID" => "1111" | ||
| ) | ||
| ), | ||
| </pre> | ||
| <h1>Authfront OTP plugin for Pydio</h1> | ||
|
|
||
| <p>With authfront.otp, you can cooperate with any backend auth like ldap, mysql...</p> | ||
|
|
||
| <p>Based on the google authenticator reference implementation + yubikey demo php implementation. With this plugin you can authenticate users 4 different ways:</p> | ||
|
|
||
| <ul> | ||
| <li> | ||
| Try wheter you are able to log in with your password</li> | ||
| <li> | ||
| Upgrade AjaXplorer</li> | ||
| <li> | ||
| Try wheter you are able to log in with your password</li> | ||
| <li> | ||
| Remove <strong>bootsrap_plugins.php</strong>: you are able to configure everything in web interfrace</li> | ||
| <li> | ||
| Replace the whole plugins/auth.serial_otp directory to this new one.</li> | ||
| <li> | ||
| Follow the Configuration instructions</li> | ||
| <li>Password authentication: it works as the auth.serial</li> | ||
| <li>Password + Google Authenticator: to the password field write the password first, then the six digits from Google Authenticator</li> | ||
| <li>Password + YubiKey: to the password filed write your password then press yubikey</li> | ||
| <li>Password + (YubiKey OR Google Authenticator): if both method enabled for a user, the plugin can recognize whether YubiKey or Google Authenticator is used. (it is simple, Google Authenticator uses numbers, YubiKey uses letters)</li> | ||
| </ul> | ||
| <p> | ||
| <strong>IMPORTANT:</strong> Users yubikey / Google Authenticator informations are <strong>NOT</strong> migrated during upgrade. You have to set up them again.</p> | ||
| <p> | ||
| <style type="text/css"> | ||
| P { margin-bottom: 0.21cm; } </style> | ||
| (Theoretically possible to migrate the yubikey / GA informations too. But I have less than 10 users and migrating them by hand was much less effort than writing a migration code)</p> | ||
| <p> | ||
| </p> | ||
| <h2> | ||
| Installation</h2> | ||
| <p> | ||
| You need to install php-yubico from <a href="http://code.google.com/p/php-yubico/">http://code.google.com/p/php-yubico/</a><br /> | ||
| </p> | ||
| <pre> | ||
| wget http://php-yubico.googlecode.com/files/Auth_Yubico-2.4.tgz | ||
|
|
||
| <p>The authentication method can be set up per users, so it is possible that someone authenticate with password, other user authenticate with YubiKey, and someone else authenticate with both YubiKey and Google Authenticator.<br /> | ||
| </p> | ||
|
|
||
| <h2>Installation yubico package</h2> | ||
|
|
||
| <p>You need to install php-yubico from <a href="http://code.google.com/p/php-yubico/">http://code.google.com/p/php-yubico/</a></p> | ||
|
|
||
| <pre> | ||
| wget http://php-yubico.googlecode.com/files/Auth_Yubico-2.4.tgz | ||
| pear install Auth_Yubico-2.4.tgz | ||
| </pre> | ||
| <p> | ||
| <br /> | ||
| Do not forget to install or enable php-curl for Auth_Yubico.</p> | ||
| <ul> | ||
| <li> | ||
| Copy the auth.serial_otp modul to the plugin directory</li> | ||
| <li> | ||
| Clear the cache</li> | ||
| </ul> | ||
| <h2> | ||
| Configuration</h2> | ||
|
|
||
| <p><br /> | ||
| Do not forget to install or enable php-curl for Auth_Yubico.</p> | ||
|
|
||
| <ul> | ||
| <li> | ||
| Backup your current AjaXplorer instance just for sure</li> | ||
| <li> | ||
| Enable the Serial One-Time-Password (auth.serial_otp) modul in <em>Global configurations >> Core Plugins >> Auth</em></li> | ||
| <li> | ||
| In the <em>Global configurations >> Core Configs >> Authentication >> Main instance section</em> | ||
| <ul> | ||
| <li> | ||
| <p> | ||
| Instance Type: <strong>Serial One-time-password</strong></p> | ||
| </li> | ||
| <li> | ||
| <p> | ||
| Users: <strong>AJXP_DATA_PATH/plugins/auth.serial_otp/users.ser</strong></p> | ||
| </li> | ||
| <li> | ||
| <p> | ||
| Yubico Secret Key: your Yubico Secret Key generated at <a href="http://api.yubico.com/get-api-key/">http://api.yubico.com/get-api-key/</a> or blank when you don't plan to use YubiKey</p> | ||
| </li> | ||
| <li> | ||
| <p> | ||
| Yubico Client Id: your Yubico Client Id generated at <a href="http://api.yubico.com/get-api-key/">http://api.yubico.com/get-api-key/</a> or blank when you don't plan to use YubiKey</p> | ||
| </li> | ||
| <li> | ||
| <p> | ||
| Google Authenticator, Google Authenticator Last, YubiKey 1, YubiKey 2: leave them blank.</p> | ||
| </li> | ||
| <li> | ||
| <p> | ||
| Transmit Clear Pass: <strong>Yes</strong></p> | ||
| </li> | ||
| </ul> | ||
| </li> | ||
| <li> | ||
| <p> | ||
| <strong>Just for new auth.serial_otp users:</strong> copy all files and directories from data/auth.serial to data/auth.serial_otp</p> | ||
| </li> | ||
| <li> | ||
| <p> | ||
| Try it: logout and login again with your password</p> | ||
| </li> | ||
| <li>Copy the auth.serial_otp modul to the plugin directory</li> | ||
| <li>Clear the cache</li> | ||
| </ul> | ||
| <p> | ||
| </p> | ||
| <h3> | ||
| Google authenticator</h3> | ||
| <p> | ||
| Add the "Google Authenticator" and "Google Authenticator Last" fields to users. You can do it one by one, or you can add a group of users by adding it to a role. Adding it to all users use the Root Role:</p> | ||
| <p> | ||
| <em>Workspaces & Users >> Roles >> Root Role >> Parameters tab</em></p> | ||
|
|
||
| <h2>Configuration</h2> | ||
|
|
||
| <ul> | ||
| <li> | ||
| Plugin Identifier: <strong>auth.serial_otp</strong></li> | ||
| <li> | ||
| Parameter name: <strong>google (Google Authenticator)</strong></li> | ||
| <li> | ||
| Repository Scope: <strong>All Workspaces</strong></li> | ||
| <li> | ||
| Add parameter</li> | ||
| <li>Backup your Pydio instance just for sure</li> | ||
| <li>Enable the Authfront One-Time-Password (authfront.otp) modul in <em>Global configurations >> Extensions importantes >> AuthFront >> Authentication One-Time-Password</em> | ||
| <ul> | ||
| <li> | ||
| <p>Enabled: <strong>Yes</strong></p> | ||
| </li> | ||
| <li> | ||
| <p>Order:<strong>default is 13 (</strong>don't change it<strong>)</strong></p> | ||
| </li> | ||
| <li> | ||
| <p>Protocol type: Sessions only</p> | ||
| </li> | ||
| <li> | ||
| <p>Yubico secret KEY</p> | ||
| </li> | ||
| <li> | ||
| <p>Yubico Client Id: your Yubico Client Id generated at <a href="http://api.yubico.com/get-api-key/">http://api.yubico.com/get-api-key/</a> or blank when you don't plan to use YubiKey</p> | ||
| </li> | ||
| <li> | ||
| <p>Modify login page: <strong>Yes (</strong>There is a line added into login page "* OTP enabled"<strong>)</strong></p> | ||
| </li> | ||
| </ul> | ||
| </li> | ||
| </ul> | ||
|
|
||
| <h2>Per user configuration</h2> | ||
|
|
||
| <h3>Google authenticator</h3> | ||
|
|
||
| <p>in Users & Groups, select user to configuration</p> | ||
|
|
||
| <p>In the tab bar: Account info ||| ACL ||| Actions ||| Parameters => select Parameters</p> | ||
|
|
||
| <ul> | ||
| <li> | ||
| Plugin Identifier: <strong>auth.serial_otp</strong></li> | ||
| <li> | ||
| Parameter name: <strong>google_last (Google Authenticator Last)</strong></li> | ||
| <li> | ||
| Repository Scope: <strong>All Workspaces</strong></li> | ||
| <li> | ||
| Add parameter</li> | ||
| <li>plugin identifier: authfront.otp</li> | ||
| <li>parameter name: google (Google Authenticator)</li> | ||
| <li>repository scope: All</li> | ||
| </ul> | ||
| <p> | ||
| Leave both parameter blank in All Workspaces tab.</p> | ||
| <p> | ||
| Hint: Adding this parameters to all users does not means all users have to use GA. Leave this parameters blank in per user configuration and user can log in with his/her password or password + yubikey if the yubikey if it is enabled.</p> | ||
| <p> | ||
| </p> | ||
| <h3> | ||
| YubiKey</h3> | ||
| <p> | ||
| Add the "YubiKey 1" and "YubiKey 2" fields to users. You can do it one by one, or you can add a group of users by adding it to a role. Adding it to all users use the Root Role:</p> | ||
| <p> | ||
| <em>Workspaces & Users >> Roles >> Root Role >> Parameters tab</em></p> | ||
|
|
||
| <p>then click Add parameter</p> | ||
|
|
||
| <ul> | ||
| <li> | ||
| Plugin Identifier: <strong>auth.serial_otp</strong></li> | ||
| <li> | ||
| Parameter name: <strong>yubikey1 (YubiKey 1)</strong></li> | ||
| <li> | ||
| Repository Scope: <strong>All Workspaces</strong></li> | ||
| <li> | ||
| Add parameter</li> | ||
| <li>plugin identifier: authfront.otp (ex: AAAABBBBCCCCDDDD)</li> | ||
| <li>parameter name: google_last</li> | ||
| <li>repository scope: All</li> | ||
| </ul> | ||
|
|
||
| <p>then click Add parameter</p> | ||
|
|
||
| <p>In the same window, session "All workspaces"</p> | ||
|
|
||
| <ul> | ||
| <li> | ||
| Plugin Identifier: <strong>auth.serial_otp</strong></li> | ||
| <li> | ||
| Parameter name: <strong>yubikey2 (YubiKey 2)</strong></li> | ||
| <li> | ||
| Repository Scope: <strong>All Workspaces</strong></li> | ||
| <li> | ||
| Add parameter</li> | ||
| <li>open authfront.otp</li> | ||
| <li>input the google secret</li> | ||
| <li>Don't touch the "Google Authenticator Last" field, it is updating automatically. It is used internally for the defense against replay attack.</li> | ||
| </ul> | ||
| <p> | ||
| Leave both parameter blank in All Workspaces tab.</p> | ||
| <p> | ||
| Hint: Adding this parameters to all users does not means all users have to use yubikey. Leave this parameters blank in per user configuration and user can log in with his/her password or password + GA if the GA enabled.</p> | ||
| <p> | ||
| </p> | ||
| <h2> | ||
| Per user configuration</h2> | ||
| <p> | ||
| You can set up per user configuration at <em>Workspaces & Users >> Users & Groups >> <user> >> Parameters tab >> All Workspaces tab</em></p> | ||
| <h3> | ||
| Google Authenticator</h3> | ||
| <p> | ||
| Fill the Google Authenticator field with the Google Authenticator secret. It is a 16 charater long string, like P47IZDN4ZIXWLCCN</p> | ||
| <p> | ||
| <strong>!! DO NOT USE THE SAME SECRET AS YOUR GOOGLE ACCOUNT !!</strong><br /> | ||
| <br /> | ||
| Don't touch the "Google Authenticator Last" field, it is updating automatically. It is used internally for the defense against replay attack.</p> | ||
| <h3> | ||
| YubiKey</h3> | ||
| <p> | ||
| Use your in the YubiKey 1 or the YubiKey 2 field. Maximum two YubiKeys can be assigned to one user.</p> | ||
|
|
||
| <p>then click save</p> | ||
|
|
||
| <p><strong>!!! DO NOT USE THE SAME SECRET AS YOUR GOOGLE ACCOUNT !!</strong></p> | ||
|
|
||
| <h3>Do the same to add YubiKey parameters</h3> | ||
|
|
||
| <p>Use your in the YubiKey 1 or the YubiKey 2 field. Maximum two YubiKeys can be assigned to one user.</p> |