PHP Classes

File: raspberry/how-to-build-a-raspberry-strong-authentication-server.txt

Recommend this page to a friend!
  Classes of André Liechti   multiOTP PHP class   raspberry/how-to-build-a-raspberry-strong-authentication-server.txt   Download  
File: raspberry/how-to-build-a-raspberry-strong-authentication-server.txt
Role: Documentation
Content type: text/plain
Description: Documentation
Class: multiOTP PHP class
Authenticate and manage OTP strong user tokens
Author: By
Last change: New release 5.9.7.1
FIX: Command line number of parameters detection corrected
ENH: It's now possible to define the number of digits for new created PIN
(multiotp -config default-pin-digits=n)
ENH: It's now possible to generate the HTML provisioning file by command line
(multiotp -htmlinfo username /full/path/to/username.html or
multiotp -htmlinfo /full/path/to/folder/ to generate files for all users)
ENH: Embedded Windows nginx edition updated to version 1.25.3
ENH: Embedded Windows internal tools updated (wget 1.21.4 and fart 1.99d)
ENH: Embedded Windows freeradius is now launched using NSSM (instead of SRVANY)
New release 5.9.7.0
FIX: Better Windows nginx configuration support (path backslashes replaced by slashes)
ENH: Embedded Windows nginx edition updated to version 1.24.0
ENH: Embedded Windows PHP edition updated to version 8.2.13
ENH: Better hardware/model detection
ENH: Documentation enhanced with instructions for RDWeb on Windows
ENH: Upgrade of some internal tools
ENH: Better internal configuration organization
New release 5.9.6.7
ENH: Documentation updated for "Configuring multiOTP with FreeRADIUS 3.x under Linux"
ENH: Without2FA tokens cannot be used for multi_account connection
ENH: Added documentation for SSH login with multiOTP
New release 5.9.6.5
FIX: Better Raspberry Pi support
FIX: ShowLog() method (used by -showlog option) was buggy
New release 5.9.6.1
FIX: Automated concurrent access for the same user with "Without2FA" token could corrupt the user file
FIX: Any files backend operation is now secured with explicit lock mechanism
ENH: Template updated to print bigger QRcode for "MOTP-XML" tokens
New release 5.9.5.7
FIX: Weekly anonymized stats date was not always updated
FIX: Adding -tokenslist command in CLI mode (mas missing)
FIX: Remove a debug line displaying sometimes "COMMDN:$command\n";
FIX: Some minor PHP notice corrections
ENH: Adding on-premises smsgateway (https://github.com/multiOTP/SMSGateway) as a new SMS provider
ENH: Better warning messages when CheckUserLdapPassword failed
ENH: Embedded documentation enhanced
ENH: Template updated to display correct information for WITHOUT2FA tokens
Date: 1 month ago
Size: 3,526 bytes
 

Contents

Class file image Download 
How to build a Raspberry Pi RADIUS strong two factors authentication server in some easy steps ?
================================================================================================

(c) 2010-2023 SysCo systemes de communication sa
https://www.multiotp.net/

Current build: 5.9.7.1 (2023-12-03)

Supported Raspberry Pi hardware: 1B/1B+/2B/3B/3B+/4B

0) If you want to download a multiOTP Raspberry Pi image ready to use, follow this URL:
   https://download.multiotp.net/raspberry/
   
   Nano-computer name: multiotp
   IP address: 192.168.1.44 (netmask: 255.255.255.0, default gateway: 192.168.1.1)
   Username: pi
   Password: raspberry
   
   You can now flash the SD Card (check point 3) and 4) if needed), put the SD Card
   into the Raspberry Pi and boot it. You can go directly to point 15)
   
1) If you want to use a battery backed up Real Time Clock, install it now in your
   Raspberry Pi, the drivers for these models are included in the package:
     https://afterthoughtsoftware.com/products/rasclock
     http://www.cjemicros.co.uk/micros/products/rpirtc.shtml
     https://www.robotshop.com/ca/en/elecrow-ds3231-high-precision-rtc-clock-module-raspberry-pi-b.html
     https://learningdevelopments.co.nz/products/rtc-clock-module-for-raspberry-pi
   
2) Download the last image of Raspbian Lite to be flashed
   https://downloads.raspberrypi.org/raspios_lite_armhf_latest (currently 2021-03-04-raspios-buster-armhf-lite.zip)

3) Format your SD Card using the SD Card Association’s formatting tool
   https://www.sdcard.org/downloads/formatter/

4) Flash the raw image using the universal Windows/macOS/Linux Etcher from Balena: https://www.balena.io/etcher/
   or Win32DiskImager for Windows: https://sourceforge.net/projects/win32diskimager/files/latest/download
   or the dd UNIX tool
   This should take about 10 minutes.

5) Copy all files from multiotp/raspberry/boot-part to the root of the SD Card
   (it could overwrite some files like config.txt, were we have already enabled the I2C)

6) When copy is done, eject the SD Card

7) Connect the Raspberry Pi to the local network

8) Put the SD card into the Raspberry Pi and boot it

9) Login directly on your Raspberry Pi, or using SSH, with the default username "pi" and the password "raspberry"

10) Launch the initial configuration by typing sudo raspi-config

11) Choose the following options
    1) Change User Password
    2) Network options
       N1) N1 Hostname (change the hostname to your favorite name, for example "multiotp")
    4) Localization Options (if needed)
    7) Advanced Options
       A1) Expand Filesystem

12) Select Finish and answer "<Yes>" to reboot, or type "sudo reboot"

13) Login again directly (after about 30 seconds) on your Raspberry Pi, or using SSH, with the default username "pi" and your new password

14) Type "sudo /boot/install.sh"
    Everything is done automatically (it will take about 35 minutes) and the Raspberry Pi will reboot automatically at the end

15) The fixed IP address is set to 192.168.1.44, with a default gateway at 192.168.1.1
    To adapt the network configuration, edit the file /etc/network/interfaces

16) Congratulations! You have now an open source and fully OATH compliant
    strong two factors authentication server!
    Surf on http(s)://192.168.1.44 to use the basic interface (admin / 1234)

17) The default radius secret is set to myfirstpass for the subnet 192.168.0.0/16.
    To adapt the freeradius configuration, edit the file /etc/freeradius/clients.conf.