
Use the PHP agent with the FEITIAN OTP Authentication System (FOAS)

Summary

Password authentication is becoming unworkable. Systems demand long, complex passwords that people end up writing down because nobody can remember them.

A good solution is one-time password (OTP) tokens. A token produces a short-lived login code derived from a secret that only the token and the server hold, so a user only needs to carry the token and remember a simple PIN that protects the token against someone stealing it.

This article describes how to test the Feitian FOAS server with OATH one-time password tokens such as the C100 and C200. The server comes in a demo version with 10 free tokens, and a token costs on average between $10 and $20: reasonably priced and suitable for a company of any size. The tokens fully support the OATH (Initiative for Open Authentication) standards.

(Photo: Feitian OATH C200 token)

Installing the FOAS server is not covered in this article; it is well described in the documentation that ships with the server.

The SDK for PHP is available through your Feitian supplier.

Special thanks to http://www.usbtoken.ro and Kejia from Feitian for helping me get the 64-bit agent to work with the FOAS server.

 

Installation on Debian 64-bit

The PHP agent for Debian, otpphpagent-sdk-3.0.1.20120221-debain6.0-x86-64bit.tar.gz, contains three files:

  • libotpagent.so.3.0.1
  • libphp_otpagent.so.3.0.1 
  • FT_FOASStandard_OTPAgent_PHP_Developer_Guide.pdf

The developer guide describes the installation for Windows, Linux, FreeBSD and Solaris. This article focuses on installing it on Debian stable 6.x for x86-64.

First we need to create an agent configuration file on the FOAS server. This file contains the shared secret between the agent and the server, plus the connection details for both ends. Generate the file in the FOAS web interface and save it as otpagent.acf.

Copy this file to the web server that will run the PHP agent and place it at /usr/lib/apache2/modules/otpagent.acf. Because the file holds the shared secret, make it readable only by root and the Apache user (for example owner root, group www-data, mode 0640): any local account that can read it can talk to the FOAS server as this agent.

Now test whether this file works, using the agenttest tool that comes with the FOAS server:

agenttest -m 0 -u <username> -o <token number> -p<your pin> -f /usr/lib/apache2/modules/otpagent.acf  

If the acf file is correct and you supply the correct username, PIN and token response, agenttest should answer:

Authenticate ok 

Anything else means you missed something, or you're working through NAT, which I couldn't get to work with my version.

The otpagent.acf file is also used by the OTPApacheFilter module that ships with the FOAS server. That module adds an authentication, authorization and access control module to Apache which checks token users against the FOAS server.

With the acf file in place, let's configure PHP to load the module.

Create a new file otpagent.ini in PHP's configuration directory (on Debian):

vi /etc/php5/conf.d/otpagent.ini

Inside the file add the line that loads the extension (the original shows this file as a screenshot; the file name follows from the loader warning quoted further down, which shows PHP trying to load libphp_otpagent.so from the extension directory):

extension=libphp_otpagent.so

And save the file.

Now copy the lib file to the extension_dir, the default Debian location is:

cp libphp_otpagent.so.3.0.1 /usr/lib/php5/20090626/

Please note that the API-version directory (20090626 here) can differ on your installation; just check that it contains modules such as mysql.so or pdo.so.

Now create the version symlinks inside the extension directory:

cd /usr/lib/php5/20090626/
ln -s libphp_otpagent.so.3.0.1 libphp_otpagent.so.3
ln -s libphp_otpagent.so.3.0.1 libphp_otpagent.so

Now check whether libotpagent.so.3.0.1 is already in the standard Debian library directory. If you ran agenttest earlier, chances are this library is already there. If you do have to copy it, run ldconfig afterwards to refresh the dynamic loader cache.

If not, copy it to /usr/lib/

cp libotpagent.so.3.0.1 /usr/lib/
cd /usr/lib/
ln -s libotpagent.so.3.0.1 libotpagent.so.3
ln -s libotpagent.so.3.0.1 libotpagent.so
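The steps above (copy the two libraries, create the version symlinks, add the ini line) condensed into one script, as an added example that is not part of the original article and not Feitian's code. It is parameterised so the directories can be anything (the defaults at the bottom are the Debian 6 paths used in this article), and it adds two checks the article does not script: it reads the ELF class of each library before copying, which catches the 32-bit-agent problem described further down, and it verifies the permissions on otpagent.acf, which holds the agent's shared secret. Assumptions: the file names are the ones listed for the SDK tarball above; the ini line extension=libphp_otpagent.so is inferred from the loader warning quoted later in the article (the original shows the ini file only as a screenshot); and the extension name PHP_OTPAgent is taken from the php --rf output shown below.

```shell
#!/bin/sh
# Added example: not from the original article and not Feitian's code.
# Installs the FOAS PHP agent libraries the way the article describes, with
# an ELF-class check and an acf permission check added. Assumed (not on the
# page): the "extension=" line content and the PHP_OTPAgent extension name.
set -eu

# elf_class FILE: print 32 or 64 for an ELF object, fail for anything else.
# An ELF header starts with the bytes 0x7f 'E' 'L' 'F' (127 69 76 70 in
# decimal); byte 4, EI_CLASS, is 1 for ELFCLASS32 and 2 for ELFCLASS64.
elf_class() {
    f=$1
    set -- $(od -An -tu1 -N4 "$f")          # word-split the four bytes
    if [ "$#" -ne 4 ] || [ "$1" != 127 ] || [ "$2" != 69 ] \
        || [ "$3" != 76 ] || [ "$4" != 70 ]; then
        echo "$f: not an ELF file" >&2
        return 1
    fi
    case $(od -An -tu1 -j4 -N1 "$f" | tr -d ' ') in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo "$f: unknown ELF class" >&2; return 1 ;;
    esac
}

# install_otp_agent SDKDIR EXTDIR LIBDIR INIFILE
#   SDKDIR  directory with the unpacked agent tarball
#   EXTDIR  PHP extension_dir (the article's is /usr/lib/php5/20090626)
#   LIBDIR  system library directory (/usr/lib)
#   INIFILE php5 conf.d file to create (/etc/php5/conf.d/otpagent.ini)
install_otp_agent() {
    sdk=$1; extdir=$2; libdir=$3; inifile=$4

    # Refuse up front what PHP would otherwise reject at startup with
    # "wrong ELF class: ELFCLASS32" (this script assumes a 64-bit PHP).
    for lib in libotpagent.so.3.0.1 libphp_otpagent.so.3.0.1; do
        cls=$(elf_class "$sdk/$lib") || return 1
        if [ "$cls" != 64 ]; then
            echo "$lib is a ${cls}-bit build; ask the supplier for the 64-bit agent" >&2
            return 1
        fi
    done

    # Runtime library: copy, then create the soname and linker-name links.
    cp "$sdk/libotpagent.so.3.0.1" "$libdir/"
    chmod 0644 "$libdir/libotpagent.so.3.0.1"
    ln -sf libotpagent.so.3.0.1 "$libdir/libotpagent.so.3"
    ln -sf libotpagent.so.3.0.1 "$libdir/libotpagent.so"

    # PHP extension: same layout inside extension_dir.
    cp "$sdk/libphp_otpagent.so.3.0.1" "$extdir/"
    chmod 0644 "$extdir/libphp_otpagent.so.3.0.1"
    ln -sf libphp_otpagent.so.3.0.1 "$extdir/libphp_otpagent.so.3"
    ln -sf libphp_otpagent.so.3.0.1 "$extdir/libphp_otpagent.so"

    # Tell PHP to load it (line inferred from the loader warning in the article).
    printf 'extension=libphp_otpagent.so\n' > "$inifile"
}

# acf_check FILE: the acf holds the agent/server shared secret, so it must be
# readable by us (the web server user at run time) and by nobody else.
# Columns 8-10 of "ls -l" are the "other" permission bits on GNU and BSD ls.
acf_check() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "$f: missing or unreadable" >&2
        return 1
    fi
    case $(ls -l "$f" | cut -c8-10) in
        ---) return 0 ;;
        *)  echo "$f is readable by other users; run: chmod 0640 $f" >&2
            return 1 ;;
    esac
}

# php_agent_loaded: ask the CLI PHP whether the extension is registered.
# The name PHP_OTPAgent is assumed to match what "php --rf" reports.
php_agent_loaded() {
    php -r 'exit(extension_loaded("PHP_OTPAgent") ? 0 : 1);'
}

# Usage (as root, Debian 6 paths from the article):
#   sh install_otp_agent.sh /path/to/unpacked-sdk
if [ "${1:-}" ]; then
    install_otp_agent "$1" /usr/lib/php5/20090626 /usr/lib /etc/php5/conf.d/otpagent.ini
    acf_check /usr/lib/apache2/modules/otpagent.acf
    if php_agent_loaded; then
        echo "PHP_OTPAgent is loaded in the CLI PHP"
    else
        echo "PHP_OTPAgent is not loaded; check the ini file and extension_dir" >&2
        exit 1
    fi
fi
```

With no argument the script only defines the functions, so it can be sourced to run acf_check or elf_class on their own. ldconfig is not strictly needed because /usr/lib is on the loader's default search path, but running it afterwards keeps the cache current.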

 

Now give PHP a first test run by typing php on the command line:

# php
If it prints the following warning:
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626/libphp_otpagent.so' - /usr/lib/php5/20090626/libphp_otpagent.so: wrong ELF class: ELFCLASS32 in Unknown on line 0

it means you are trying to load a 32-bit OTP PHP library into a 64-bit PHP. Ask your supplier for the 64-bit version (like I did 🙂).

Now have a more detailed look:
# php --info | grep OTP

Your output should list the OTP agent module:

(Screenshot of the php --info output showing the PHP_OTPAgent module, not reproduced.)

And a test on the command line whether PHP knows the new functions:

# php --rf oa_init
Function [ <internal:PHP_OTPAgent> function oa_init ] {}

# php --rf otp_agent_set_config
Function [ <internal:PHP_OTPAgent> function otp_agent_set_config ] {}

# php --rf otp_agent_auth
Function [ <internal:PHP_OTPAgent> function otp_agent_auth ] {}

Now let's test whether the PHP running under Apache knows the new functions too.

Before you proceed, RESTART Apache! Otherwise the already running PHP, which does not have the OTP module loaded, stays active.

Create a mini php script and put it on your apache web server:

# cat info.php 

<?php 
phpinfo();
?>

Point your browser at http://<your server>/info.php and look for the OTP agent entry, which should match the php --info output above:

(Screenshot of the phpinfo() page showing the PHP_OTPAgent module, not reproduced.)

Great, the install is finished and working! Now get on with some serious PHP coding and test the module. The manual included with the PHP agent comes with plenty of examples.