24.6 NMAS HOTP Based Login

24.6.1 Overview

HOTP is an HMAC-based one-time password (OTP) algorithm. An OTP is a password that is valid for only one login session or transaction. An OTP offers better protection than a traditional (static) password because an attacker who records an OTP that has already been used to log in to a service or to complete a transaction cannot reuse it: the value has been consumed and is no longer valid.

Every OTP-based authentication requires an OTP server and an OTP client (hardware or software). The implementation of OTP-based authentication in NMAS follows the RFC 4226 standard. The NDS password, which was previously presented to the server on its own, is now presented with the HOTP value appended to it in a single password string, so the existing client components and their user interfaces are retained while password-based authentication is strengthened. Authentication to the eDirectory server with HOTP is performed through LDAP-based or NCP-based login, as described below.

LDAP-Based Login

Prerequisites

NOTE: This is set by default with eDirectory 9.0 or later.

Login Method

An HOTP-enabled user can perform an LDAP bind by concatenating the NDS password with the HOTP value: the NDS password comes first and the HOTP value is appended directly to it, with no separator.

For example, with the NDS password secret and the 8-digit HOTP value 40338314:

ldapsearch -D cn=user1,o=novell -w secret40338314 -h 164.99.91.165 -p 389 -b "o=novell" -s sub -LLL dn

Note that a password given with -w is visible in the shell history and process list, and over plain LDAP on port 389 the whole string crosses the network in clear text unless the session is protected with TLS. The HOTP part is single-use, but the NDS password part is not.

NCP-Based Login

An HOTP-enabled user can perform an NCP login in the same way, by concatenating the NDS password with the HOTP value, using any of the following utilities:

  • ndslogin

    For example,

    ndslogin user1.org -h org.com -p secret40338314
  • iManager

  • iMonitor

NOTE: iManager plug-ins that perform LDAP authentication fail when used by HOTP-enabled users.

24.6.2 Installation

Server Installation

The HOTP server module is part of the NMAS server component. It validates the OTP presented by the client.

The following attributes are available on the NMAS HOTP server:

  • sasOTPCounter (per user attribute)

  • sasOTPEnabled (per user/immediate parent container/partition root/Login Policy object)

  • sasOTPDigits (per user/immediate parent container/partition root/Login Policy object)

  • sasOTPLookAheadWindow (tree wide, set at the Login Policy object)

  • sasOTPResync (per user attribute)

Obtaining and Using nmashotpconf Utility

The nmashotpconf utility is a configuration utility that configures the OTP attributes on the eDirectory server.

NOTE: The HOTP utility is available only for the Linux 64-bit platforms.

To execute the nmashotpconf utility, perform the following steps:

  1. Obtain the nmashotpconf utility and unzip it, noting the directory into which you unzipped it.

    NOTE: The nmashotpconf utility is bundled with NMAS. To download it, see https://sld.microfocus.com.

    The unzipped file contains the linux and linux_x64 directories for 32-bit and 64-bit Linux machines.

    Each of these directories contains the nmashotpconf executable and the libnmasext.so library it needs.

  2. On a 32-bit Linux machine, go to the linux/final directory; on a 64-bit Linux machine, go to the linux_x64/final directory.

  3. Download the trusted root certificate of the eDirectory server and store it locally. The utility connects to the server over LDAPS and uses this certificate (-e and -t) to validate the server.

    For more information, see Exporting a Trusted Root or Public Key Certificate.

    Usage:

     nmashotpconf -h <host_name> [-p <ssl_port>] -D <login_dn> [-w <password>]
       -e <trusted_cert> -t <cert_type> [-r <resync_window>] [-y <user_resync_window>]
       [-u <hotp_dn> [-o <hotp_options>] [-d <digits>] [-c <counter>]
       [-s <secret> -f <secret_format>]]

    Option              Description

    host_name           The LDAP server name or IP address of the eDirectory server.

    ssl_port            The SSL (LDAPS) port on the LDAP server. The default value is 636.

    login_dn            The DN of the user that the utility binds as (an administrative user).

    password            The password of login_dn.

    trusted_cert        The trusted root certificate file of the server.

    cert_type           The encoding of the trusted root certificate file: DER for a DER-encoded file, B64 for a base64-encoded file.

    resync_window       The tree-wide counter re-synchronization look-ahead window, stored at the Login Policy object.

    NOTE: This setting applies to all users in the tree.

    user_resync_window  The user-specific counter re-synchronization look-ahead window, set on the user given by hotp_dn.

    hotp_dn             The target DN on which the HOTP attributes are configured. To enable or disable HOTP at the tree level, or to configure digits at the tree level, specify cn=Login Policy,cn=Security as the DN.

    hotp_options        Enables or disables HOTP on hotp_dn. Specify ENABLE to enable HOTP and DISABLE to disable it.

    digits              The number of digits in the HOTP value, set on hotp_dn. The valid range is 6 to 9.

    counter             The HOTP counter value, set on hotp_dn. The valid range is 0 to 2147483647.

    secret              The OATH HOTP shared secret, set on hotp_dn. For example, the raw bytes of the secret in hexadecimal are 3132333435363738393031323334353637383930, and the corresponding ASCII/Extended ASCII string is 12345678901234567890.

    NOTE: This example secret is the well-known test key from RFC 4226 Appendix D. Use it only for testing; provision production users with a fresh, randomly generated secret, and bear in mind that a secret passed as a command-line argument is visible in the shell history and process list.

    secret_format       The format of the OATH HOTP secret:

    • STRING: an ASCII/Extended ASCII string, for example 12345678901234567890.

    • RAW: raw byte values in hexadecimal, for example 3132333435363738393031323334353637383930, where 31 is the hexadecimal value of the first character, 32 is the value of the second character, and so on.

24.6.3 Resynchronization of the Counter

The server counter is incremented only after a successful HOTP authentication, whereas the client counter is incremented every time the user requests a new HOTP (for example, every time a hardware token's button is pressed). The two counters can therefore drift out of synchronization.

To address this, a tree-wide look-ahead (resynchronization) window setting should be in place. If the received HOTP does not correspond to the server counter value, the server recalculates the next few HOTP values within the resynchronization window and checks each of them against the received HOTP. If one matches, authentication succeeds and the server counter is set to the counter value that follows the matched HOTP, so that the matched value and all earlier ones can no longer be used.

The tree-wide resynchronization window should be as small as possible: every additional counter value in the window is one more HOTP that an attacker guessing values can hit, so a large window enlarges the space of acceptable answers. If the mismatch between the client and server counters is beyond the tree-wide resynchronization window, resynchronization can be achieved by temporarily setting a user-specific resynchronization window to a large value, attempting an HOTP-based authentication, and then reducing the user-specific window again.

The nmashotpconf utility should be used for configuring HOTP-based authentication. For more information, read the Configuration section.
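The following Python script is an added example, not code from the eDirectory documentation or from NMAS itself. It implements HOTP as RFC 4226 specifies it (HMAC-SHA-1 over the counter, dynamic truncation, 6 to 9 digits) and uses the same test key that the examples on this page use (12345678901234567890 in STRING form, 3132333435363738393031323334353637383930 in RAW form) together with the NDS password secret from the ldapsearch example, so it reproduces the bind string secret40338314 at counter 4. The HotpServer class is an assumed model of the server-side check described above (the stored counter, the look-ahead window, the jump of the counter past the matched value), not the NMAS module's actual code; the window sizes 5 and 50 and the drift scenario in walkthrough() are constructed for illustration.

```python
"""HOTP (RFC 4226) as used by NMAS: client-side code generation, the
password+HOTP bind string, and a simulated server check with a look-ahead
(resynchronization) window.  Added example; not NMAS code."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits (6..9 digits)."""
    if not 6 <= digits <= 9:
        raise ValueError("digits must be between 6 and 9")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def secret_from(fmt: str, value: str) -> bytes:
    """Decode a shared secret given in nmashotpconf's STRING (ASCII/Extended
    ASCII) or RAW (hex byte string) format; both spell the same key bytes."""
    if fmt == "STRING":
        return value.encode("latin-1")
    if fmt == "RAW":
        return bytes.fromhex(value)
    raise ValueError("secret_format must be STRING or RAW")


def new_secret_raw(nbytes: int = 20) -> str:
    """A fresh random secret in RAW format for provisioning (-s <hex> -f RAW).
    RFC 4226 recommends a 160-bit (20-byte) key."""
    return secrets.token_bytes(nbytes).hex()


def bind_password(nds_password: str, secret: bytes, counter: int, digits: int = 6) -> str:
    """What the client passes as ldapsearch -w / ndslogin -p: the NDS
    password immediately followed by the HOTP value, no separator."""
    return nds_password + hotp(secret, counter, digits)


class HotpServer:
    """Simulation (assumed model, not the NMAS module) of the per-user server
    state: sasOTPCounter, sasOTPDigits and the look-ahead window.  The static
    password is checked here as a plain string comparison."""

    def __init__(self, nds_password: str, secret: bytes, digits: int = 6,
                 counter: int = 0, lookahead: int = 0) -> None:
        self.nds_password = nds_password
        self.secret = secret
        self.digits = digits
        self.counter = counter      # next counter value the server expects
        self.lookahead = lookahead  # resync window (0 = exact counter match only)

    def verify(self, presented: str) -> bool:
        """Split the presented string into password + HOTP, then try the
        expected counter and up to `lookahead` values beyond it.  On a match
        the server counter jumps past the matched value, so that HOTP and
        every earlier one are dead (no replay)."""
        if len(presented) <= self.digits:
            return False
        password, otp = presented[:-self.digits], presented[-self.digits:]
        if not hmac.compare_digest(password.encode(), self.nds_password.encode()):
            return False
        for c in range(self.counter, self.counter + self.lookahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), otp):
                self.counter = c + 1
                return True
        return False


def walkthrough() -> dict:
    """Constructed scenario using the page's own values: RFC 4226 test key,
    NDS password 'secret', 8 digits, tree-wide look-ahead window 5."""
    secret = secret_from("RAW", "3132333435363738393031323334353637383930")
    server = HotpServer("secret", secret, digits=8, counter=0, lookahead=5)
    r = {}
    r["first_login"] = server.verify(bind_password("secret", secret, 0, 8))  # in sync
    r["replay"] = server.verify(bind_password("secret", secret, 0, 8))       # same OTP again
    # Token pressed three extra times: client at 4, server expects 1 -> drift 3 <= window 5
    r["drift_in_window"] = server.verify(bind_password("secret", secret, 4, 8))
    r["counter_after_drift"] = server.counter
    # Drift of 15 exceeds the tree-wide window ...
    r["drift_beyond_window"] = server.verify(bind_password("secret", secret, 20, 8))
    # ... so the admin temporarily raises the user-specific window (-y 50),
    # the user logs in once, and the admin restores the small window.
    server.lookahead = 50
    r["after_user_resync"] = server.verify(bind_password("secret", secret, 20, 8))
    server.lookahead = 5
    r["wrong_password"] = server.verify("wrong" + hotp(secret, 21, 8))
    return r
```

Run it with python3 and inspect walkthrough(): the in-sync login succeeds, the replayed code fails, a drift of 3 within a window of 5 succeeds and moves the server counter to 5, and a drift beyond the window fails until the user-specific window is temporarily raised. The loop in verify() is also why the window must stay small: every counter value it tries is one more code that is accepted for a given attempt.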

24.6.4 Configuration

To provision an eDirectory user for HOTP-based authentication, make the following configuration settings, which follow the RFC 4226 standard:

  • Enable HOTP on the user, immediate parent container, partition root, or Login Policy object. When the attribute is set at more than one level, that is also the order of precedence.

  • Set the HOTP shared secret key and the counter on the user. These two values together determine the HOTP value.

  • Configure the number of digits in HOTP values on the user, immediate parent container, partition root, or Login Policy object. The valid range of digits is 6 to 9.

  • Set the resynchronization windows as follows:

    • Set the tree-wide resynchronization window at the Login Policy object.

    • Set the user-specific resynchronization window at the user level. This is needed only when the client and server are out of sync.

Examples:

  • To configure a secret and a counter on the user object, run the following command:

    ./nmashotpconf -h 192.168.1.1 -p 636 -D cn=admin,o=novell -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell -c 0 -s 3132333435363738393031323334353637383930 -f RAW

  • To enable OTP for a user object, run the following command:

    ./nmashotpconf -h 192.168.1.1 -p 636 -D cn=admin,o=novell -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell -o ENABLE

  • To disable OTP for a user object, run the following command:

    ./nmashotpconf -h 192.168.1.1 -p 636 -D cn=admin,o=novell -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell -o DISABLE

    Similarly, you can enable or disable OTP for a container, partition root, or the Login Policy object by giving its DN with -u.

  • To configure the number of OTP digits for a user object, run the following command:

    ./nmashotpconf -h 192.168.1.1 -p 636 -D cn=admin,o=novell -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell -d 6

    Similarly, you can set the number of OTP digits for a parent container, partition root, or the Login Policy object.

  • To configure the user-specific resynchronization window, run the following command:

    ./nmashotpconf -h 192.168.1.1 -p 636 -D cn=admin,o=novell -w novell -y 5 -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -u cn=user1,o=novell

  • To configure the tree-wide counter re-synchronization look-ahead window, run the following command:

    ./nmashotpconf -h 192.168.1.1 -p 636 -D cn=admin,o=novell -w novell -e /var/opt/novell/eDirectory/data/SSCert.der -t DER -r 6

NOTE: To test the configuration, you can use HOTP values generated by any hardware or software token that complies with the HOTP standard (RFC 4226) and is provisioned with the same secret and counter as the user object.

24.6.5 Known issues

ndsconfig add fails for an HOTP-enabled administrative user

For HOTP-enabled users, the password presented to ndsconfig contains an OTP value, which is valid for one authentication only. The ndsconfig utility reuses the same password string, and therefore the same OTP value, for its subsequent authentications, so ndsconfig add fails. Similarly, ndsconfig upgrade also fails.

To work around this issue, do not enable HOTP for the user with which you perform ndsconfig add or upgrade.

Login through an HOTP-enabled user to a read-only replica fails

If you perform an LDAP login as an HOTP-enabled user by sending the request to a server that holds only a read-only replica of the user's partition, LDAP chaining does not happen: the read-only replica does not forward the request to the server where the user object actually resides, and the login fails with an illegal replica type error.

24.6.6 nmashotpconf utility cannot modify the user resynchronization window

If the user resynchronization window is already set (say, to 2) and you change its value by using the nmashotpconf utility, the utility displays the following error:

ldap_modify_ext_s on HOTP DN failed: error code=19: Constraint violation

One possible cause of this error is combining the -y (user_resync_window) option with the -o (OTP enable or disable), -d (OTP digits), or -c (OTP counter) options in the same invocation when modifying the user resynchronization window.