RAdmin can optionally support TOTP and HOTP tokens as specified by OATH [
https://openauthentication.org/ ]. TOTP and HOTP
are defined by RFCs 6238 and 4226, respectively. Such one-time-password
tokens provide a much higher level of security than static passwords,
because each code is valid for a single use or time step. OATH tokens are
supported on all RAdmin platforms. These tokens are typically provisioned
to a mobile device app, such as Google Authenticator or Microsoft
Authenticator.
Each token has a secret seed value and associated information, such as a
counter that is used to detect replay attempts. In order to authenticate a
TOTP or HOTP token, the RAdmin database must contain a table named RADOATH
with a token record that stores the seed and its associated information.
You can add new tokens to the RAdmin database when creating or listing
users. When a token is created, it must be allocated to a user before that
user can use the token to authenticate. You can view all currently existing
tokens with the RAdmin ‘List OATH tokens’ page.
In order to enable TOTP and HOTP token support:
- Install Radiator in the usual way.
- Install the MIME-Base32 and Imager-QRCode modules from CPAN (www.cpan.org)
on the RAdmin host. They are used to encode the seed and render the
provisioning QR code for the authenticator app.
- Install RAdmin as described above in this document.
- On the ‘Edit Radmin Configuration’ page enable the ‘Support OATH
(TOTP and HOTP)’ option. Click ‘Update’.
- RAdmin web pages will now include ‘List OATH tokens’, and the Edit
User page will include new options for allocating and listing
allocated OATH tokens.
- Configure Radiator based on the example configuration file
Radiator/goodies/radmin-totp.cfg
which shows how to
authenticate using TOTP token data held in the RAdmin database. HOTP
token authentication is shown in hotp.cfg, which can be updated to work
with RAdmin’s RADOATH table schema.
Exactly which OATH token actions are available to a particular RAdmin user
depends on the Permissions profile assigned to them. The Permissions
profile individually controls whether a user can List, Allocate,
Deallocate, and Delete tokens.