<divclass="noteimportant">This module has been replaced by <ahref="yubikey2f.html"class="wikilink1"title="documentation:2.0:yubikey2f">Yubikey Second Factor</a>
The <ahref="http://www.yubico.com/yubikey"class="urlextern"title="http://www.yubico.com/yubikey"rel="nofollow">Yubikey</a> is a small material token shipped by <ahref="http://www.yubico.com"class="urlextern"title="http://www.yubico.com"rel="nofollow">Yubico</a>. It sends an OTP, which is validated against Yubico server.
</p>
<p>
You need <ahref="http://search.cpan.org/~massyn/Auth-Yubikey_WebClient/"class="urlextern"title="http://search.cpan.org/~massyn/Auth-Yubikey_WebClient/"rel="nofollow">Auth::Yubikey_WebClient</a> package.
</p>
<p>
You need to get an client ID and a secret key from Yubico. See <ahref="https://upgrade.yubico.com/getapikey/"class="urlextern"title="https://upgrade.yubico.com/getapikey/"rel="nofollow">Yubico API</a> page.
</p>
<divclass="notetip">To use your Yubikeys as “second factor”, use <ahref="u2f.html"class="wikilink1"title="documentation:2.0:u2f">Universal 2nd Factor Authentication (U2F)</a> instead of this module
<liclass="level1"><divclass="li"><strong>OTP public ID part size</strong>: Part of Yubikey OTP that will be used as the media identifier (default: 12)</div>
</li>
</ul>
<divclass="notetip">You have to register the media identifier in your user backend (LDAP or SQL) to match the yubikey with a real user. For example it can be stored as a second value of the uid attribute in the LDAP directory:<ul>
Launch it with <ahref="https://github.com/miyagawa/Starman"class="urlextern"title="https://github.com/miyagawa/Starman"rel="nofollow">Starman</a> for example:
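Review bot: the deprecation notice on the first line sends readers to Yubikey Second Factor (yubikey2f.html) while the notetip further down still says to use U2F (u2f.html) "instead of this module"; the two notes should name a single replacement, or the tip should go now that the module is marked replaced. Two wording fixes in the same region: "a small material token" should be "a small hardware token", validated against "Yubico's validation server", and "an client ID" should be "a client ID". The tip about registering the media identifier in the user backend is the security-relevant step, since it is what binds an OTP public ID to an account, so it would help to state what the module does when a presented public ID matches no user or more than one. The line "Launch it with Starman for example:" appears to belong to a different page and is cut off here.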
@@ -77,6 +77,8 @@ All parameters are configured in “General Parameters » Portal Parameters » E
</li>
<liclass="level1"><divclass="li"><strong>Authentication Level</strong>: if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5</div>
</li>
<liclass="level1"><divclass="li"> Logo (Optional): logo file <em>(in static/<skin> directory)</em></div>
</li>
</ul>
<divclass="noteimportant">The command line is split in an array and launch with exec(). So you don't need to enclose arguments in “” and this protects your system against shell injection. However, you can not use any space except to separate arguments.
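Review bot: in the noteimportant that closes this hunk, "split in an array and launch with exec()" should read "split into an array and launched with exec()", and the security claim deserves one more sentence: bypassing the shell stops metacharacter interpretation, but whatever ends up in each argument is still handed to the program verbatim, so the argument values themselves still have to be trusted. The trade-off the text already states (no argument may contain a space) is the reason quoting is not supported; say so directly instead of leaving it as a bare "however".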
@@ -85,10 +85,12 @@ All parameters are configured in “General Parameters » Portal Parameters » S
</li>
<liclass="level1"><divclass="li"><strong>Authentication Level</strong>: if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5</div>
</li>
<liclass="level1"><divclass="li"> Logo (optional): logo file <em>(in static/<skin> directory)</em></div>
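Review bot: the added "Logo (optional)" item here and the "Logo (Optional)" item added in the previous hunk differ only in the capitalisation of "optional"; pick one form for both pages.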
<tdclass="col0"><del><ahref="authyubikey.html"class="wikilink1"title="documentation:2.0:authyubikey">Yubikey</a></del></td><tdclass="col1 centeralign"colspan="3"><em>Deprecated, replaced by Yubikey second factor</em></td>
<tdclass="col0"><ahref="rest2f.html"class="wikilink1"title="documentation:2.0:rest2f">REST Second Factor</a><ahref="new.png"class="media"title="documentation:2.0:new.png"><imgsrc="new.edf565b3f89a0ad56df9a5e7a31a6de8.png"class="media"alt=""width="35"/></a></td><tdclass="col1 centeralign">✔</td><tdclass="col2"></td><tdclass="col3"></td>
<tdclass="col0"><ahref="devopshandler.html"class="wikilink1"title="documentation:2.0:devopshandler">DevOps</a><ahref="new.png"class="media"title="documentation:2.0:new.png"><imgsrc="new.edf565b3f89a0ad56df9a5e7a31a6de8.png"class="media"alt=""width="35"/></a></td><tdclass="col1 centeralign"> ✔ </td><tdclass="col2 centeralign"> ✔ </td><tdclass="col3 leftalign"></td><tdclass="col4"> Allows application developers to define their rules within the application </td><tdclass="col5"></td>
<tdclass="col0"><ahref="devopshandler.html"class="wikilink1"title="documentation:2.0:devopshandler">DevOps</a><em>(SSOaaS)</em><ahref="new.png"class="media"title="documentation:2.0:new.png"><imgsrc="new.edf565b3f89a0ad56df9a5e7a31a6de8.png"class="media"alt=""width="35"/></a></td><tdclass="col1 centeralign"> ✔ </td><tdclass="col2 centeralign"> ✔ </td><tdclass="col3 leftalign"></td><tdclass="col4"> Allows application developers to define their rules within the application </td><tdclass="col5"></td>
</tr>
<trclass="row5 rowodd">
<tdclass="col0"><ahref="securetoken.html"class="wikilink1"title="documentation:2.0:securetoken">Secure Token</a></td><tdclass="col1 centeralign"> ✔ </td><tdclass="col2 centeralign"> ✔ </td><tdclass="col3 leftalign"></td><tdclass="col4"> Designed to secure dialog between a LLNG reverse-proxy and a remote app </td><tdclass="col5"></td>
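Review bot: the struck-through Yubikey row says "Deprecated, replaced by Yubikey second factor" but still links only to the old authyubikey.html page; add a link to the replacement (named as yubikey2f.html in the first hunk) so the table leads readers to the supported module. The DevOps row gains "(SSOaaS)" with nothing on the row explaining the term; either expand it in the description cell ("Allows application developers to define their rules within the application") or link it.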
...
...
@@ -449,7 +455,7 @@ Handlers are software control agents to install on your web servers <em>(Nginx,
<em>(*): <ahref="nodehandler.html"class="wikilink1"title="documentation:2.0:nodehandler">Node.js handler</a> has not yet reached the same level of functionality.</em>
</p>
...
...
@@ -459,7 +465,7 @@ Handlers are software control agents to install on your web servers <em>(Nginx,
@@ -505,7 +511,7 @@ Handlers are software control agents to install on your web servers <em>(Nginx,
<tdclass="col0 centeralign"><ahref="restconfbackend.html"class="wikilink1"title="documentation:2.0:restconfbackend">REST</a><ahref="new.png"class="media"title="documentation:2.0:new.png"><imgsrc="new.edf565b3f89a0ad56df9a5e7a31a6de8.png"class="media"alt=""width="35"/></a></td><tdclass="col1 centeralign"> ✔ </td><tdclass="col2 leftalign"> Proxy backend to be used in conjunction with another configuration backend. <br/><strong>Can be used to secure another backend</strong> for remote servers. </td>
</tr>
</table></div>
<!-- EDIT14 TABLE [6706-7688] --><divclass="notetip">You can not start with an empty configuration, so read <ahref="changeconfbackend.html"class="wikilink1"title="documentation:2.0:changeconfbackend">how to change configuration backend</a> to convert your existing configuration into another one.
<!-- EDIT14 TABLE [6884-7866] --><divclass="notetip">You can not start with an empty configuration, so read <ahref="changeconfbackend.html"class="wikilink1"title="documentation:2.0:changeconfbackend">how to change configuration backend</a> to convert your existing configuration into another one.
</div>
<p>
</div></div>
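Review bot: the REST configuration backend row claims in bold that it "Can be used to secure another backend for remote servers" without saying what is secured; spell out the intended deployment (presumably that remote servers talk only to the REST proxy rather than reaching the underlying configuration store directly), otherwise the bold claim reads as a guarantee the row does not support. The remaining change in this hunk is only the byte range inside the auto-generated `<!-- EDIT14 TABLE [...] -->` comment, which shifts whenever earlier content changes length and is not a content edit.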
...
...
@@ -560,13 +566,13 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
<strong>Can be used to secure another backend</strong> for remote servers. </td>
<h3class="sectionedit17"id="well_known_compatible_applications">Well known compatible applications</h3>
<divclass="level3">
<divclass="noteclassic">Here is a list of well known applications that are compatible with <abbrtitle="LemonLDAP::NG">LL::NG</abbr>. A full list is available on <ahref="applications.html"class="wikilink1"title="documentation:2.0:applications">vendor applications page</a>.
...
...
@@ -693,7 +699,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT17 SECTION "Well known compatible applications" [10752-12965] -->
<!-- EDIT17 SECTION "Well known compatible applications" [10930-13143] -->
<liclass="level1"><divclass="li"><ahref="servertoserver.html"class="wikilink1"title="documentation:2.0:servertoserver">Handling server webservice calls</a></div>
</li>
...
...
@@ -746,7 +752,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
@@ -81,7 +81,7 @@ In the manager (advanced parameters), you just have to enable it:
<ul>
<liclass="level1"><divclass="li"> TOTP ⇒ Activation: set it to “on”</div>
</li>
<liclass="level1"><divclass="li"> TOTP ⇒ Self registration: set it to “on” <em>(to display this application on the menu, create an application that points to <ahref="https://auth.your.domain/totpregister.html"class="urlextern"title="https://auth.your.domain/totpregister.html"rel="nofollow">https://auth.your.domain/totpregister.html</a>)</em></div>
<liclass="level1"><divclass="li"> TOTP ⇒ Self registration: set it to “on” if users are authorizated to generate themselves TOTP secret</div>
</li>
<liclass="level1"><divclass="li"> TOTP ⇒ Authentication level: you can overwrite here auth level for TOTP registered users. Leave it blank keeps auth level provided by first authentication module <em>(default: 2 for user/password based modules)</em>. <strong>It is recommended to set an higher value here if you want to give access to some apps only to users enrolled</strong></div>
</li>
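Review bot: the replacement Self registration line drops the pointer to https://auth.your.domain/totpregister.html that the removed line carried; unless that URL is documented elsewhere on the page, keep it, since it is how administrators put the enrolment page on the menu. The new wording also needs "authorizated" corrected to "authorized" and "generate themselves TOTP secret" to "generate their own TOTP secret". In the Authentication level item, "Leave it blank keeps" should be "Leaving it blank keeps" and "an higher value" should be "a higher value"; the recommendation itself is sound, as the raised level is what lets access rules distinguish enrolled users from everyone else.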
...
...
@@ -93,11 +93,15 @@ In the manager (advanced parameters), you just have to enable it:
</li>
<liclass="level1"><divclass="li"> TOTP ⇒ Digits: number of digit of codes (default: 6)</div>
<liclass="level1"><divclass="li"> TOTP ⇒ Change existing secret: authorize a user to change its already registered TOTP secret</div>
</li>
</ul>
<divclass="noteimportant">If you want to use a custom rule for “activation” and want to keep self-registration, you must include this in your rule that <code>$_totp2fSecret</code> is set, else TOTP will be required even if users are not registered. This is automatically done when “activation” is simply set to “on”.
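Review bot: the new "Change existing secret" item should say what a user must present to replace an already registered secret (the current TOTP code, or only the first factor), because re-enrolment is the point at which a second factor gets replaced and the line as written gives administrators no way to judge that risk. In the noteimportant, "you must include this in your rule that `$_totp2fSecret` is set" reads awkwardly; "your rule must also require `$_totp2fSecret` to be set" says the same thing. In the Digits item, "number of digit of codes" should be "number of digits in codes".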
@@ -88,12 +88,12 @@ This feature uses <a href="https://metacpan.org/pod/Crypt::U2F::Server::Simple"
<divclass="level2">
<p>
In the manager (advanced parameters), you just have to enable it:
In the manager (second factors), you just have to enable it:
</p>
<ul>
<liclass="level1"><divclass="li"> U2F ⇒ Activation: set it to “on”</div>
</li>
<liclass="level1"><divclass="li"> U2F ⇒ Self registration: set it to “on” <em>(to display this application on the menu, create an application that points to <ahref="https://auth.your.domain/u2fregister.html"class="urlextern"title="https://auth.your.domain/u2fregister.html"rel="nofollow">https://auth.your.domain/u2fregister.html</a>)</em></div>
<liclass="level1"><divclass="li"> U2F ⇒ Self registration: set it to “on” if users are authorizated to register their keys</div>
</li>
<liclass="level1"><divclass="li"> U2F ⇒ Authentication level: you can overwrite here auth level for U2F registered users. Leave it blank keeps auth level provided by first authentication module <em>(default: 2 for user/password based modules)</em>. <strong>It is recommended to set an higher value here if you want to give access to some apps only to users enrolled</strong></div>
</li>
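Review bot: this hunk changes the manager path from "(advanced parameters)" to "(second factors)", but the TOTP page's equivalent sentence, visible only as hunk context at "@@ -81,7 +81,7 @@ In the manager (advanced parameters)", is not touched in this diff; check whether it needs the same update. The replacement Self registration line has the same two issues as its TOTP counterpart: "authorizated" should be "authorized", and the pointer to https://auth.your.domain/u2fregister.html that the removed line carried disappears. The Authentication level item repeats "Leave it blank keeps" and "an higher".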
...
...
@@ -101,7 +101,7 @@ In the manager (advanced parameters), you just have to enable it:
<divclass="noteimportant">If you want to use a custom rule for “activation” and want to keep self-registration, you must include this in your rule: <code>$_u2fKeyHandle and $_u2fUserKey</code>, else U2F will be required even if users are not registered. This is automatically done when “activation” is simply set to “on”.
@@ -111,9 +111,9 @@ In the manager (advanced parameters), you just have to enable it:
<ul>
<liclass="level2"><divclass="li"> 38 to 56 with <ahref="https://addons.mozilla.org/fr/firefox/addon/u2f-support-add-on/"class="urlextern"title="https://addons.mozilla.org/fr/firefox/addon/u2f-support-add-on/"rel="nofollow">U2F Support Add-on</a></div>
</li>
<liclass="level2"><divclass="li"> 57 to 58, with “security.webauth.u2f” set to “true” in “about:config” <em>(see <ahref="https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/"class="urlextern"title="https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/"rel="nofollow">Yubico explanations</a>)</em></div>
<liclass="level2"><divclass="li"> 57 to 59, with “security.webauth.u2f” set to “true” in “about:config” <em>(see <ahref="https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/"class="urlextern"title="https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/"rel="nofollow">Yubico explanations</a>)</em></div>
</li>
<liclass="level2"><divclass="li"> probably enabled by default for versions >= 59</div>
<liclass="level2"><divclass="li"> probably enabled by default for versions >= 60</div>
</li>
</ul>
</li>
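Review bot: the Firefox version ranges are bumped ("57 to 58" becomes "57 to 59", ">= 59" becomes ">= 60") but the last item still says "probably enabled by default"; since this edit shows the ranges were re-checked, state the verified version and drop "probably", or cite the source, because a reader deciding whether to flip security.webauth.u2f in about:config needs to know whether the flag is still required on their version. The add-on link points at the French locale (/fr/) of addons.mozilla.org; the locale-neutral URL avoids a redirect for other readers.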
...
...
@@ -122,7 +122,7 @@ In the manager (advanced parameters), you just have to enable it: