How To Run LinOTP On OpenSuSE 12.3 With PostgreSQL

Want to support HowtoForge? Become a subscriber!
 
Submitted by cornelinux (Contact Author) (Forums) on Tue, 2013-04-09 17:06. :: SuSE | Security

How To Run LinOTP On OpenSuSE 12.3 With PostgreSQL

This tutorial describes the installation of LinOTP on OpenSUSE 12.3 using PostgreSQL as a token database. LinOTP is a two factor authentication solution with One Time Passwords. In the following Howto we are showing how to enable SSH authentication with LinOTP.

 

Getting prepared

We need to install the following packages:

zypper install python-virtualenv
zypper install gcc
zypper install python-devel
zypper install zlib-devel

 

Setting up postgresql

LinOTP uses a database to store the token information. You can use any database on another server, you can use an existing database or you can install a database on the very same machine. In this example we are using  PostgreSQL on the same machine.

So we install the necessary packages:

zypper install postgresql postgresql-server
zypper install postgresql-devel

linux-6a8c:/opt/LINOTP # su - postgres
postgres@linux-6a8c:~> initdb -D /var/lib/pgsql/data/

The database cluster will be initialized with locale "en_US.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".
creating directory /var/lib/pgsql/data ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 24MB
creating configuration files ... ok
creating template1 database in /var/lib/pgsql/data/base/1 ... ok
initializing pg_authid ... ok
initializing dependencies ... ok
creating system views ... ok
loading system objects' descriptions ... ok
creating collations ... ok
creating conversions ... ok
creating dictionaries ... ok
setting privileges on built-in objects ... ok
creating information schema ... ok
loading PL/pgSQL server-side language ... ok
vacuuming database template1 ... ok
copying template1 to template0 ... ok
copying template1 to postgres ... ok
WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
Success. You can now start the database server using:
postgres -D /var/lib/pgsql/data
or
pg_ctl -D /var/lib/pgsql/data -l logfile start

postgres@linux-6a8c:~> pg_ctl -D /var/lib/pgsql/data -l pglog.log start

Now, create a postgres user, create the database and grant access to this database:

postgres@linux-6a8c:~> createuser -P linotp2

postgres=# CREATE DATABASE LinOTP2;

CREATE DATABASE

postgres=# GRANT ALL ON DATABASE LinOTP2 TO linotp2;

GRANT

 

Setting up linotp

We are setting up LinOTP using a virtual python environment. This is also described here:

linux-6a8c:~ # mkdir /opt/LINOTP

linux-6a8c:~ # cd /opt/

linux-6a8c:/opt # virtualenv /opt/LINOTP/

linux-6a8c:/opt # cd LINOTP/

linux-6a8c:/opt/LINOTP # source bin/activate

(LINOTP)linux-6a8c:/opt/LINOTP

The changed prompt (LINOTP) indicates, that you are now in the python virtual environment.

Now you can install linotp from PyPI. All dependencies are also installed.

(LINOTP)linux-6a8c:/opt/LINOTP # pip install linotp linotpuseridresolver pil configobj psycopg2

Create necessary directories and config file:

(LINOTP)linux-6a8c:/opt/LINOTP # mkdir /var/log/linotp

(LINOTP)linux-6a8c:/opt/LINOTP # cp etc/linotp2/linotp.ini.example etc/linotp2/linotp.ini

Start postgres and make it start at boot time:

(LINOTP)linux-6a8c:/opt/LINOTP # service postgresql start

(LINOTP)linux-6a8c:/opt/LINOTP # chkconfig postgresql on

Create a local postgres user:

useradd -r linotp2

Now you need to edit the linotp.ini configuration file and adapt the following line:

sqlalchemy.url = postgresql+psycopg2://linotp2:test123!@localhost/linotp2

Please note: PostgreSQL uses small characters for the database name!

Now you need to create the encryption key:

(LINOTP)linux-6a8c:/opt/LINOTP # dd if=/dev/urandom of=etc/linotp2/encKey bs=1 count=96

Then create the database tables:

(LINOTP)linux-6a8c:/opt/LINOTP # paster setup-app etc/linotp2/linotp.ini
Running setup_app() from linotp.websetup

Now you can test your server:

(LINOTP)linux-6a8c:/opt/LINOTP # paster serve etc/linotp2/linotp.ini
Starting server in PID 12355.
serving on 0.0.0.0:5001 view at http://127.0.0.1:5001

Now you can point your browser to http://127.0.01:5001/manage and start to configure your LinOTP-Server, create a new useridresolver, a realm and enroll tokens for the users.

See the how to do the first steps at linotp.org.

 

Configuring Apache

You might want to run LinOTP within Apache or any other web server, that supports wsgi. Thus you get authentication and encryption.

First we need to install some packages and activate modules:

zypper install apache2 apache2-mod_wsgi
a2enmod wsgi
a2enmod ssl

chkconfig apache2 on
service apache2 start

Open the https port in the firewall and restart the firewall:

SuSEfirewall2 open EXT TCP https
SuSEfirewall2
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: Firewall rules successfully set

 

Certificate

Create a self signed certificate:

cp etc/apache2/sites-available/linotp2 /etc/apache2/vhosts.d/linotp.conf
openssl genrsa -out /etc/ssl/private/linotpserver.key 2048
chmod 400 /etc/ssl/private/linotpserver.key
openssl req -x509 -new -key /etc/ssl/private/linotpserver.key -out /etc/ssl/certs/linotpserver.pem

 

Config

Now edit your /etc/apache2/vhosts.d/linotp.conf:

 WSGIPythonHome /opt/LINOTP
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName linux-6a8c.az.local

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        <Directory /opt/LINOTP/etc/linotp2/>
          Order allow,deny
          Allow from all
        </Directory>

        WSGIScriptAlias /       /opt/LINOTP/etc/linotp2/linotpapp.wsgi
        #
        # The daemon is running as user 'linotp'
        # This user should have access to the encKey database encryption file
        WSGIDaemonProcess linotp processes=1 threads=15 display-name=%{GROUP} user=linotp
        WSGIProcessGroup linotp
        WSGIPassAuthorization On

        <Location /admin>
                AuthType Digest
                AuthName "LinOTP2 admin area"
                AuthDigestProvider file
                AuthUserFile /opt/LINOTP/etc/linotp2/admins
                Require valid-user
        </Location>

        <Location /audit>
                AuthType Digest
                AuthName "LinOTP2 admin area"
                AuthDigestProvider file
                AuthUserFile /opt/LINOTP/etc/linotp2/admins
                Require valid-user
        </Location>

        <Location /gettoken>
                AuthType Digest
                AuthName "LinOTP2 gettoken"
                AuthDigestProvider file
                AuthUserFile /opt/LINOTP/etc/linotp2/gettoken-api
                Require valuid-user
        </Location>

        <Location /mlogout>
                AuthType Digest
                AuthName "LinOTP2 admin area"
                AuthDigestProvider file
                AuthUserFile /etc/linotp2/admins
                AuthDigestProvider file
                AuthUserFile /etc/linotp2/admins
                Require user EXIT
        </Location>

        <Location /manage>
                AuthType Digest
                AuthName "LinOTP2 admin area"
                AuthDigestProvider file
                AuthUserFile /opt/LINOTP/etc/linotp2/admins
                Require valid-user
        </Location>

        <Location /selfservice>
                # THe authentication for selfservice is done from within the application
        </Location>

        <Location /system>
                AuthType Digest
                AuthName "LinOTP2 admin area"
                AuthDigestProvider file
                AuthUserFile /opt/LINOTP/etc/linotp2/admins
                Require valid-user
        </Location>


        <Location /license>
                # This should have at least the same access rights like /system
               AuthType Digest
               AuthName "LinOTP2 admin area"
               AuthDigestProvider file
               AuthUserFile /opt/LINOTP/etc/linotp2/admins
               Require valid-user
        </Location>

        <Location /validate>
        # No Authentication
        </Location>



        LogLevel info
        ErrorLog /var/log/apache2/error_log

        # Do not use %q! This will reveal all parameters, including setting PINs and Keys!
        # Using SSL_CLINET_S_DN_CN will show you, which administrator did what task
        LogFormat "%h %l %u %t %>s \"%m %U %H\"  %b \"%{Referer}i\" \"%{User-agent}i\" \"%{SSL_CLIENT_S_DN_CN}x\"" LinOTP2
        CustomLog /var/log/apache2/ssl_access.log LinOTP2

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0

        ErrorDocument 500 "<h1>Internal Server Error</h1> Possible reasons can be missing modules or bad access rights on LinOTP configuration files or log files. Please check the apache logfile <pre>/var/log/apache2/error.log</pre> for more details."

</VirtualHost>

Create your first administrator account:

htdigest2 -c etc/linotp2/admins "LinOTP2 admin area" admin

Create a local account, under which the LinOTP wsgi runs:

useradd -r linotp

Do some Apache stuff:

a2enmod mod_auth_digest

a2dismod php5

a2dismod cgi

a2dismod userdir
a2dismod auth_basic

Edit /etc/sysconfig/apache2 to make Apache start using SSL:

APACHE_SERVER_FLAGS="-D SSL"

Finally, make the services start at boot time and adapt access rights on files:

chkconfig postgresql on
chkconfig apache2 on
chown -R linotp /var/log/linotp
chown -R linotp /opt/LINOTP/etc/linotp2/data/


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.