LinOTP Two-Factor Authorization Server


Today I want to share how to configure a two-factor authentication server to protect the corporate network, sites, services and SSH. The server will run the combination LinOTP + FreeRadius.

Why do we need it?
This is a completely free, convenient solution within your network, independent of third-party providers.

This service is very convenient and quite visual, unlike other open source products, and also supports a huge number of functions and policies (for example, login + password + (PIN + OTP token)). Through the API it integrates with SMS sending services (LinOTP Config -> Provider Config -> SMS Provider), generates codes for mobile applications such as Google Authenticator, and much more. I think it is more convenient than the service considered in the article.

This server works fine with Cisco ASA, OpenVPN server, Apache2, and indeed with almost everything that supports authentication via a RADIUS server (for example, for SSH in the data center).

Requirements:

1) Debian 8 (jessie) - Required! (a trial installation on debian 9 is described at the end of the article)


Installation on Debian 8.

Add LinOTP repository:

# echo 'deb jessie linotp' > /etc/apt/sources.list.d/linotp.list 

Add keys:

 # gpg --search-keys 913DFF12F86258E5 

Sometimes with a “clean” installation, after executing this command, Debian issues:

 gpg:   `/root/.gnupg'
 gpg:     `/root/.gnupg/gpg.conf'
 gpg: :   `/root/.gnupg/gpg.conf'
 gpg:    `/root/.gnupg/secring.gpg'
 gpg:    `/root/.gnupg/pubring.gpg'
 gpg:     ( --keyserver)
 gpg:      :  URI 

This is the initial setup of gnupg. Nothing is wrong. Just run the command again.
Debian then asks:

 gpg:  "913DFF12F86258E5"  hkp
 (1) LSE LinOTP2 Packaging <>
     2048 bit RSA key F86258E5, : 2010-05-10
 Keys 1-1 of 1 for "913DFF12F86258E5".  , N)   Q) > 

Answer: 1


 # gpg --export 913DFF12F86258E5 | apt-key add - 

 # apt-get update 

Install MySQL. In theory, you can use a different SQL server, but for simplicity I will use MySQL, as recommended for LinOTP.

(Additional information, including on reconfiguring the LinOTP database, can be found in the official documentation at the link. There you can also find the command dpkg-reconfigure linotp to change the settings if you have already installed MySQL.)

 # apt-get install mysql-server 

 # apt-get update 
(Checking updates again will not hurt)
Install LinOTP and add-on modules:

 # apt-get install linotp 

We answer the installer's questions:
Use Apache2: yes
Create a password for the LinOTP admin: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database: localhost
Create the LinOTP database (database name) on the server: LinOTP2
Create a separate user for the database: LinOTP2
Set the password for that user: "YourPassword"
Create the database now? (something like "Are you sure you want ..."): yes
Enter the MySQL root password that was created during its installation: "YourPassword"

(optional, can be skipped)

 # apt-get install linotp-adminclient-cli 

(optional, can be skipped)

 # apt-get install libpam-linotp 

Our LinOTP web interface is now available at:

 https://<LinOTP_server_IP>/manage 

I’ll talk about the settings in the web interface a bit later.

Now, the most important thing! Bring up FreeRadius and link it to LinOTP.

Install FreeRadius and the LinOTP module

 # apt-get install freeradius linotp-freeradius-perl 

Back up the clients and users RADIUS configs:

 # mv /etc/freeradius/clients.conf /etc/freeradius/clients.old 

 # mv /etc/freeradius/users /etc/freeradius/users.old 

Create an empty client file:

 # touch /etc/freeradius/clients.conf 

We edit our new config file (the backup config can be used as an example):

 # nano /etc/freeradius/clients.conf 

 client <NAS_IP_or_name> {   # placeholder: the device (VPN, ASA, sshd host...) that will send RADIUS requests
     secret = passwd          # shared secret between that client and FreeRadius
 } 

Next, create the users file:

 # touch /etc/freeradius/users 

We edit the file, telling the RADIUS server that we will use the perl module for authentication.

 # nano /etc/freeradius/users 

 DEFAULT Auth-type := perl 

Next, edit the file /etc/freeradius/modules/perl

 # nano /etc/freeradius/modules/perl 

We need to write the path to the LinOTP perl script in the module parameter:

 perl {
     .......
     .........
     module = /usr/lib/linotp/
 } 

Next, we create the file that tells the module where to take user data from (domain, database or flat file).

 # touch /etc/linotp2/rlm_perl.ini 

 # nano /etc/linotp2/rlm_perl.ini 

 URL=https://IP_of_LinOTP_server_(192.168.XX)/validate/simplecheck
 REALM=webusers1c
 RESCONF=LocalUser
 Debug=True
 SSL_CHECK=False 

Here I will dwell on this in more detail, since it is important.

Full description of the file with comments:
# IP of the LinOTP server (IP address of our LinOTP server)
URL = https://
# The realm that we will create in the LinOTP web interface
REALM = rearm1
# The name of the user group (UserIdResolver) that is created in the LinOTP web interface
RESCONF = flat_file
# optional: comment out if everything seems to work fine
Debug = True
# optional: use this if you have self-signed certificates, otherwise comment it out (certificate verification; disable it only if we created our own certificate and cannot verify it)
SSL_CHECK = False
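The rlm_perl.ini settings are easy to get subtly wrong (SSL_CHECK=False means the RADIUS host will accept any certificate on the hop that carries PIN+OTP, and a REALM/RESCONF that does not match the web UI makes every login fail). The following is an added example, not part of LinOTP or the perl module: it parses the same five keys, flags the weak settings, builds the parameters the module passes to /validate/simplecheck, and maps the smiley replies that endpoint is documented to return onto RADIUS outcomes. The sample ini content is constructed.

```python
import configparser

# Constructed sample: the same five keys the article puts into /etc/linotp2/rlm_perl.ini
SAMPLE_INI = """\
URL=https://192.168.0.10/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False
"""

def parse_rlm_perl_ini(text):
    """rlm_perl.ini is a flat key=value file with no [section]; add one for configparser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the module's upper-case keys as written
    cp.read_string("[linotp]\n" + text)
    return dict(cp["linotp"])

def audit_rlm_perl_ini(cfg):
    """Flag settings that weaken or break the FreeRadius -> LinOTP hop."""
    findings = []
    if not cfg.get("URL", "").lower().startswith("https://"):
        findings.append("URL is not https: PIN+OTP would cross the network in clear text")
    if cfg.get("SSL_CHECK", "True").lower() == "false":
        findings.append("SSL_CHECK=False: the LinOTP certificate is not verified; "
                        "use a certificate the RADIUS host trusts and set SSL_CHECK=True")
    if cfg.get("Debug", "False").lower() == "true":
        findings.append("Debug=True: verbose logging is on; turn it off once auth works")
    for key in ("REALM", "RESCONF"):
        if not cfg.get(key):
            findings.append(f"{key} is empty: it must match the realm/resolver created in the web UI")
    return findings

def simplecheck_params(cfg, user, password):
    """Parameters the perl module sends to /validate/simplecheck (password = PIN+OTP)."""
    return {"user": user, "pass": password, "realm": cfg["REALM"]}

def interpret_simplecheck(body):
    """simplecheck replies with a smiley: ':-)' accept, ':-(' reject, ':-/ <txid>' challenge."""
    answer = body.strip()
    if answer == ":-)":
        return "Access-Accept"
    if answer == ":-(":
        return "Access-Reject"
    if answer.startswith(":-/"):
        return "Access-Challenge"
    raise ValueError(f"unexpected simplecheck reply: {body!r}")
```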

Next, create the file /etc/freeradius/sites-available/linotp

 # touch /etc/freeradius/sites-available/linotp 

 # nano /etc/freeradius/sites-available/linotp 

And copy the config into it (do not change anything unnecessarily):

 authorize {
     # normalizes malformed client requests before handing them on to other modules (see '/etc/freeradius/modules/preprocess')
     preprocess

     # If you are using multiple kinds of realms, you probably
     # want to set "ignore_null = yes" for all of them.
     # Otherwise, when the first style of realm doesn't match,
     # the other styles won't be checked.

     # allows a list of realms (see '/etc/freeradius/modules/realm')
     IPASS

     # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
     suffix

     # understands USER\REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
     ntdomain

     # Read the 'users' file to learn about special configuration which should be applied for
     # certain users (see '/etc/freeradius/modules/files')
     files

     # allows authentication to expire (see '/etc/freeradius/modules/expiration')
     expiration

     # allows to define valid service-times (see '/etc/freeradius/modules/logintime')
     logintime

     # We got no radius_shortname_map!
     pap
 }

 # here the linotp perl module is called for further processing
 authenticate {
     perl
 } 

Next, make a symlink:

 # ln -s ../sites-available/linotp /etc/freeradius/sites-enabled 

Personally, I kill the default radius sites, but if you need them, you can either edit their config or disable them.

 # rm /etc/freeradius/sites-enabled/default 

 # rm /etc/freeradius/sites-enabled/inner-tunnel 

 # service freeradius reload 

Now back to the web interface, and let's look at it in more detail:
In the upper right corner, click LinOTP Config -> UserIdResolvers -> New
Choose what we want: LDAP (Windows AD, Samba LDAP), SQL, or local Flatfile users.

Fill in the required fields.

Next, create the REALMS:
In the upper right corner, click LinOTP Config -> Realms -> New,
give our realm a name, and tick the UserIdResolvers created earlier.

FreeRadius needs all this data in the /etc/linotp2/rlm_perl.ini file, which I wrote about above, so if you have not edited it yet, do it now.

That's it, the server is configured.


Setting up LinOTP on Debian 9 :


 # echo 'deb stretch linotp' > /etc/apt/sources.list.d/linotp.list 

 # apt-get install dirmngr 

 # apt-key adv --recv-keys 913DFF12F86258E5 

 # apt-get update 

 # apt-get install mysql-server 
(by default, in Debian 9 MySQL (MariaDB) does not offer to set a root password; of course you can leave it blank, but if you read the news, this very often leads to "epic fails", so we will set one anyway)

 # mysql -u root -p 

 use mysql; 

 UPDATE user SET Password = PASSWORD('_') WHERE User = 'root'; 

 FLUSH PRIVILEGES;   -- the change to the user table only takes effect after this 


 # apt-get install linotp 

 # apt-get install linotp-adminclient-cli 

 # apt-get install python-ldap 

 # apt install freeradius 

 # nano /etc/freeradius/3.0/sites-enabled/linotp 

We paste in the code (sent by JuriM, thanks to him!):

server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl    # hands the request to the linotp perl module
        }
    }
    accounting {
        ok      # nothing to do for accounting here
    }
}

Editing /etc/freeradius/3.0/mods-enabled/perl

perl {
    filename = /usr/share/linotp/
    func_authenticate = authenticate
    func_authorize = authorize
}

Unfortunately, in Debian 9 the library is not installed from the repositories, so we will take it from GitHub.

 # apt install git 

 # git clone 

 # cd linotp-auth-freeradius-perl/ 

 # cp /usr/share/linotp/ 

now tweak /etc/freeradius/3.0/clients.conf

client servers {
    ipaddr =
    secret = your password
}

now edit /etc/linotp2/rlm_perl.ini

We paste the same content there as when installing on Debian 8 (described above).

In theory, that's everything. (not tested yet)

I will leave below a few links on setting up systems, which most often need to be protected by two-factor authentication:
Configuring two-factor authentication in Apache2

Setup with Cisco ASA (another token generation server is used there, but the settings of the ASA itself are the same).

VPN with two-factor authentication

Setting up two-factor authentication in ssh (LinOTP is also used there) - thanks to the author. You can also find interesting things about configuring LinOTP policies there.

Also, the CMS of many sites support two-factor authentication (for WordPress, LinOTP even has its own special module on GitHub), for example, if you want to create a secure section for company employees on your corporate website.
IMPORTANT FACT! DO NOT tick the "Google authenticator" checkbox to use Google Authenticator! The QR code cannot be read then ... (strange fact)

To write the article, information was used from the following articles:

Thanks to the authors.
