Authentication plugin for Pydio

Based on auth.serial, the Google Authenticator reference implementation, and the YubiKey demo PHP implementation. With this plugin you can authenticate users in 4 different ways:

The authentication method can be set per user, so one user can authenticate with a password, another with a YubiKey, and a third with both YubiKey and Google Authenticator.
 

AjaXplorer upgrade from 4.x to 5.x

Before the upgrade you have to disable the serial_otp module. In bootstrap_plugins.php, change the authentication driver from serial_otp to serial. Leave USERS_FILEPATH unchanged, because its format is compatible with the serial auth plugin. After the modification, the relevant part of bootstrap_plugins.php should look similar to this:

	"AUTH_DRIVER" => array(
	    "NAME" => "serial",
	    "OPTIONS" => array(
	        "LOGIN_REDIRECT" => false,
	        "USERS_FILEPATH" => "AJXP_DATA_PATH/plugins/auth.serial_otp/users.ser",
	        "AUTOCREATE_AJXPUSER" => false,
	        "TRANSMIT_CLEAR_PASS" => true,
	        "YUBICO_SECRET_KEY" => "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
	        "YUBICO_CLIENT_ID" => "1111"
	    )
	),

IMPORTANT: Users' YubiKey / Google Authenticator information is NOT migrated during the upgrade. You have to set it up again.

(It is theoretically possible to migrate the YubiKey / GA information too, but I have fewer than 10 users and migrating them by hand was much less effort than writing migration code.)

 

Installation

You need to install php-yubico from http://code.google.com/p/php-yubico/
 

	wget http://php-yubico.googlecode.com/files/Auth_Yubico-2.4.tgz
	pear install Auth_Yubico-2.4.tgz


Do not forget to install or enable php-curl for Auth_Yubico.

Configuration

 

Google authenticator

Add the "Google Authenticator" and "Google Authenticator Last" fields to users. You can do it one by one, or you can add them to a group of users by adding them to a role. To add them to all users, use the Root Role:

Workspaces & Users >> Roles >> Root Role >> Parameters tab

Leave both parameters blank in the All Workspaces tab.

Hint: Adding these parameters to all users does not mean all users have to use GA. Leave these parameters blank in the per user configuration and the user can log in with his/her password, or password + YubiKey if YubiKey is enabled.

 

YubiKey

Add the "YubiKey 1" and "YubiKey 2" fields to users. You can do it one by one, or you can add them to a group of users by adding them to a role. To add them to all users, use the Root Role:

Workspaces & Users >> Roles >> Root Role >> Parameters tab

Leave both parameters blank in the All Workspaces tab.

Hint: Adding these parameters to all users does not mean all users have to use YubiKey. Leave these parameters blank in the per user configuration and the user can log in with his/her password, or password + GA if GA is enabled.

 

Per user configuration

You can set up per user configuration at Workspaces & Users >> Users & Groups >> <user> >> Parameters tab >> All Workspaces tab

Google Authenticator

Fill the Google Authenticator field with the Google Authenticator secret. It is a 16-character string, like P47IZDN4ZIXWLCCN

!! DO NOT USE THE SAME SECRET AS YOUR GOOGLE ACCOUNT !!

Don't touch the "Google Authenticator Last" field; it is updated automatically. It is used internally to defend against replay attacks.
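
How a "last used" value can block replay of a time-based code, as an added example (not the plugin's own code). It assumes the field stores the last accepted 30-second time step; the dict keys `ga_secret` and `ga_last` and the function names are hypothetical stand-ins for the two per-user fields.

```python
import base64, hashlib, hmac, struct

STEP, DIGITS, WINDOW = 30, 6, 1  # 30 s steps, 6 digits, +/-1 step drift (assumed)

def hotp(secret_b32, counter):
    """RFC 4226 code for one counter value, zero-padded to DIGITS."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify_totp(user, code, now):
    """Accept code only for a time step newer than the last accepted one.

    user: dict with hypothetical keys 'ga_secret' (Base32 secret) and
    'ga_last' (last accepted time step, 0 = never used).
    """
    current = int(now) // STEP
    for step in range(current - WINDOW, current + WINDOW + 1):
        if step <= user["ga_last"]:
            continue  # this step was already consumed: a reused code is a replay
        expected = hotp(user["ga_secret"], step)
        if hmac.compare_digest(expected.encode(), code.encode()):
            user["ga_last"] = step  # persist so the same code cannot be reused
            return True
    return False

if __name__ == "__main__":
    # Constructed sample user; the secret is the RFC 6238 test key in Base32.
    user = {"ga_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "ga_last": 0}
    code = hotp(user["ga_secret"], 59 // STEP)
    print("first login :", verify_totp(user, code, 59))
    print("replay      :", verify_totp(user, code, 59))
    print("stored step :", user["ga_last"])
```

Overwriting the stored step by hand re-opens the window for a code that was already used, which is why the field should be left alone.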

YubiKey

Use your in the YubiKey 1 or the YubiKey 2 field. A maximum of two YubiKeys can be assigned to one user.