Nice! someone :D well I will explain... (I'm Brazilian so please forgive
some English typo errors)
think about connecting to your database from an untrusted network (yes
you're travelling to a nice nice place), you don't want to connect and
leave your password unchanged, but if you do this your new password will be
a bit insecure since someone can listen to your packets (ok I'm considering
that you are a very unlucky guy) nice. the point of one time password is
"don't ask the user to change the password", but change the password
always. ok this is something everybody can read in any OTP blog


well the implementation part...

in mariadb we have an example of pam authentication, and with pam we can use
s/key or google authenticator or any other OTP password. the problem is
mariadb running in windows or in a system where we can't change pam
authentication and only allow auth plugins. (here an example of mariadb pam
with google authenticator in the mariadb blog from a very nice guy (sergei)
http://blog.mariadb.org/security-with-two-step-verification/ )
ok no more considerations let's talk about implementation

1) creating user in mariadb
we should create the user with the mariadb interface...
CREATE USER user_name IDENTIFIED VIA oathtool
nice this will create the user in the mysql.user table
in this table we have a field just for external authentication plugins, the
field is named "auth_string"

what I'm thinking... inside this auth_string field we could put data like
google authenticator puts in the .google_authenticator file
what should be inside?
1) base32 key
2) information about whether the key is time based or counter based, like on
the oath toolkit website:

   - RFC 4226 on HOTP: An HMAC-Based One-Time Password Algorithm
     <http://tools.ietf.org/html/rfc4226>
   - RFC 6238 on TOTP: Time-Based One-Time Password Algorithm
     <http://tools.ietf.org/html/rfc6238>

3) for counter type, information about the current counter value
4) for time type, information about the last logged in time, if the user
doesn't want to have the same time value used twice, in other words if he
connects at time 1, he will connect again only at time 2
5) a bigger time or counter validation, in case we have a difference
between the mariadb utc time and the user's utc time we could try to find the
next time and check if the OTP is ok
6) in google authenticator, there's one more option of password, some fixed
passwords, when used they are removed from the file and the user can log in,
this type of password is a fail-safe password for when the user lost the KEY
or when TIME/COUNTER isn't in sync and the user can't sync it again, in this
case he logs in with a fixed password and restarts the information in
"auth_string"

well what's the difference from sergei's pam authentication? not much,
just the point that we aren't using the pam system, and we are putting the
information inside the mysql.user table, in other words we don't need to know
the filesystem and don't need more files for each user, just a mysql
connection to the database

the oath-toolkit has the tools to generate the keys and get the current
key, that's enough for the user to log in and create a password
it's easier than google authenticator since we don't have to change the
/etc/pam.d/mysql service to allow mysql user authentication (this creates
some problems with passwd/shadow file permissions in unix, in some unixes we
need to let mysql read information from shadow... and if we are using
windows we don't have pam.d)

well I think that's all about the high level idea, there's more to do, I
think that sergei's blog has a nice piece of code to start (it has the mysql
part that we need, but doesn't explain how to read and change information in
the "auth_string" column)

thanks guys

2012/12/19 Simon Josefsson <[email protected]>

> Roberto Spadim <[email protected]> writes:
>
> > hi guys, i'm new here, but
> > could we implement otp in mariadb? like an authenticator plugin?
> >
> > it should use the one time password + user password (from mysql table)
> >
> > any help?
> > i put a feature request in mariadb too
> > if anyone could help, please contact me
> > https://mariadb.atlassian.net/browse/MDEV-3949#comment-28930
> >
> > maybe a donation for developing this code
>
> That should be possible to do, the components should be available in
> OATH Toolkit -- but to get useful help from this list, you need to
> describe more in detail what it is you are trying to do.  The majority
> of the work is likely on the MariaDB side to integrate everything.
>
> /Simon
>



-- 
Roberto Spadim
Spadim Technology / SPAEmpresarial
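As an added example (my own code, written for this page; it is not code from the thread, from MariaDB, from Sergei's blog or from OATH Toolkit), here is the verification side of the design sketched in the message above: HOTP per RFC 4226, TOTP per RFC 6238, and the bookkeeping the six numbered items ask for. The `auth_string` layout `key;kind;state;window;scratch` is an assumption made for the example, as is `DEMO_KEY_B32` (the base32 form of the RFC 4226 test secret); everything else (the drift window, refusing a time step that was already accepted, and scratch codes that are consumed on use) follows the items in the message.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default)

# Assumed (constructed for this example) layout of mysql.user.auth_string:
#   <base32 key>;<HOTP|TOTP>;<state>;<window>;<scratch1,scratch2,...>
# state = next expected counter (HOTP) or last accepted time step (TOTP).
DEMO_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 4226 test secret, constructed demo value


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with the counter replaced by the current time step."""
    return hotp(key, unix_time // TIME_STEP, digits)


def parse_auth_string(auth_string: str) -> dict:
    """Split the assumed auth_string layout into its fields (items 1 to 6)."""
    key_b32, kind, state, window, scratch = auth_string.split(";")
    if kind not in ("HOTP", "TOTP"):
        raise ValueError("unknown OTP kind: " + kind)
    return {
        "key_b32": key_b32,
        "key": base64.b32decode(key_b32, casefold=True),
        "kind": kind,
        "state": int(state),
        "window": int(window),  # extra steps accepted for clock/counter drift (item 5)
        "scratch": [c for c in scratch.split(",") if c],  # fail-safe codes (item 6)
    }


def format_auth_string(rec: dict) -> str:
    """Serialise the record back so it can be written to auth_string."""
    return ";".join([rec["key_b32"], rec["kind"], str(rec["state"]),
                     str(rec["window"]), ",".join(rec["scratch"])])


def verify(auth_string: str, code: str, now: int) -> tuple:
    """Check one OTP; return (accepted, auth_string to write back)."""
    rec = parse_auth_string(auth_string)

    # Fail-safe scratch codes: each is accepted exactly once, then removed.
    for scratch in rec["scratch"]:
        if hmac.compare_digest(scratch, code):
            rec["scratch"].remove(scratch)
            return True, format_auth_string(rec)

    if rec["kind"] == "HOTP":
        # Accept the next expected counter or a few ahead (token pressed without
        # logging in), then advance past the counter that was used (item 3).
        for counter in range(rec["state"], rec["state"] + rec["window"] + 1):
            if hmac.compare_digest(hotp(rec["key"], counter), code):
                rec["state"] = counter + 1
                return True, format_auth_string(rec)
    else:
        step = now // TIME_STEP
        for candidate in range(step - rec["window"], step + rec["window"] + 1):
            if candidate <= rec["state"]:
                continue  # that step was already used: a sniffed code cannot be replayed (item 4)
            if hmac.compare_digest(hotp(rec["key"], candidate), code):
                rec["state"] = candidate
                return True, format_auth_string(rec)

    return False, auth_string


if __name__ == "__main__":
    record = DEMO_KEY_B32 + ";TOTP;0;1;12345678"
    key = parse_auth_string(record)["key"]
    accepted, record = verify(record, totp(key, 59), 59)
    print("first login:", accepted, record)
    print("replay of the same code:", verify(record, totp(key, 59), 70)[0])
```

The plugin would read `auth_string` for the connecting user, call `verify()`, and write the returned string back in the same transaction, so that a counter advance or a consumed scratch code is never lost; the HOTP window should be kept small, since every extra counter accepted is one more guess an attacker gets for free.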
