otp-thing
One time password generator, validator, and qrcode generator that has no web dependencies (self-contained) in PHP
Introduction
This started out as a straight drop-in class, which you can still download from here; it has since been developed into a full admin/usercp system using the gentelella theme converted to Smarty 3.
Attribution to other Authors
- The license for the gentelella theme is located inside `/templates/gentelella/LICENSE.TXT` and can be viewed here
- The method `otp::GenerateQRCode()` inside `otp.class.php` is based off code written in QR code class library for PHP4 / 5 ver. 0.50beta14 (C)2002-2013, Y.Swetake, and has been modified to output a base64 encoded image as well as load data from the included sqlite database.
- Smarty is licensed under LGPL
All other 3rd party libraries (jquery, jquery extensions, etc) and languages (javascript/ecma, css, etc) are under their respective licenses, with attribution included in the respective file(s) or in the directory containing the file(s). Absence of said license does not mean that no license applies; it is assumed that the strongest license in this project then applies where no other license is available. If a license file/attribution was not included and you believe this to be an error, please submit it as a bug report or pull request with any license details that may have been omitted.
Installation
Download the application and set the appropriate values in `config.inc.php`, then run `/app/install`. If everything passes, the database will be installed if it doesn't exist, and a new user `admin` with the password `admin` will be created using ACL `9999`, which should give plenty of access levels to play with for lower level users or admins.
Once installed, all users and administrators can add an authenticator to their account and edit the following basic settings for their own account: Name, Password, Email.
Requirements
This was tested and runs well with the following lists of all modules and extensions loaded for Apache and PHP. Many of the modules or extensions come pre-loaded, but since this varies between distributions, I have included a more comprehensive list which you can tweak.
Apache/2.4.10
Loaded Modules:
- access_compat_module (shared)
- actions_module (shared)
- alias_module (shared)
- auth_basic_module (shared)
- authn_core_module (shared)
- authn_file_module (shared)
- authz_core_module (shared)
- authz_host_module (shared)
- authz_user_module (shared)
- autoindex_module (shared)
- core_module (static)
- deflate_module (shared)
- dir_module (shared)
- env_module (shared)
- fastcgi_module (shared)
- filter_module (shared)
- headers_module (shared)
- http_module (static)
- log_config_module (static)
- logio_module (static)
- mime_module (shared)
- mpm_event_module (shared)
- negotiation_module (shared)
- rewrite_module (shared)
- setenvif_module (shared)
- socache_shmcb_module (shared)
- so_module (static)
- ssl_module (shared)
- status_module (shared)
- unixd_module (static)
- version_module (static)
- watchdog_module (static)
PHP 5.6.17
[PHP Modules]
- bcmath
- bz2
- calendar
- Core
- ctype
- date
- dba
- dom
- ereg
- exif
- fileinfo
- filter
- ftp
- gd
- gettext
- hash
- iconv
- json
- libxml
- mbstring
- mhash
- mysql
- mysqli
- mysqlnd
- openssl
- pcntl
- pcre
- PDO
- pdo_mysql
- pdo_sqlite
- Phar
- posix
- readline
- Reflection
- session
- shmop
- SimpleXML
- soap
- sockets
- SPL
- sqlite3
- standard
- sysvmsg
- sysvsem
- sysvshm
- tokenizer
- wddx
- xml
- xmlreader
- xmlwriter
- Zend OPcache
- zip
- zlib
[Zend Modules]
- Zend OPcache
MariaDB 10.0.23
It should not matter much whether you choose MariaDB or MySQL as the database platform; however, you will need it compiled with mysqlnd (native driver) support, and mysqlnd must also be compiled into PHP.
Login
If an authenticator is not on the user's account, the authenticator code field is disregarded. If any part of the credentials fails, including when the authenticator code is invalid or is not a valid scratch code, a generic message stating 'Invalid Credentials' is displayed. No clue is given about which part of the credential system was correct, which makes guessing harder for an attacker than messages such as 'Invalid Password' would.
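As an added example (not the project's own code), the login rule described above can be implemented like this: an RFC 4226/6238 code check plus hashed scratch codes, where the authenticator field is ignored for accounts without an authenticator and every failure collapses into the same 'Invalid Credentials' result. Assumptions: the secret is raw bytes, 30-second steps, 6 digits, scratch codes stored as password hashes; `$user` and the function names are hypothetical.

```php
<?php
// Added example, not code from otp-thing. PHP 5.6-compatible (no scalar type hints).

// HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, dynamic truncation.
function hotp($secret, $counter, $digits = 6) {
    $hmac = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $off  = ord($hmac[19]) & 0x0f;
    $bin  = ((ord($hmac[$off]) & 0x7f) << 24)
          | (ord($hmac[$off + 1]) << 16)
          | (ord($hmac[$off + 2]) << 8)
          |  ord($hmac[$off + 3]);
    return str_pad((string)($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP (RFC 6238): check the current step and its neighbours for clock drift.
// All steps are evaluated regardless of an early match so timing reveals nothing.
function totp_valid($secret, $code, $now, $window = 1) {
    $ok   = false;
    $step = (int) floor($now / 30);
    for ($i = -$window; $i <= $window; $i++) {
        $ok = hash_equals(hotp($secret, $step + $i), (string) $code) || $ok;
    }
    return $ok;
}

// One generic outcome: the caller cannot tell which part of the credentials failed.
function login(array $user, $password, $otp, $now) {
    $passOk = password_verify($password, $user['password_hash']);
    if ($user['totp_secret'] === null) {
        $otpOk = true;                               // no authenticator: field disregarded
    } else {
        $otpOk = totp_valid($user['totp_secret'], $otp, $now);
        foreach ($user['scratch_hashes'] as $h) {    // backup codes; consuming a used
            $otpOk = password_verify($otp, $h) || $otpOk; // code is left to the caller
        }
    }
    return ($passOk && $otpOk) ? 'OK' : 'Invalid Credentials';
}

// Constructed sample account; the TOTP secret is the RFC 6238 test-vector key.
$user = array(
    'password_hash'  => password_hash('hunter2', PASSWORD_DEFAULT),
    'totp_secret'    => '12345678901234567890',
    'scratch_hashes' => array(password_hash('84726153', PASSWORD_DEFAULT)),
);
echo login($user, 'hunter2', hotp($user['totp_secret'], 1), 59), "\n";
echo login($user, 'hunter2', '84726153', 59), "\n";
echo login($user, 'wrong',   hotp($user['totp_secret'], 1), 59), "\n";
```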
Screenshots (captions only): Dashboard; Settings; Authenticator, shown both when no authenticator is on the user's account and when one exists; Accounts: Add; Accounts: Added; Accounts: List; Notifications.
Generic Error Page
The generic error page returns 410 Gone instead of 404 for pages that do not map to a valid modal. The script only checks for the physical existence of resource files (jpg, png, js, etc.) and denies any direct access to physical php/html/etc files. As the screenshot shows, if the physical resource file is missing it also triggers a 410 Gone, showing the missing element and the virtual path in the address bar.
A 400 error message is shown for resources that the user does not have permission to access.