File Date Author Commit
 auth 2013-11-15 Dmitriy Stremkovskiy [6b0557] nothing changed just comment
 bin 2013-11-15 Dmitriy Stremkovskiy [b5fced] Recommitting with correct author
 conf 2013-11-15 Dmitriy Stremkovskiy [e65df2] Configs addon
 gauth 2013-11-02 Dmitriy Stremkovskiy [7678c4] Code addon
 html 2013-10-20 Dmitriy Stremkovskiy [69b81e] Major release.
 README 2013-11-15 Dmitriy Stremkovskiy [27e7b7] README

Read Me

SimSim Authenticator by Dmitriy Stremkovskiy.

README
------
This project gives you the ability to use pin+token authentication in your web
projects.
All you have to remember is your pin.
Your token is renewed every 30 seconds by Google Authenticator.
Now you can safely visit your pages from public/unsecured places.
You can forget about password stealing.
Also, all your sessions will be forcibly expired by the redis core after a time you
specify.

I. Algorithm:
-------------
0) Visiting the /auth/ location without a TokenKey cookie, or with a wrong cookie
value, you get 401 and a redirect to /gauth/.

1) /gauth/ location. Authenticate through pin (your predefined pin) + token
(Google Authenticator).
- If no pin + token is provided, you get 401
- If the login or the pin+token pair is incorrect, you get 401
- If the token is OK but the pin is wrong, you get 401
- If the token is outdated, you get 401
- If pin+token are OK for the provided login, you get 200 and a cookie. That cookie
goes to redis with an expiration time (the CookieTTL value).
- You're redirected to the /auth/ location

2) Visiting /auth/ with a correct cookie, you get 200 and that's it. The redis key
is renewed by the RenewTTL value.
3) As soon as your cookie expires, you get 401 and a redirect to /gauth/, and so
on.

How pin+token are checked.
Your token is verified by Google Authenticator through a paramiko ssh session.
During this session we read the ~/.pin file (~ = home folder of the logged-in user),
which contains your pin code.
If the pin read from the file equals the provided pin, authentication is successful.
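The decision logic of steps 0-3 and the pin check above, as an added example that is not SimSim's own code: a dict stands in for redis, and the Google Authenticator verification and the ~/.pin read are passed in as hypothetical callables (verify_token, read_pin); CookieTTL, RenewTTL, TokenKey and TokenLogin follow the README, the concrete TTL values and the clock parameter are assumptions.

```python
import secrets

COOKIE_TTL = 300   # CookieTTL: lifetime of a freshly issued TokenKey, in seconds (assumed)
RENEW_TTL = 120    # RenewTTL: lifetime re-applied on each successful /auth/ visit (assumed)

class SessionStore:
    """Stand-in for the redis store: TokenKey -> (login, expiry timestamp)."""
    def __init__(self):
        self.keys = {}

    def set(self, key, login, ttl, now):
        self.keys[key] = (login, now + ttl)

    def get(self, key, now):
        entry = self.keys.get(key)
        if entry is None:
            return None
        login, expires_at = entry
        if now >= expires_at:        # redis would already have evicted it
            del self.keys[key]
            return None
        return login

def gauth(store, login, pin, token, verify_token, read_pin, now):
    """/gauth/: returns (status, cookies). Every failure is a bare 401."""
    if not login or not pin or not token:
        return 401, {}
    if not verify_token(login, token):    # Google Authenticator (ssh/PAM) check
        return 401, {}
    stored_pin = read_pin(login)          # contents of ~/.pin for that login, or None
    if stored_pin is None or not secrets.compare_digest(stored_pin, pin):
        return 401, {}
    key = secrets.token_urlsafe(32)       # random TokenKey cookie value
    store.set(key, login, COOKIE_TTL, now)
    return 200, {"TokenKey": key, "TokenLogin": login}

def auth(store, cookies, now):
    """/auth/: 200 and renew the key while valid; 401 (redirect to /gauth/) otherwise."""
    key = cookies.get("TokenKey", "")
    login = store.get(key, now)
    # TokenLogin feeds REMOTE_USER and is client-supplied, so it is bound to
    # the login stored with the key (an added check, not described in the README).
    if login is None or login != cookies.get("TokenLogin"):
        return 401
    store.set(key, login, RENEW_TTL, now)
    return 200
```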

How your application learns the login.
The REMOTE_USER variable is populated by httpd's SetEnvIf directive.
It comes from the TokenLogin cookie. So, if you're using nagios or web apps that rely on
REMOTE_USER, simply add
 SetEnvIf Cookie "TokenLogin=([a-zA-Z0-9\._-]+)" REMOTE_USER=$1
to your apache config and feel happy.

An example httpd.conf for an apache instance is provided. Use your IPs, ports
and email values.
An example config simsim.conf is provided. Use your values.
An example redis.conf is provided. Use your values.

II. Installation notes.
-----------------------
Configure ssh Google Authenticator, httpd + mod_auth_external, and redis.
Install the required python modules (python-iniparse, python-paramiko,
python-redis).
Chmod 755 simsim.py and put it into /usr/bin.
Run it.

III. Google Authenticator and users.
1) Create a user: useradd someuser-login
2) Echo some pin to /home/someuser-login/.pin, chmod it 400, chown it to
someuser-login
3) Install Google Authenticator
4) Synchronize time via ntp.
5) Generate Google Authenticator codes for someuser-login and check that
verification goes well.
6) Reduce the pam ssh requirements so that the ssh session no longer requires a
password from users. Leave just the Google Authenticator verification for them.
7) Configure the ssh server to use ChallengeResponseAuthentication by setting it to
yes.

IV. Radius Support.
Instead of the home-directory Google Authenticator check you may want to use radius auth.
Then use simrad.py instead of simsim.py and fill simsim.conf with the
correct values.

If you don't have a second server for failover, don't touch the radius2_*
variables; simrad will simply try the first server. It's OK.

V. Links.
http://lmgtfy.com/?q=google+authenticator+ssh
http://code.google.com/p/google-authenticator/
http://mitroko.com

Feel free to contact me. Yours, Dmitriy Stremkovskiy.