If you want to subscribe to this forum, use your Facebook account, or send us an email to forum - at - multiotp - dot - net and we will send you back an invitation.
MultiOTP PIN / SEED encryption with different back-end
I have two servers, one old that I would like to replace with new one. Both of them are CentOS, multiOTP + FreeRadius.
Old (current) configuration. CentOS 6.x, PHP from CentOS repository, FreeRadius 2 from CentOS repository, multiOTP v 188.8.131.52 with "files" back-end.
New configuration: CentOS 7 Linux with PHP installed from CentOS repository, MediaDB server installed from CentOS repository and FreeRadius 3.x from CentOS repository. Both - multiOTP and FreeRadius are using MariaDB as backend, two different schemes. But FreeRadius is out of scope for this question. MultiOTP version is 184.108.40.206 - current stable. Everything is working fine, I am able to create user, authenticate, etc, but I have security concern here.
On old server with multiOTP backend - file. Create user and then look into user.db file created by multiOTP I can see SEED and PIN in encoded form, e.g.
/opt/multiotp/multiotp.php -display-log -debug -create -prefix-pin test-motp TOTP ad2eb4329f1d2zz940db5ttce6be58274ee6b228 1010 6 30
On new server with backend "mysql" (and backend_type_validated to 1) in multiotp.ini and run same command to create user I can see new records in database in multiotp_users table, but token_seed, user_pin are stored in plan text
token_seed - ad2eb4329f1d2zz940db5ttce6be58274ee6b228
user_pin - 1010
that is not that secure as files back-end version. Is there anything I am missing in configuration that can change behavior and force multiOTP store information in MariaDB table also in "encrypted" form as in files or behavior of version 220.127.116.11 is different from 18.104.22.168. I have compared multiotp.ini from both servers and cannot see a lot of difference here. Sure this is some new settings appeared in new version's ini file and this is mysql connection parameters - but that is expected.
Can anyone point me into documentation or give a hint how can I force multiOTP 22.214.171.124 with mysql back-end store account's PIN and SEED in non-plain-text form in database.
This discussion has been closed.