TOTP Console Authentication Plugin

The TOTP (Time based One Time Password) Authentication Plugin is compatible with RFC 6238. Many smartphone applications are available to store the keys and compute the TOTP code.

The standard password, possibly TLS-authentication and encryption are still used to accept an incoming console connection. Once accepted, the Console will prompt for a second level of authentication with a TOTP secret key generated from a shared token.

To enable this feature, you need to install the bacula-enterprise-totp-dir-plugin package on your Director system, then set the PluginDirectory directive of the Director resource and configure the AuthenticationPlugin directive of a given restricted Console in the Director configuration file.

# in bacula-dir.conf
Director {
  Name = myname-dir
  ...
  Plugin Directory = /opt/bacula/plugins
}

Console {
   Name = "totpconsole"
   Password = "xxx"

   Authentication Plugin = "totp"
}

The matching Console configuration in bconsole.conf has no extra settings compared to a standard restricted Console.

# in bconsole.conf
Console {
  Name = totpconsole
  Password = "xxx"              # Same as in bacula-dir.conf/Console
}
Director {
  Name = mydir-dir
  Address = localhost
  Password = notused
}

At the first console connection, if the TLS link is correctly set up (using the shared secret key), the plugin will generate a specific random key for the console and display a QR code in the console output. The user must then scan the QR code with their smartphone using an app such as Aegis (open source) or Google Authenticator. The plugin can also be configured to send the QR code via an external program.

Note

The program qrencode (>=4.0) is used to convert the otpauth URL to a QR code. If the program is not installed the QR code can’t be displayed.

More information can be found in Console Multi-Factor Authentication Plugins.
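What the plugin, btotp and the authenticator app agree on is plain RFC 6238: a shared base32 secret, HMAC-SHA1 over a 30-second time counter, and a 6-digit truncation. The block below is an added, self-contained illustration of that algorithm (it is not Bacula or btotp code, and the issuer label "Bacula" and the drift window of one step are assumptions); it also builds the otpauth URL that qrencode turns into the QR code, and it is checked against the published RFC 4226 / RFC 6238 test vectors.

```python
"""RFC 6238 TOTP, added as an illustration of what the plugin and an
authenticator app compute.  This is example code, not part of Bacula."""
import base64
import hashlib
import hmac
import os
import struct
import time
from urllib.parse import quote


def generate_secret(nbytes=20):
    """Random shared secret, base32-encoded without padding: the form an
    authenticator app accepts inside an otpauth URL."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii").rstrip("=")


def _decode_secret(secret_b32):
    """Accept secrets with or without base32 padding, spaces, or lower case."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then the
    'dynamic truncation' of 31 bits reduced to `digits` decimal digits."""
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


def otpauth_url(issuer, account, secret_b32, digits=6, step=30):
    """The otpauth URL the app scans; qrencode renders exactly this string.
    The issuer name is an assumption for the example."""
    label = quote("%s:%s" % (issuer, account), safe=":")
    return ("otpauth://totp/%s?secret=%s&issuer=%s&algorithm=SHA1&digits=%d&period=%d"
            % (label, secret_b32, quote(issuer), digits, step))


def verify(secret_b32, code, at=None, step=30, digits=6, window=1):
    """Server-side check: accept the code for the current step and the
    `window` neighbouring steps (clock drift), comparing in constant time so
    the comparison itself leaks nothing about the expected code."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret_b32, counter + d, digits), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # Constructed enrolment for a hypothetical BWeb user, mirroring the
    # "bweb:" prefix convention used by btotp -n.
    secret = generate_secret()
    print(otpauth_url("Bacula", "bweb:alice", secret))
    print("current code:", totp(secret))
```

The test vectors used below come from RFC 4226 Appendix D and RFC 6238 Appendix B (ASCII secret "12345678901234567890", SHA-1). A code accepted one step late is the drift tolerance at work; the same code four steps later is rejected, which is the window doing its job of limiting replay.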

To use the TOTP Authentication plugin with BWeb Management Console, it is required to perform the following steps:

  • Create a system user via the adduser command named admin

  • Assign a password via passwd command

  • Activate the security option and the system_authentification parameter in the BWeb Management Console / Configuration / BWeb Configuration page

  • Login with the admin user and the password defined earlier

For each user that needs to be added:

  • Access the User administration page in BWeb Management Console / Configuration / Manage Users

  • Add a user username with the TOTP Authentication option of the Authentication parameter

  • Create a TOTP authentication key on the command line with the bacula account with btotp -c -n bweb:username

    The bweb: prefix is a requirement to distinguish between different login targets, namely bconsole without a prefix and BWeb with this one. The username can be freely chosen.

    Tip

    If the btotp command to create the secret is not run under the account the web server runs as, permissions and ownership to the generated file in the TOTP key storage directory will have to be modified:

    [root@ ~]# ls -al /opt/bacula/etc/conf.d/totp/
    total 8
    drwx------.  2 bacula bacula  53  9. Mar 14:39 .
    drwx------. 10 bacula bacula 128  9. Mar 06:55 ..
    -rw-------.  1 bacula bacula  31  9. Mar 06:55 KNSWG5LSMU
    [root@ ~]# /opt/bacula/bin/btotp -c -n bweb:Newuser
    /opt/bacula/etc/conf.d/totp//MJ3WKYR2JZSXO33VONSXE
    [root@ ~]# ls -al /opt/bacula/etc/conf.d/totp/
    total 12
    drwx------.  2 bacula bacula  82 10. Mar 04:58 .
    drwx------. 10 bacula bacula 128  9. Mar 06:55 ..
    -rw-------.  1 bacula bacula  31  9. Mar 06:55 KNSWG5LSMU
    -rw-------.  1 root   root    31 10. Mar 04:58 MJ3WKYR2JZSXO33VONSXE
    [root@ ~]# chown bacula. /opt/bacula/etc/conf.d/totp/MJ3WKYR2JZSXO33VONSXE
    [root@ ~]# ls -al /opt/bacula/etc/conf.d/totp/
    total 12
    drwx------.  2 bacula bacula  82 10. Mar 04:58 .
    drwx------. 10 bacula bacula 128  9. Mar 06:55 ..
    -rw-------.  1 bacula bacula  31  9. Mar 06:55 KNSWG5LSMU
    -rw-------.  1 bacula disk    31 10. Mar 04:58 MJ3WKYR2JZSXO33VONSXE
    [root@bsys-demo ~]#

    For security reasons, it may be best to set up a dedicated management account with rules for sudo to be able to call the btotp program as a restricted user and have it execute with proper permissions.

  • Display the TOTP QR Code on the command line with the bacula account with btotp -q -n bweb:username
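The Tip above shows the failure mode where a key file created as root is unreadable to the bacula account. The following added example (not part of Bacula or btotp) audits the key storage directory for that condition and for overly permissive modes; the path /opt/bacula/etc/conf.d/totp and the owner name bacula are taken from the listing above and are assumptions for any other installation. The sample store it builds for demonstration is constructed, not real key material.

```python
"""Audit the TOTP key storage directory: every entry should be a regular file
owned by the service account and readable by nobody else (mode 0600).
Added example code, not part of the plugin."""
import os
import pwd
import stat
import tempfile

TOTP_DIR = "/opt/bacula/etc/conf.d/totp"   # path shown in the documentation listing
EXPECTED_OWNER = "bacula"                   # account shown in the documentation listing


def audit_totp_dir(directory=TOTP_DIR, owner=EXPECTED_OWNER):
    """Return a list of (filename, problem) pairs; an empty list means clean."""
    expected_uid = pwd.getpwnam(owner).pw_uid
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)          # lstat: a symlink into the store is itself a finding
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
            continue
        if st.st_uid != expected_uid:
            findings.append((name, "owned by uid %d, expected %s (btotp run as another user?)"
                             % (st.st_uid, owner)))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((name, "mode %o grants group/other access"
                             % stat.S_IMODE(st.st_mode)))
    return findings


def make_sample_store():
    """Constructed sample: a throwaway directory holding one correctly
    protected key file and one that is group/world readable, both owned by
    the current user.  Returns (directory, current_user_name)."""
    d = tempfile.mkdtemp(prefix="totp-demo-")
    for name, mode in (("GOODKEY", 0o600), ("LOOSEKEY", 0o644)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("constructed-secret\n")
        os.chmod(path, mode)
    return d, pwd.getpwuid(os.getuid()).pw_name


if __name__ == "__main__":
    sample_dir, me = make_sample_store()
    for fname, problem in audit_totp_dir(sample_dir, me):
        print("%s: %s" % (fname, problem))
    # On a real system: audit_totp_dir() with the defaults above.
```

Run as a cron job or a post-step of the enrolment procedure, a non-empty result is the signal to apply the chown from the Tip. For the dedicated management account the Tip suggests, a sudoers rule restricted to the btotp binary run as bacula (one possible form, to be adapted: `mgmt ALL=(bacula) NOPASSWD: /opt/bacula/bin/btotp`) avoids creating root-owned key files in the first place.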

Note

The program qrencode (>=4.0) is used to convert the otpauth URL to a QR code. If the program is not installed the QR code can’t be displayed.

Tip

It is possible to create additional BWeb users with administrative privileges (“Administrator” profile) and “TOTP Authentication” Password Type. Those users will be able to administer all functions of BWeb (and Bacula through it). At this point you could even disable the admin account created using the adduser command, but please note that system_authentication (enable_system_auth) needs to remain set (in the BWeb configuration) in order for the TOTP authentication to remain functional.
