Duo Security Two Factor Authentication for Host Bill Admin Area

Started by UCG_Keith, June 24, 2013, 03:48:01 PM

UCG_Keith

Gents,

I am not a developer, but will provide the steps our CTO took to incorporate Duo Security's Two Factor Authentication into the HostBill Admin Login Page.

The following steps are directly from DuoSecurity's website:

First Steps

Before starting:

    Sign up for a Duo account (free for <10 users!)
    Create a new Web SDK integration to get an integration key, secret key, and API hostname. (See Getting Started for help.)
    Download and install a supported client library (Python, Ruby, Classic ASP, ASP.NET, Java, PHP, Node.js, ColdFusion, Perl).
    Use NTP to ensure that your server's time is correct.

Installation instructions

1. Generate an akey

Your application secret key (or akey) is a string that you should generate and keep secret from Duo. It should be at least 40 characters long and stored alongside your integration key and secret key in a configuration file.

2. Call sign_request()

After you perform primary authentication (e.g. look up a user's username and password in your database), you should call sign_request() which initializes the secondary authentication process.

sign_request() takes your integration key (ikey), secret key (skey), application secret key (akey), and the username of the user who just successfully completed primary authentication. (If users can change their usernames, you'll probably want to use something that won't change, like an email address or primary key.)

3. Show the IFRAME

After generating the signed request, your server should now display a second page that will contain the Duo IFRAME used for secondary authentication.

Duo's JavaScript handles the setup and communication between the IFRAME, the user, and your server. All you need to do is include a short snippet of JavaScript in the page.

<script src="/path/to/Duo-Web-v1.js"></script>
<script>
  // host:        your API hostname (api-********.duosecurity.com), not a code
  // sig_request: the value returned server-side by sign_request()
  // post_action: the URL on your server that receives the POSTed sig_response
  Duo.init({
    'host': 'API_HOSTNAME_FROM_DUOSECURITY',
    'sig_request': 'sig_request',
    'post_action': 'post_action'
  });
</script>


Then put an IFRAME on the page with an id of duo_iframe. This is where the secondary authentication prompt will appear. For example:

<iframe id="duo_iframe" width="100%" height="500" frameborder="0"></iframe>

Duo.init() takes the following options:
host         Your API hostname (api-********.duosecurity.com)
sig_request  The signed request generated by sign_request()
post_action  The server-side URI where the secondary authentication results (the signed response) should be POSTed

When this page loads, the JavaScript snippet will automagically set up the IFRAME, prompt the user for secondary authentication, and POST back the results to your server.

4. Call verify_response()

After the user authenticates (e.g. via phone call, SMS passcode, etc.) the IFRAME will generate a signed response called sig_response and POST it back to the post_action URL. Your server-side code should then call verify_response() to verify that the signed response is legitimate.

verify_response() takes your integration key (ikey), secret key (skey), application secret key (akey), and the signed response as inputs. It will return the username of the authenticated user if the response is valid, or null (None in Python, Nil in Ruby, etc.) if the response is invalid.

The following information is where we have it installed in HB:

/home/***/public_html/admin/templates/default
upload the DS php directory and content (duo_php-*******)

DuoSecurity Edits
/home/***/public_html/admin/templates/default/duo_php-*******/demos/simple
There are 3 files
1. duo_web.php
2. Duo-Web-v1.bundled.min.js
3. index.php

You should place duo_web.php and Duo-Web-v1.bundled.min.js there without editing them.

The index.php is where you will need to modify the following:

Line 18: define("AKEY", "your generated_key-40_character_length");  // constant name must be quoted; keep akey secret from Duo, 40+ chars
Line 24: define("IKEY", "from_DS_portal");  // integration key
Line 25: define("SKEY", "from_DS_portal");  // secret key
Line 26: define("HOST", "from_DS_portal");  // API hostname, api-********.duosecurity.com

Once finished, it should work.  Feel free to update this as needed as I hope I included everything that Alan did.  I copied this over a conference call so I hope I included everything.

Enjoy!
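
Worked example of the four steps above (generate an akey, sign_request(), the Duo round trip, verify_response()) in Python. This is added here for illustration; it is not part of Keith's post and not the duo_php library he describes, which is what the HostBill install should use. It re-implements the Web SDK v1 signing scheme as published in Duo's reference clients (HMAC-SHA1 over a TX/APP/AUTH-prefixed, base64-encoded "user|ikey|expiry" payload); the keys, the username, the fixed clock value and simulate_duo_service() (a stand-in for the real IFRAME round trip) are all constructed for the example. The point it shows is the split-key design: Duo signs its half with skey, the application signs its half with the akey Duo never sees, and verify_response() accepts a login only when both halves verify, are unexpired and name the same user.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Prefixes, lifetimes and key lengths of the Duo Web SDK v1 signing scheme.
# ASSUMPTION: they follow Duo's published v1 reference clients; this file is an
# illustrative re-implementation written for this thread, not Duo's duo_php.
DUO_PREFIX, APP_PREFIX, AUTH_PREFIX = "TX", "APP", "AUTH"
DUO_EXPIRE, APP_EXPIRE = 300, 3600      # seconds the TX/AUTH and APP halves stay valid
IKEY_LEN, SKEY_LEN, AKEY_LEN = 20, 40, 40

def generate_akey():
    """Step 1: a 40-hex-char application secret that Duo never sees (OS CSPRNG)."""
    return secrets.token_hex(20)

def _sign_vals(key, vals, prefix, expire, now=None):
    """Return PREFIX|base64(user|ikey|expiry)|hex(HMAC-SHA1(key, PREFIX|base64))."""
    exp = str(int(time.time() if now is None else now) + expire)
    cookie = f"{prefix}|" + base64.b64encode("|".join(vals + [exp]).encode()).decode()
    return cookie + "|" + hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()

def _parse_vals(key, val, prefix, ikey, now=None):
    """Verify one signed half; return its username, or None on any failure."""
    ts = int(time.time() if now is None else now)
    try:
        u_prefix, u_b64, u_sig = val.split("|")
        expected = hmac.new(key.encode(), f"{u_prefix}|{u_b64}".encode(), hashlib.sha1).hexdigest()
        if u_prefix != prefix or not hmac.compare_digest(expected, u_sig):  # MAC first, constant-time
            return None
        user, u_ikey, exp = base64.b64decode(u_b64, validate=True).decode().split("|")
    except (ValueError, TypeError, UnicodeDecodeError):
        return None
    if u_ikey != ikey or not exp.isdigit() or ts >= int(exp):
        return None
    return user

def sign_request(ikey, skey, akey, username, now=None):
    """Step 2: call only after primary auth succeeded. Returns 'TX|..:APP|..'."""
    if (not username or "|" in username or len(ikey) != IKEY_LEN
            or len(skey) != SKEY_LEN or len(akey) < AKEY_LEN):
        raise ValueError("bad username or key length")
    vals = [username, ikey]
    return (_sign_vals(skey, vals, DUO_PREFIX, DUO_EXPIRE, now) + ":"
            + _sign_vals(akey, vals, APP_PREFIX, APP_EXPIRE, now))

def verify_response(ikey, skey, akey, sig_response, now=None):
    """Step 4: return the username only if the AUTH half (Duo, skey) and the APP
    half (us, akey) both verify, are unexpired and name the same user; else None."""
    try:
        auth_sig, app_sig = sig_response.split(":")
    except ValueError:
        return None
    auth_user = _parse_vals(skey, auth_sig, AUTH_PREFIX, ikey, now)
    app_user = _parse_vals(akey, app_sig, APP_PREFIX, ikey, now)
    return auth_user if auth_user is not None and auth_user == app_user else None

def simulate_duo_service(ikey, skey, sig_request, now=None):
    """Constructed stand-in for Duo's IFRAME round trip (step 3): check the TX half
    with skey, assume the second factor succeeds, and return the sig_response the
    IFRAME would POST. Duo never has akey, so the APP half passes through as-is."""
    tx_sig, _, app_sig = sig_request.partition(":")
    user = _parse_vals(skey, tx_sig, DUO_PREFIX, ikey, now)
    if user is None:
        return None
    return _sign_vals(skey, [user, ikey], AUTH_PREFIX, DUO_EXPIRE, now) + ":" + app_sig

def demo(now=1_000_000):
    """Happy path plus three rejections, with constructed keys and a fixed clock."""
    ikey, skey, akey, user = "DI" + "X" * 18, "s" * 40, "a" * 40, "hostbill-admin"
    resp = simulate_duo_service(ikey, skey, sign_request(ikey, skey, akey, user, now), now)
    results = {"valid": verify_response(ikey, skey, akey, resp, now)}
    # The AUTH half is only good for DUO_EXPIRE seconds (hence the NTP advice above).
    results["expired"] = verify_response(ikey, skey, akey, resp, now + DUO_EXPIRE + 1)
    # A stolen skey is not enough: a response whose APP half was made with another akey fails.
    other = simulate_duo_service(ikey, skey, sign_request(ikey, skey, "b" * 40, user, now), now)
    results["wrong_akey"] = verify_response(ikey, skey, akey, other, now)
    # Swapping the username inside Duo's half while reusing our APP half also fails.
    spliced = (_sign_vals(skey, ["attacker", ikey], AUTH_PREFIX, DUO_EXPIRE, now)
               + ":" + resp.split(":")[1])
    results["spliced"] = verify_response(ikey, skey, akey, spliced, now)
    return results

if __name__ == "__main__":
    print(demo())
```

In a real deployment the username passed to sign_request() should be the stable identifier the post mentions (primary key or e-mail), and the sig_response must only be accepted on the post_action URL for the session that started the primary login.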

Lawrence

Excellent! Saved us all $199.10 literally. ;)

Thanks Keith for this great writeup.
Skype: sociallarry | AIM: larry.aim@aim.com

These forums are hosted by me with no intention to ever monetize them. These forums are here solely for the benefit of the HostBill community.

Fusionhost

fusionhost - www.fusionhost.co.uk
Leading British Cloud Web Hosting Provider