[REDMINE ISSUE 22] Strong Auth/OTP Support

Posted: Fri May 20, 2011 5:27 am
by flavio.vettori
Hi all,
it would be nice to have support for some dialog box asking for a one-time password token, usually merged with the simple password (the one stored in the mRemote profile) in strong auth systems.

Thank you,


Re: Strong Auth/OTP Support

Posted: Wed May 25, 2011 3:25 pm
by thrilleratplay
What you are looking for is just a single password for encrypting passwords and nothing more? I am curious if it is just the connection conf file you are worried about or locking mRemoteNG to prevent others from accessing it when at a physical open workstation?

We hope to add in more support for other forms of storing connection information such as complete SQL Server support, MySQL and Access. With these there would be the option to store the password locally or to prompt for it when opening mRemoteNG. For XML files, I was thinking about allowing the user to encrypt the entire file by hashing it using their own password, but there would need to be a great deal of testing done and a safeguard of some sort added.

Re: [REDMINE ISSUE 22] Strong Auth/OTP Support

Posted: Mon Jun 13, 2011 1:52 am
by flavio.vettori
Sorry, I wasn't checking the forum for a while so I missed your reply.

Let me try to explain, even if this ain't my focus so I might be a little confusing (hope not).

In a strong authentication environment you cannot use a stored user/password couple to authenticate against a database: given this statement, one solution is to adopt a One Time Password framework where usually the user is given a physical token-generator whose algorithm is shared with a server-side machine;

when the user tries to gain access to the system, typically he must enter logon information based on a username, unique and always known, and a password created from the merge of a pass-phrase and the "one-time-token".

-user= user1

Every time I log into a system I need to provide that form of "logonpassword" where "abc321" can be saved into mRemoteNG but "randomtoken" has to be asked for every time.

Hope I was able to explain.

Thank you,

Re: [REDMINE ISSUE 22] Strong Auth/OTP Support

Posted: Mon Jun 13, 2011 6:58 pm
by thrilleratplay
I think I understand.

I used to log in using a Cisco VPN key fob system. To access the network, I entered a username, and for the password it was a four digit PIN and a 6 digit token that was generated every 10 seconds on a keyfob I had on me. Without the generated token for that 10 second window, I would not be able to log in using the user name and PIN.

The type of system this is implemented on is typically manufactured by a network security company (Cisco, RSA, ...). This is more of a VPN tunnel and I cannot see this being added to mRemote. There are too many different remote systems and VPN types to be able to implement or support it.

Re: [REDMINE ISSUE 22] Strong Auth/OTP Support

Posted: Mon Jun 13, 2011 8:49 pm
by rmcardle
There are some systems that work by just adding the OTP to the end of a normal password. That could be accommodated by mRemoteNG, but I'll have to think about the UI design for configuring that.
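
The "OTP appended to a normal password" scheme discussed in this thread, seen from the verifying side, as an added example that is not code from any poster or from mRemoteNG. It assumes an RFC 6238 TOTP token (6 digits, 30 second step) and a PBKDF2 passphrase hash; all function names and constants are hypothetical.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6        # assumption: token length
TIME_STEP = 30        # assumption: RFC 6238 default step, in seconds
PBKDF2_ROUNDS = 100_000


def totp(secret: bytes, unix_time: int, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def split_logon_password(logon_password: str, digits: int = OTP_DIGITS):
    """Split 'passphrase + token' into (passphrase, token); None if malformed."""
    if len(logon_password) <= digits:
        return None
    passphrase, token = logon_password[:-digits], logon_password[-digits:]
    if not (token.isascii() and token.isdigit()):
        return None
    return passphrase, token


def verify_logon(logon_password, stored_hash, salt, secret, unix_time,
                 last_step=-1, drift=1):
    """Return the accepted time step, or None. The caller stores the returned
    step as last_step so the same token cannot be replayed."""
    parts = split_logon_password(logon_password)
    if parts is None:
        return None
    passphrase, token = parts
    # Check both factors before answering, so a failure does not say which was wrong.
    pass_ok = hmac.compare_digest(hash_passphrase(passphrase, salt), stored_hash)
    now_step = unix_time // TIME_STEP
    accepted = None
    for step in range(now_step - drift, now_step + drift + 1):  # tolerate clock drift
        if step > last_step and hmac.compare_digest(totp(secret, step * TIME_STEP), token):
            accepted = step
    return accepted if pass_ok else None
```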

Re: [REDMINE ISSUE 22] Strong Auth/OTP Support

Posted: Tue Jun 14, 2011 4:43 am
by flavio.vettori
Actually we're using this method to access every machine in our systems which can rely on an external authentication authority (RADIUS, TACACS, Kerberos), such as appliances, servers, devices... that means RDP, SSH or telnet sessions.

This situation made me hunt for a workaround for a while: the fix in my case was to keep mRemoteNG as the database for classic username/pw couples but to refer to a custom external app (with some scripting support, even a .vbs) for everything about the connection type, basing the choice on the "Port" parameter.

So I run my ext_app from "mremoteng command line" passing %hostname% %username% %password% %port% to a script, popping OTP request and so on. Ugly solution.

Thanks, bye

Re: [REDMINE ISSUE 22] Strong Auth/OTP Support

Posted: Wed Jul 20, 2011 12:40 am
by ctux

In some of my cases too, a popup that asks for a password (or OTP), used alone or as a suffix to a previously saved one, would be very convenient.

I would like the implementation of this feature! ;-)