One Time Passwords via an SMS Gateway with BIG-IP Access Policy Manager
One time passwords, or OTP, are used (as the name indicates) for a single session or transaction. The plus side is a more secure deployment, the downside is two-fold—first, most solutions involve a ...
Published Feb 08, 2011
Version 1.0
JRahm
Admin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
Ferg_104721
Nimbostratus
Apr 10, 2012
Hi,
I would like to add some additional info I have gathered during the implementation of the email-based OTP design. The build I have implemented is based on a version of the F5 tutorial provided, with a slight difference. My client is not using an SMS gateway or an email server to send emails to the user but a mixture of both; the principle is still the same for the email-based OTP.
My build works like this: the F5 points to an SMTP server as a relay server, which sends an email to mysmsserviceonline@telco.com to send the text message to the user.
I followed the instructions to set up mail relay from the guide:
http://support.f5.com/kb/en-us/solutions/public/3000/600/sol3664.html
ltm01 ~ cat /etc/postfix/main.cf | grep relay
relayhost = [smtp.server.com]
To provide accountability and auditability for my client, I created a custom log, using the guide below:
https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084377/Writing-to-and-rotating-custom-log-files.aspx
OTP Email Script
I amended the script to my needs:
#!/bin/bash
while true
do
    tail -n0 -f /var/log/customlog | while read line
    do
        var2=`echo "$line" | grep -i otp | awk -F'[,]' '{ print $2 }'`
        var3=`echo "$line" | grep -i otp | awk -F'[,]' '{ print $3 }'`
        var4=`echo "$line" | grep -i otp | awk -F'[,]' '{ print $4 }'`
        # Mobile number from AD
        var6=`echo "$line" | grep -i otp | awk -F'[,]' '{ print $6 }'`
        # Strip whitespace from the mobile number
        var6=`echo "$var6" | sed 's/ //g'`
        if [ "$var3" = "otp" -a -n "$var4" ]; then
            # I was required to amend the header to lock down who was requesting access
            # by using '-- -f', with the email address pulled from AD
            echo One Time Password is $var4 | mail $var6@telcosmsgateway.com -- -f user@myclient.com
        fi
    done
done
I had several issues with the script being called; basically, if I ran it manually it would work, however the script wouldn't get called automatically. I tried several options before I came up with my solution; one suggestion was to use the user_alert config file to call my program. This worked in a fashion, but the delay between when it was called was too great for the APM session.
https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/44/aft/1178752/showtab/groupforums/Default.aspx1227184
https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/256/Custom-SNMP-Traps.aspx
To get around my issue I came up with two custom scripts to ensure the script ran in the background. The first would run every 5 minutes to check the script is still running and restart it if necessary, and the other would restart the script at 4:05am.
The reason for the second script was that I encountered some issues with the log file rollover; the script was still running but would not process requests. I believe the issue was due to the custom log being tarred, and so the 'while true' was no longer valid.
I tested this by manually deleting the log and testing. It held true; I had to manually restart syslog-ng to make the script write to the log again.
These are the scripts I used:
OTPEmailCheck.sh
#!/bin/bash
RUNNING=`ps -ef | grep OTPEmail.sh | grep -v grep | awk '{print $2}'`
echo $RUNNING
# If the variable RUNNING has not been defined, i.e. is empty, then run the script
if [[ -z $RUNNING ]]; then
    /config/OTPEmail.sh &
    echo "script started"
else
    echo "already running"
fi
OTPEmailRestart.sh
#!/bin/bash
RUNNING=`ps -ef | grep OTPEmail.sh | grep -v grep | awk '{print $2}'`
echo $RUNNING
if [[ -z $RUNNING ]]; then
    echo "OTPEmail.sh is not running. OTPEmailCheck.sh will start program within 5mins"
else
    KILL=`kill -9 $RUNNING`
    echo $KILL
    /config/OTPEmail.sh &
    echo "OTPEmail.sh was restarted"
fi
Crontab
# every 5 minutes: make sure OTPEmail.sh is still running
*/5 * * * * /bin/bash /root/scripts/OTPEmailCheck.sh
# 4:05am daily: restart OTPEmail.sh after the log rollover
5 4 * * * /bin/bash /root/scripts/OTPEmailRestart.sh
After that it worked as desired.
Hope this helps someone else who's having issues.
Ferg.
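An added example (my own code, not Ferg's or F5's) that serves both the log-parsing script and the log-rollover problem in the post above: it validates the comma-separated record before anything reaches the mail command, and follows the log by name with tail -F so a rotated or recreated file is picked up without the watchdog scripts. The gateway domain, the sample log lines and the log line layout (field 3 = "otp", field 4 = the password, field 6 = the mobile number from AD) are assumptions taken from the script above.

```shell
#!/bin/bash
# Added example, not Ferg's or F5's code. Parses one custom-log line in the
# comma-separated layout the script above relies on and validates the fields
# before they are used as a recipient or message body. The gateway domain and
# the sample lines used in testing are constructed placeholders.

GATEWAY_DOMAIN="telcosmsgateway.example"   # placeholder, not a real gateway

# Print "<mobile> <otp>" and return 0 for a valid OTP record; return 1 otherwise.
parse_otp_line() {
    line=$1
    kind=$(printf '%s\n' "$line" | awk -F',' '{print $3}' | tr -d ' \t')
    otp=$(printf '%s\n' "$line" | awk -F',' '{print $4}' | tr -d ' \t')
    mobile=$(printf '%s\n' "$line" | awk -F',' '{print $6}' | tr -d ' \t')
    [ "$kind" = "otp" ] || return 1
    # An empty OTP or a mobile field holding anything but digits is rejected,
    # so a malformed log line can never become an arbitrary recipient or message.
    case $otp in ''|*[!A-Za-z0-9]*) return 1 ;; esac
    case $mobile in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$mobile" "$otp"
}

# Recipient address at the SMS gateway for a validated mobile number.
gateway_address() {
    printf '%s@%s\n' "$1" "$GATEWAY_DOMAIN"
}

# Deliver one validated record with the same mail invocation shape as the post.
send_otp() {
    rec=$(parse_otp_line "$1") || return 1
    mobile=${rec%% *}
    otp=${rec#* }
    echo "One Time Password is $otp" | mail "$(gateway_address "$mobile")" -- -f user@myclient.com
}

# Follow the log by name (-F) so a rotated or recreated file is reopened
# automatically; this is the failure the two watchdog scripts work around.
follow_log() {
    tail -n0 -F "$1" | while IFS= read -r line; do
        case $line in *[Oo][Tt][Pp]*) send_otp "$line" ;; esac
    done
}

if [ "${1-}" = "--follow" ]; then
    follow_log "${2:-/var/log/customlog}"
fi
```

Run it as `./otp_follow.sh --follow /var/log/customlog` to replace the `tail -f` loop; the functions can also be sourced and exercised on single lines.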