This basic plugin adds a second-factor authentication device (SMS, OTP, ...) backed by external commands that send or validate the second factor. The commands can be written in any language able to call your 2nd factor system.
Commands receive their arguments on the command line and must exit with code 0 on success and a non-zero code otherwise. Nothing must be written to STDOUT; STDERR is reported in the logs (but may be lost with a FastCGI server).
All parameters are configured in "General Parameters » Portal Parameters » Extensions » External 2nd Factor".
Send command, for example:
  /usr/local/bin/sendOtp --uid $uid
or, if the code is generated by the Portal:
  /usr/local/bin/sendCode --uid $uid --code $code

Validation command, for example:
  /usr/local/bin/verify --uid $uid --code $code
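As an added example (not code from the LemonLDAP::NG project), the following POSIX shell script implements a matching send and verify command pair for the mode where the Portal generates the code. It follows the contract above: arguments on the command line, exit 0 on success, non-zero otherwise, nothing on STDOUT, diagnostics on STDERR. The state directory, file layout, time-to-live and attempt limit are assumptions, and the delivery step appends to a spool file as a stand-in for whatever SMS or OTP gateway you actually call.

```shell
#!/bin/sh
# Added example (not LemonLDAP::NG project code): send/verify commands for
# the External 2nd Factor plugin in "code generated by the Portal" mode.
# Contract: args on the command line, exit 0 = success, non-zero = failure,
# nothing on STDOUT, diagnostics on STDERR.
# STATE_DIR, CODE_TTL, MAX_ATTEMPTS and the spool file are assumptions.

STATE_DIR="${EXT2F_STATE_DIR:-/var/lib/llng-ext2f}"  # must be writable by httpd
CODE_TTL="${EXT2F_CODE_TTL:-300}"                    # seconds a sent code stays valid
MAX_ATTEMPTS="${EXT2F_MAX_ATTEMPTS:-3}"              # wrong guesses before the code is burned

log() { printf 'ext2f: %s\n' "$*" >&2; }             # STDERR only, never STDOUT

sha256() { printf '%s' "$1" | sha256sum | cut -d' ' -f1; }

# Parse "--uid X --code Y" into UID_ARG / CODE_ARG and reject uids that could
# escape the state directory or carry shell metacharacters.
parse_args() {
    UID_ARG=""; CODE_ARG=""
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { log "missing value for $1"; return 1; }
        case "$1" in
            --uid)  UID_ARG="$2" ;;
            --code) CODE_ARG="$2" ;;
            *) log "unknown argument: $1"; return 1 ;;
        esac
        shift 2
    done
    case "$UID_ARG" in
        ''|*[!A-Za-z0-9._@-]*) log "invalid uid"; return 1 ;;
    esac
    return 0
}

# send: the Portal generated $code. Record only its hash plus a timestamp and
# an attempt counter, then hand the clear-text code to the delivery channel
# (here an outbox spool file standing in for an SMS gateway call).
send_code() {
    parse_args "$@" || return 1
    [ -n "$CODE_ARG" ] || { log "send needs --code"; return 1; }
    umask 077
    mkdir -p "$STATE_DIR" || return 1
    printf '%s %s 0\n' "$(sha256 "$CODE_ARG")" "$(date +%s)" > "$STATE_DIR/$UID_ARG.pending" || return 1
    printf '%s %s\n' "$UID_ARG" "$CODE_ARG" >> "$STATE_DIR/outbox.spool" || { log "delivery failed"; return 1; }
    return 0
}

# verify: accept the code once, within the TTL, with a bounded number of
# wrong guesses; any terminal outcome deletes the pending file.
verify_code() {
    parse_args "$@" || return 1
    [ -n "$CODE_ARG" ] || { log "verify needs --code"; return 1; }
    f="$STATE_DIR/$UID_ARG.pending"
    [ -f "$f" ] || { log "no pending code for $UID_ARG"; return 1; }
    read -r stored_hash stamp attempts < "$f"
    now=$(date +%s)
    if [ $((now - stamp)) -gt "$CODE_TTL" ]; then
        rm -f "$f"; log "code expired for $UID_ARG"; return 1
    fi
    if [ "$(sha256 "$CODE_ARG")" = "$stored_hash" ]; then
        rm -f "$f"                          # one-shot: a replayed code fails
        return 0
    fi
    attempts=$((attempts + 1))
    if [ "$attempts" -ge "$MAX_ATTEMPTS" ]; then
        rm -f "$f"; log "too many attempts for $UID_ARG"; return 1
    fi
    printf '%s %s %s\n' "$stored_hash" "$stamp" "$attempts" > "$f"
    log "wrong code for $UID_ARG"
    return 1
}

# One file serves as both commands; configure them in the Manager as
#   /usr/local/bin/ext2f send --uid $uid --code $code
#   /usr/local/bin/ext2f verify --uid $uid --code $code
case "${1:-}" in
    send)   shift; send_code "$@" ;;
    verify) shift; verify_code "$@" ;;
esac
```

The state directory must be writable by the user httpd runs the script as, and the hash comparison with `[ ... = ... ]` is not constant-time; that is acceptable for a short-lived, attempt-limited code but should not be copied into a long-lived secret check.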
If your server is enforcing SELinux policies, make sure your external script has a label that httpd is allowed to execute. For example, storing your script in /usr/local/bin/ will give it a bin_t label that works correctly. If your script has the httpd_sys_script_exec_t type, it will only be able to make outbound network requests if the SELinux boolean httpd_can_network_connect is enabled. If your script has any other label, it will probably not work at all.
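As an added example (not part of the LemonLDAP::NG documentation or project), the following shell helper applies the rule above as a pre-flight check: it reads the script's SELinux type from `ls -Z` and the state of httpd_can_network_connect from `getsebool`, and tells the operator what to fix. The decision logic is taken from the paragraph above; the parsing and the remediation commands are my own.

```shell
#!/bin/sh
# Added example (not from LemonLDAP::NG): pre-flight check that an external
# 2F script carries an SELinux type httpd can execute. Rule from the docs:
# bin_t is fine; httpd_sys_script_exec_t needs httpd_can_network_connect for
# outbound requests; anything else is unlikely to work.

# Extract the type field (third colon-separated field) from a full context
# such as "system_u:object_r:bin_t:s0".
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Decide from a context string and a "getsebool" output line
# ("httpd_can_network_connect --> on") whether the script can run and reach
# the network. This is an operator tool, not the 2F command itself, so it may
# print to STDOUT. Returns 0 = ok, 1 = boolean needed, 2 = relabel needed.
selinux_verdict() {
    ctx="$1"; bool_line="$2"
    case "$(context_type "$ctx")" in
        bin_t)
            echo "ok: bin_t is executable by httpd"; return 0 ;;
        httpd_sys_script_exec_t)
            case "$bool_line" in
                *"--> on")
                    echo "ok: httpd_sys_script_exec_t and httpd_can_network_connect is on"; return 0 ;;
                *)
                    echo "network blocked: run 'setsebool -P httpd_can_network_connect on'"; return 1 ;;
            esac ;;
        *)
            echo "relabel needed: move the script under /usr/local/bin and run 'restorecon -v <script>', or 'chcon -t bin_t <script>'"; return 2 ;;
    esac
}

# Live wrapper: read the real context (GNU ls -Z prints it before the name)
# and the real boolean state for a script path, then apply the rule.
check_script() {
    ctx=$(ls -Z "$1" 2>/dev/null | awk '{print $1}')
    bool_line=$(getsebool httpd_can_network_connect 2>/dev/null)
    selinux_verdict "$ctx" "$bool_line"
}
```

Run `check_script /usr/local/bin/verify` as root on the Portal host after installing the script; `chcon` changes are lost on a relabel, so prefer placing the script where the policy already assigns bin_t.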