Server Authentication
This resource describes how King Phisher users authenticate to the server in order to use the provided RPC interface.
The King Phisher server uses PAM to authenticate its users, so anyone who wishes to log into the server must have a valid system account. The client uses the credentials provided to it to open an SSH connection to the server, over which RPC requests are port-forwarded. Each RPC request is also authenticated with the same credential pair.
Starting in version 1.0.0, King Phisher supports authenticating users with Time-based One-Time Passwords (TOTP) that are compatible with popular applications such as Google Authenticator. To use this feature, users must run the tools/otp_enroll.py script on the server to set a new TOTP secret. This secret must then be entered into the TOTP application the user would like to use. Once a TOTP secret is set on an account, the King Phisher client will require the one-time code when logging in: an OTP field is made available after the user provides a valid username and password combination.
The following command can be used to enroll a user in TOTP by generating a random OTP secret and assigning it to their account.
tools/otp_enroll.py -c SERVER_CONFIG_FILE USERNAME set
The OTP enrollment script also prints a provisioning URI, which can optionally be converted to a QR code suitable for scanning into most authenticator applications. Converting the URI to a QR code is not supported by King Phisher itself but can be accomplished with commonly available tools.
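The enrollment and login flow described above rests on the standard TOTP algorithm (RFC 6238, HMAC-SHA1 over a 30-second time step) and on the otpauth:// provisioning URI format understood by Google Authenticator and similar applications. The following is an added example that implements both sides of that flow in plain Python; it is not code from King Phisher or from tools/otp_enroll.py. The function names, the issuer string "King Phisher", the one-step tolerance window and the constant-time comparison are choices made here for illustration; the test secret is the RFC 6238 reference key, not a real account secret.

```python
"""TOTP enrollment and verification, added example (not King Phisher's own code)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote, urlencode

# RFC 6238 reference secret ("12345678901234567890" in ASCII), Base32-encoded.
# Used only so the results below are checkable against the RFC test vectors.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret(num_bytes=20):
    """Generate a random Base32 secret (what an enroll-style 'set' command would store)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def _decode_secret(secret_b32):
    # Accept lower-case and unpadded input as authenticator apps do; re-pad for b32decode.
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned, casefold=True)


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = _decode_secret(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % 10 ** digits).zfill(digits)


def totp(secret_b32, for_time=None, digits=6, period=30):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret_b32, int(for_time // period), digits)


def verify_totp(secret_b32, code, for_time=None, window=1, digits=6, period=30):
    """Server-side check of a submitted code.

    `window` (assumption: 1 step either side) tolerates clock skew between the
    user's phone and the server. Comparison is constant-time so a verifier
    does not leak how many leading digits matched.
    """
    if for_time is None:
        for_time = time.time()
    step = int(for_time // period)
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, step + delta, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def provisioning_uri(secret_b32, username, issuer="King Phisher"):
    """Build the otpauth:// URI that authenticator apps import (usually via a QR code)."""
    label = quote(issuer) + ":" + quote(username)
    query = urlencode({"secret": secret_b32, "issuer": issuer}, quote_via=quote)
    return "otpauth://totp/%s?%s" % (label, query)


if __name__ == "__main__":
    secret = new_secret()
    print("enroll:", provisioning_uri(secret, "alice"))
    code = totp(secret)
    print("current code:", code, "verifies:", verify_totp(secret, code))
```

Once the user scans the URI, the only state the server keeps is the Base32 secret; verification needs nothing from the phone except the six digits it displays, which is why the client can simply prompt for them after the password check has passed.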