This example is for Gentoo.
Download and install mod_authn_otp. An ebuild for Gentoo is available in my overlay.
Enable it in the Apache configuration:
    LoadModule authn_otp_module modules/mod_authn_otp.so
Gentoo way: add "-D AUTHN_OTP" in /etc/conf.d/apache2
Creating OTP users file
    cd /etc/apache2
    mkdir otp
    chown apache:apache otp
I agree, it’s not really secure to let apache create files in this directory, but it’s required by mod_authn_otp.
Place otp.users in this directory
    #Token Types:
    # HOTP       - HOTP event-based token with six digit OTP
    # HOTP/E     - HOTP event-based token with six digit OTP
    # HOTP/E/8   - HOTP event-based token with eight digit OTP
    # HOTP/T30   - HOTP time-based token with 30 second interval and six digit OTP
    # HOTP/T60   - HOTP time-based token with 60 second interval and six digit OTP
    # HOTP/T60/5 - HOTP time-based token with 60 second interval and five digit OTP
    # MOTP       - Mobile-OTP time-based token 10 second interval and six digit OTP
    # MOTP/E     - Mobile-OTP event-based token with six digit OTP
    #Type Username PIN Seed
    #we are using time-based token with 30 seconds and our user has no PIN.
    HOTP/T30 user - bfdc1e7020e88dfaa4785136156929020258121d
If you are using a PIN, you have to prefix the one-time password from your token with this PIN.
Change the permissions
    chown root:apache otp.users
    chmod 660 otp.users
Authentication configuration with Apache
Create an authentication configuration like this:
    <Directory "/protected/stuff">
        AuthType basic
        AuthName "My Protected Area"
        AuthBasicProvider OTP
        Require valid-user
        OTPAuthUsersFile /etc/apache2/otp/otp.users
        OTPAuthLogoutOnIPChange On
        OTPAuthMaxLinger 600
    </Directory>
- Problems with time-based software tokens because of clock offset on the mobile device. A workaround is to use ClockSync on Android.
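To check an otp.users entry and a token's clock offset outside Apache, the following added example (not part of the original post or of mod_authn_otp) parses a users-file line and computes the password the server should accept. It assumes HOTP/Tnn entries are standard RFC 4226/6238 codes with HMAC-SHA1; all function names are hypothetical, and `new_user_line` creates a fresh random seed so the one printed above is not reused.

```python
import hashlib
import hmac
import secrets
import struct

def parse_user_line(line):
    """Split one otp.users entry: type, username, PIN ('-' = none), hex seed."""
    token_type, username, pin, seed_hex = line.split()[:4]
    return token_type, username, "" if pin == "-" else pin, bytes.fromhex(seed_hex)

def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def expected_password(line, now, step_offset=0):
    """Password to type at Unix time `now`: PIN (if any) followed by the OTP.

    step_offset shifts the time step to model a token whose clock is off.
    """
    token_type, _user, pin, seed = parse_user_line(line)
    parts = token_type.split("/")        # e.g. HOTP/T30 or HOTP/T60/5
    if parts[0] != "HOTP" or len(parts) < 2 or not parts[1].startswith("T"):
        raise ValueError("only time-based HOTP/Tnn entries are handled here")
    interval = int(parts[1][1:])
    digits = int(parts[2]) if len(parts) > 2 else 6
    return pin + hotp(seed, int(now) // interval + step_offset, digits)

def new_user_line(username, pin="-"):
    """Build an otp.users entry with a fresh random 160-bit seed."""
    return f"HOTP/T30 {username} {pin} {secrets.token_hex(20)}"

if __name__ == "__main__":
    import time
    line = new_user_line("user")         # constructed sample entry
    print(line)
    print("current OTP: ", expected_password(line, time.time()))
    print("one step off:", expected_password(line, time.time(), step_offset=1))
```

If the code shown by the phone only matches the output for a non-zero `step_offset`, the token's clock is off by at least one interval.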