Using One-Time-Password with Apache

· by Artem Sidorenko · Read in about 2 min · (315 words)
linux security apache otp

We are going to implement authentication with One-Time-Passwords generated via the HOTP/OATP algoritm(see RFC) with Apache. We will use mod_authn_otp for it.

This example is for Gentoo.

Installation

Download and install mod_authn_otp. Ebuild for gentoo is available in my overlay.

Enable it in apache configuration

LoadModule authn_otp_module modules/mod_authn_otp.so`

Gentoo way: add “-D AUTHN_OTP” in /etc/conf.d/apache2

Tokens

You can get a hardware token(really cheap 10-20€), list with some of them is available here. Otherwise it’s also possible to use software tokens for example on smartphones, for example Android Token.

Server configuration

Creating OTP users file

cd /etc/apache2
mkdir otp
chown apache:apache otp

I agree, it’s not really secure to let apache create files in this directory, but it’s required by mod_authn_otp.

Place otp.users in this directory

#Token Types:

#       HOTP            - HOTP event-based token with six digit OTP
#       HOTP/E          - HOTP event-based token with six digit OTP

#       HOTP/E/8        - HOTP event-based token with eight digit OTP
#       HOTP/T30        - HOTP time-based token with 30 second interval and six digit OTP

#       HOTP/T60        - HOTP time-based token with 60 second interval and six digit OTP
#       HOTP/T60/5      - HOTP time-based token with 60 second interval and five digit OTP

#       MOTP            - Mobile-OTP time-based token 10 second interval and six digit OTP
#       MOTP/E          - Mobile-OTP event-based token with six digit OTP

#Type Username PIN Seed

#we are using time-based token with 30 seconds and our user has no PIN.
HOTP/T30 user - bfdc1e7020e88dfaa4785136156929020258121d

If you are using PIN, you have to prefix your token with this PIN

Change the permissions

chown root:apache otp.users
chmod 660 otp.users

Authentication configuration with Apache

Create authentication configuration like here

<Directory "/protected/stuff">`
    AuthType basic
    AuthName "My Protected Area"
    AuthBasicProvider OTP
    Require valid-user
    OTPAuthUsersFile /etc/apache2/otp/otp.users
    OTPAuthLogoutOnIPChange On
    OTPAuthMaxLinger 600
</Directory>

Known issues

  • Problems with time-based software tokens because clock offset on the mobile. Workaround is to use ClockSync on Android
Table of contents
Recent posts
Tags