Friday 22 July 2011

Adding One Time Passwords to Apache

If you have restricted information on your website you will want to protect access to it. The standard procedure, a static username/password pair, is not very secure. Even on an encrypted HTTPS site the password is not safe from interception: the transmission over the internet is encrypted, but in many cases you are not in full control of the browser you use.

When you use a browser in an Internet cafe it may have been tampered with and may pass whatever you type on to others. Even in some corporate environments the browser has been configured to use a proxy that performs so-called Deep Packet Inspection: the IT department installs an extra trusted CA certificate in the browser, and with or without your knowledge all HTTPS traffic (including private passwords) is decrypted and inspected, e.g. for viruses or other suspicious activity.

So a static password is not very safe. A common solution is to use One Time Passwords (OTP), usually combined with two-factor authentication: something you know (a PIN) and something you have (the phone that generates the password).

The concept is simple: a password may be used only once, or has a very short lifetime. When your password has been intercepted and an intruder tries to use it later, he will discover that it is no longer valid. Note that this protects against replay after the fact; a proxy that can read your traffic while you are logged in can still abuse that live session, so keep the session lifetime short.

So how do we get One Time passwords?

Simply use an app on your smartphone. Each time you need to log in you enter your 4-digit PIN in the app and it shows you a one-time password in return.

Many OTP apps exist; start at http://motp.sourceforge.net to find one for your device. My favorite is DroidOTP for my Android device. You can find it in the Android market.

The other part of the solution is configuring Apache for MOTP. I'll describe the procedure for an installed Apache22 on FreeBSD, but the Linux procedure is essentially the same (only the paths differ).

http://code.google.com/p/mod-authn-otp/ hosts the code you need. Download the file (currently mod_authn_otp-1.1.4.tar.gz) and extract it in a directory of your choice.

Simply executing:

make install

installed it without any problems or warnings on my machine.

The next step is to adapt the httpd.conf.

Add the following line to load the module:

LoadModule authn_otp_module libexec/apache22/mod_authn_otp.so

Now we need to create the OTP user configuration. Create the directory /usr/local/etc/apache22/otp and create a file users in it. The owner should be www and the permissions 600: the file contains the PIN and secret for every user's one-time password generation, so nobody but the Apache server should be able to read it. The module also writes to this file (it records the last OTP accepted for each user so it cannot be reused), which is why the file must be owned by the www user and not merely readable by it.

mkdir -p /usr/local/etc/apache22/otp
cd /usr/local/etc/apache22/otp
touch users
chown www users
chmod 600 users

Now add a single line for each user to this file, e.g.:

MOTP yourname 1234 1234abcdef567812

The first field specifies that we are using the MOTP implementation, the second is the name of the user, the third the private PIN you have chosen, and the last the secret (16 hex digits) that is also configured in the smartphone app. How you get this secret depends on the app you use: most apps generate it when you first start them, show it once, and you copy it into the users file. The PIN is typed only into the app and is never sent over the network; the server needs it in the users file because it has to compute the same one-time password as the app.
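To make concrete what the users file line above means and what "one time" means on the server side, here is an added example in Python; it is not code from this page or from mod_authn_otp. It implements the published Mobile-OTP algorithm (the first 6 hex digits of MD5 over the 10-second time step, the secret and the PIN), parses users file lines in the format shown above, and verifies a submitted OTP within a clock-drift window while rejecting a replay. The parse_users_file and MotpVerifier names, the in-memory replay bookkeeping and the window of 18 steps (3 minutes) are assumptions of this example; the real module keeps its state in the users file itself.

```python
import hashlib
import hmac
import time

# Mobile-OTP (the "MOTP" token type in the users file) computes a one-time
# password as the first 6 hex digits of
#     MD5( str(epoch_seconds // 10) + secret + pin )
# so it changes every 10 seconds. The secret is the 16 hex digits shared with
# the phone app; the PIN is typed into the app and never sent over the wire.

# Constructed sample: the same line as the users file on this page.
SAMPLE_USERS_FILE = """\
MOTP yourname 1234 1234abcdef567812
"""


def motp(secret: str, pin: str, epoch: int) -> str:
    """Return the 6-hex-digit MOTP value for the 10-second step containing epoch."""
    step = str(epoch // 10)
    return hashlib.md5((step + secret + pin).encode("ascii")).hexdigest()[:6]


def parse_users_file(text: str) -> dict:
    """Parse 'MOTP user PIN secret' lines into {user: (pin, secret)} (assumed helper)."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 4 or fields[0] != "MOTP":
            raise ValueError("unsupported users-file line: %r" % line)
        users[fields[1]] = (fields[2], fields[3])
    return users


class MotpVerifier:
    """Server side (assumed class): accept each OTP once, within a drift window."""

    def __init__(self, users: dict, max_offset: int = 18):
        self.users = users
        self.max_offset = max_offset   # 10-second steps tolerated either side
        self.used = {}                 # user -> {otp: epoch when it was accepted}

    def verify(self, user: str, otp: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        entry = self.users.get(user)
        if entry is None:
            return False
        pin, secret = entry
        otp = otp.strip().lower()
        used = self.used.setdefault(user, {})
        # Forget accepted OTPs older than twice the window: no step still
        # inside the window can reproduce them, so they need no bookkeeping.
        horizon = now - 20 * (self.max_offset + 1)
        for old in [o for o, t in used.items() if t < horizon]:
            del used[o]
        if otp in used:
            return False               # replay: this password was already spent
        for offset in range(-self.max_offset, self.max_offset + 1):
            candidate = motp(secret, pin, now + 10 * offset)
            if hmac.compare_digest(candidate, otp):
                used[otp] = now
                return True
        return False


if __name__ == "__main__":
    users = parse_users_file(SAMPLE_USERS_FILE)
    verifier = MotpVerifier(users)
    t = int(time.time())
    code = motp(*reversed(users["yourname"]), t)   # what the phone app would show
    print("OTP now:", code)
    print("first use:", verifier.verify("yourname", code, now=t))
    print("replayed: ", verifier.verify("yourname", code, now=t))
```

The second verify call fails because the same password has already been spent, which is exactly the property the text above relies on; the drift window is there because the phone's clock and the server's clock are never perfectly in sync.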

With all this in place usage is quite simple. Just put the following configuration in the .htaccess file of the directory with the content you want to protect (the directory must be covered by an AllowOverride AuthConfig in httpd.conf, otherwise Apache ignores the Auth directives in .htaccess; alternatively put the same lines in a <Directory> block in httpd.conf):

AuthType Basic
AuthName "My restricted data"
AuthBasicProvider OTP
OTPAuthUsersFile /usr/local/etc/apache22/otp/users
OTPAuthLogoutOnIPChange on
OTPAuthMaxOTPFailure 4
OTPAuthMaxLinger 1800
Require user yourname

When you access the content with your browser you need to enter your username and the OTP as the password. Grab your phone and start your MOTP app. Enter your PIN and type the 6-character string the app shows into the password field.

Now you can browse for 1800 seconds. After this period you are asked to enter a new OTP. Note what this linger period really means: HTTP Basic authentication resends the same credentials with every request, so the module has to keep accepting the same OTP for OTPAuthMaxLinger seconds. During that window an intercepted OTP is still usable, which is why OTPAuthLogoutOnIPChange on ties it to the client address that first presented it. If you are paranoid you can lower the 1800 interval.

Dynamic Desktop Background

Some Linux distributions offer the option to refresh your desktop background wallpaper with a random image from a list of images or a specified directory. Ubuntu Natty (11.04) does not offer that option, but even if it did, I have some extra requirements:

  • Load the image recursively from a tree of directories

  • Skip portrait orientation images (these will not show nicely on your wide screen)

  • Skip small images (thumbnails)

So I wrote my own script to dust off my (bash) scripting skills (the script is listed at the end of this post):

It requires ImageMagick and jhead from your distribution. These are needed to determine the orientation of an image (jhead reads the EXIF Orientation tag, ImageMagick's identify reports the pixel dimensions).
Store the script on your computer ($HOME/bin is a good place) and invoke it with two arguments, the image directory (tree) and the delay in seconds between refreshes, e.g.:

RandomBG /data/MyImageCollection 300

You can start the script when you login on your desktop by adding it to the list of startup programs. On Ubuntu Natty you can find this setting as Startup Applications under System Settings.

The default minimum size of an image is 200k. You can easily change it in the script by adapting the -size +200k argument of the find command.
Adapting it for KDE or XFCE would require just replacing the single gconftool command.

Update for Ubuntu 11.10 Oneiric Ocelot Unity desktop:

replace the gconftool line with

dconf write /org/gnome/desktop/background/picture-uri "'file:///$foto'"


#!/bin/bash
# RandomBG: every SLEEP seconds pick a random landscape JPEG from the tree
# under DIR and make it the GNOME desktop background.

DIR=${1:?Need an image dir for this arg}
SLEEP=${2:?Need a delay in seconds for this arg}

# Ori: print "l" for landscape or "p" for portrait. Uses the EXIF Orientation
# tag reported by jhead and the pixel dimensions reported by ImageMagick.
function Ori()
{
    FILE="$1"
    ORI=`jhead -v "$FILE" | grep "Orientation ="`
    set `identify -format "%w %h" "$FILE"`
    W=$1
    H=$2

    if [[ "$ORI" == "" || "$ORI" =~ 256 ]]; then
        # no usable orientation tag: judge by the pixel dimensions
        if (( $W > $H )); then echo "l"; else echo "p"; fi
    elif [[ "$ORI" =~ 1 ]]; then
        # orientation 1: stored upright, judge by the pixel dimensions
        if (( $W > $H )); then echo "l"; else echo "p"; fi
    elif [[ "$ORI" =~ 6 ]]; then
        # orientation 6: rotated 90 degrees, displayed as portrait
        echo "p"
    else
        echo "-p"
    fi
}

# All JPEGs in the tree larger than 200k (skips thumbnails); change +200k to taste.
# File names must not contain whitespace for this array to work.
fotos=( $(find "$DIR" \( -name '*.jpg' -o -name '*.JPG' \) -size +200k) )
if (( ${#fotos[@]} == 0 )); then
    echo "No images found under $DIR" >&2
    exit 1
fi

while : ; do
    ori="p"
    # keep drawing until we hit a landscape image
    while [ "$ori" != "l" ]; do
        foto="${fotos[ $RANDOM % ${#fotos[@]} ]}"
        ori=$(Ori "$foto")
    done
    echo "$foto"
    gconftool -t string -s /desktop/gnome/background/picture_filename "$foto"
    sleep "$SLEEP"
done