Friday 22 July 2011

Adding One Time Passwords to Apache

If you have restricted information on your website, you will want to protect access to it. The standard procedure of just adding a static username/password pair is not very secure. Even on an encrypted HTTPS site the password is not fully protected against interception: the transmission over the internet is encrypted, but in many cases you are not in full control of the browser you use.

When you use a browser in an Internet cafe it may have been tampered with, and it might pass the information you enter on to others. Even in some corporate environments the browser has been modified to use a proxy with so-called Deep Packet Inspection: the IT department installs a new trusted CA certificate in the browser you use, and with or without your knowledge all HTTPS traffic (including private passwords) is decrypted and inspected for e.g. virus infections or other suspicious activity.

So a static password is not very safe. A common solution to this problem is using One Time Passwords combined with Two Factor authentication.

The concept is simple: allow a password to be used only once, or give it a very limited lifetime. When your password has been intercepted and an intruder tries to use it, he'll discover that it is no longer valid.

So how do we get One Time Passwords?

Simply use an App on your smartphone. Each time you need to log in you enter your 4-digit PIN in the App and you receive a one time password in return.

Many OTP Apps exist; you should start at http://motp.sourceforge.net to find one for your device. My favorite is DroidOTP for my Android device. You can find it in the Android Market.

The other part of the solution is configuring your Apache for MOTP. I'll describe the procedure for an Apache22 installation on FreeBSD, but the procedure on Linux would be the same.

http://code.google.com/p/mod-authn-otp/ hosts the code you need. Download the file (currently mod_authn_otp-1.1.4.tar.gz) and extract it in a directory of your choice.

Simply executing:

make
make install

installed it without any problems or warnings on my machine.

The next step is to adapt httpd.conf.

Add the following line to load the module:

LoadModule authn_otp_module libexec/apache22/mod_authn_otp.so

Now we need to create the OTP user configuration. Create a directory

/usr/local/etc/apache22/otp/users

and create a file named users in it. The owner should be www and the permissions should be 600: the file must be readable only by the Apache server, because it contains each user's secret for One Time Password generation.

cd /usr/local/etc/apache22/otp/users
touch users
chown www users
chmod 600 users

Now add a single line for each user to this file, e.g.:

MOTP yourname 1234 1234abcdef567812


The first field specifies that we are using the MOTP implementation, the second field is the name of the user, the third is a private PIN you have chosen, and the last is the secret used to configure the smartphone App. How you get this secret depends on the App you use. Most Apps generate this secret for you when you start using them; they show it once, and you should copy it into the users file.

With all this in place, usage is quite simple. Just put the following configuration in the .htaccess file of the directory whose content you want to protect:

AuthType Basic
AuthName "My restricted data"
AuthBasicProvider OTP
OTPAuthUsersFile /usr/local/etc/apache22/otp/users
OTPAuthLogoutOnIPChange on
OTPAuthMaxOTPFailure 4
OTPAuthMaxLinger 1800
Require user yourname


When you access the content with your browser you need to enter your username and the OTP password. Grab your phone and start your MOTP App. Enter your PIN and type the 6-character string the App gives you into the password field.

Now you can browse for 1800 seconds (the OTPAuthMaxLinger value). After this period you are asked to enter a new OTP password. If you are paranoid you can lower the 1800-second interval.
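To make the "use once or for a limited time" idea and the users-file format concrete, here is an added Python example of the server-side check that a module like this performs. It is written for this page; it is not mod_authn_otp's code and does not reproduce that module's internals. It parses lines in the same format as the users file above, computes tokens with the mOTP algorithm published at http://motp.sourceforge.net (the first six hex digits of MD5 over the decimal value of epoch/10, the secret and the PIN), accepts a token only inside a clock-drift window, keeps accepting the same token for the linger period (the browser resends the Basic-auth password on every request), ends that period when the client IP changes, and never accepts an already consumed token as a new login. The user names, secrets, timestamps and IP addresses are constructed sample values, and the 180-second drift window is an assumption made for the example, not a documented mod_authn_otp setting.

```python
import hashlib
import hmac
import time

# Constructed sample users file, in the same format as the article's
# "MOTP yourname 1234 1234abcdef567812" line (all values are examples only).
SAMPLE_USERS_FILE = """\
# type  user      PIN   secret (16 hex chars, copied from the phone App)
MOTP    yourname  1234  1234abcdef567812
MOTP    alice     9876  0f1e2d3c4b5a6978
"""


def parse_users_file(text):
    """Parse 'MOTP <user> <PIN> <secret>' lines into {user: {"pin", "secret"}}."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4 or fields[0] != "MOTP":
            raise ValueError(f"unsupported users line: {line!r}")
        _, user, pin, secret = fields
        users[user] = {"pin": pin, "secret": secret}
    return users


def motp_token(secret, pin, epoch_seconds):
    """mOTP algorithm (motp.sourceforge.net): first 6 hex digits of
    MD5(str(epoch // 10) + secret + PIN). The counter changes every 10 s."""
    counter = str(int(epoch_seconds) // 10)
    digest = hashlib.md5((counter + secret + pin).encode("ascii")).hexdigest()
    return digest[:6]


class MotpVerifier:
    """Models the checks described in the article: drift window, linger
    (OTPAuthMaxLinger), logout on IP change (OTPAuthLogoutOnIPChange) and
    one-time use. window_seconds=180 is an assumption for this example."""

    def __init__(self, users, window_seconds=180, max_linger=1800,
                 logout_on_ip_change=True):
        self.users = users
        self.window = window_seconds
        self.max_linger = max_linger
        self.logout_on_ip_change = logout_on_ip_change
        self.sessions = {}   # user -> (token, first_used_at, client_ip)
        self.consumed = {}   # user -> set of counters that already opened a session

    def verify(self, user, token, client_ip, now=None):
        now = int(time.time() if now is None else now)
        entry = self.users.get(user)
        token = token.lower()
        if entry is None or len(token) != 6 or any(c not in "0123456789abcdef" for c in token):
            return False
        # 1. Linger: the OTP that opened the session stays valid for max_linger
        #    seconds, because the browser resends it with every request.
        session = self.sessions.get(user)
        if session is not None:
            s_token, first_used, s_ip = session
            if now - first_used < self.max_linger and hmac.compare_digest(s_token, token):
                if self.logout_on_ip_change and s_ip != client_ip:
                    del self.sessions[user]   # forced logout: a new OTP is required
                    return False
                return True
            del self.sessions[user]           # linger expired or a new OTP was entered
        # 2. Fresh OTP: must match a counter inside the drift window and must not
        #    have been used before (one-time use: an intercepted OTP is worthless
        #    once its linger period is over).
        first = (now - self.window) // 10
        last = (now + self.window) // 10
        for counter in range(first, last + 1):
            expected = motp_token(entry["secret"], entry["pin"], counter * 10)
            if hmac.compare_digest(expected, token):
                used = self.consumed.setdefault(user, set())
                if counter in used:
                    return False              # replay of a consumed OTP
                used.add(counter)
                self.sessions[user] = (token, now, client_ip)
                return True
        return False


if __name__ == "__main__":
    users = parse_users_file(SAMPLE_USERS_FILE)
    v = MotpVerifier(users)
    t0 = 1311336000   # constructed timestamp: 22 July 2011, 12:00 UTC
    otp = motp_token(users["yourname"]["secret"], users["yourname"]["pin"], t0)
    print("App shows:", otp)
    print("login:", v.verify("yourname", otp, "192.0.2.10", now=t0))
    print("same OTP 10 min later (linger):", v.verify("yourname", otp, "192.0.2.10", now=t0 + 600))
    print("same OTP from another IP:", v.verify("yourname", otp, "198.51.100.7", now=t0 + 700))
    print("same OTP again, same IP:", v.verify("yourname", otp, "192.0.2.10", now=t0 + 710))
```

The run at the bottom walks through the Internet cafe scenario from the start of the post: the first login succeeds, the same OTP keeps working from the same client while the linger period runs, a request with that OTP from a different address ends the session, and after that the OTP is refused even from the original address because it has already been consumed. Note that the PIN and secret both live in the users file, which is why its permissions matter as much as the article says.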

1 comment:

  1. Hi Tom,
    I am using MOTP and set my linger time to 1800 and activated OTPAuthLogoutOnIPChange, but it doesn't work. I must enter the password every 5 minutes and I can access my server using a different IP. Why, Tom?
