One-time password notes
Basic authentication with the Google Authenticator app + mod_authn_otp
mod-authn-otp
https://code.google.com/p/mod-authn-otp/
One-time password app for the device (smartphone etc.)
https://support.google.com/accounts/answer/1066447?hl=ja
References
nazx-san
http://nazx.jp/x/apache_tips_000
Current environment
cat /etc/redhat-release
CentOS release 6.5 (Final)
httpd -v
Server version: Apache/2.2.15
// Build the rpm
# yum -y install rpm-build httpd-devel
$ cd /home/rpm
$ mkdir -p rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
// Prepare the sources etc. and build the rpm (spec file borrowed from nazx-san)
$ rpmbuild -bb mod_authn_otp.spec
// Manage it through a local yum repo
# yum -y install createrepo
mkdir -p /home/yum/rpm/
mkdir -p /home/yum/extra/
// Create a new repo file
vi /etc/yum.repos.d/local.repo
[local-rpm]
name=CentOS-6.5 - local rpm
baseurl=file:///home/yum/rpm/
gpgcheck=0
enabled=1
[local-extra]
name=CentOS-6.5 - local extra
baseurl=file:///home/yum/extra/
gpgcheck=0
enabled=0
// Move the built rpm there and update the yum DB
createrepo -v /home/yum/rpm/
createrepo -v /home/yum/extra/
// Install mod_authn_otp
# yum -y install mod_authn_otp
// Append to httpd.conf, or put it in a file under conf.d
vi /etc/httpd/conf/httpd.conf
LoadModule authn_otp_module modules/mod_authn_otp.so
// Restart apache
service httpd restart
// Verify that the module is loaded
# httpd -M
suexec_module (shared)
disk_cache_module (shared)
cgi_module (shared)
version_module (shared)
authn_otp_module (shared) ← this one
dnssd_module (shared)
perl_module (shared)
php5_module (shared)
// Create the token file used for authentication
# mkdir /var/www/hoge
# chown apache. /var/www/hoge
// Using the sample users file below (shipped with the module) as a reference
# 1. Token Type See below
# 2. Username User's username
# 3. PIN User's PIN, or "-" if user has no PIN, or "+" to verify PIN via "OTPAuthPINAuthProvider"
# 4. Token Key Secret key for the token algorithm (see RFC 4226)
# 5. Counter/Offset Next expected counter value (event tokens) or counter offset (time tokens)
# 6. Failure counter Number of consecutive wrong OTPs provided by this user (for "OTPAuthMaxOTPFailure")
# 7. Last OTP The previous successfully used one-time password
# 8. Time of Last OTP Local timestamp when the last OTP was generated (in the form 2009-06-12T17:52:32L)
# 9. Last IP address IP address used during the most recent successful attempt
#
# Fields 5 and beyond are optional. Fields 6 and beyond should be omitted for new users.
#
# Token Type Field:
#
# This field contains a string in the format: ALGORITHM [ / COUNTERINFO [ / DIGITS ] ]
#
# The ALGORITHM is either "HOTP" (RFC 4226) or "MOTP" (http://motp.sourceforge.net/).
#
# The COUNTERINFO is either "E" for an event-based token, or "TNN" for a time based token
# where "NN" is the number of seconds in one time interval. For HOTP, the default is "E";
# for MOTP, the default is "T10".
#
# The DIGITS is the number of digits in the one-time password; the default is six.
#
# Examples:
#
# HOTP – HOTP event-based token with six digit OTP
# HOTP/E – HOTP event-based token with six digit OTP
# HOTP/E/8 – HOTP event-based token with eight digit OTP
# HOTP/T30 – HOTP time-based token with 30 second interval and six digit OTP
# HOTP/T60 – HOTP time-based token with 60 second interval and six digit OTP
# HOTP/T60/5 – HOTP time-based token with 60 second interval and five digit OTP
# MOTP – Mobile-OTP time-based token 10 second interval and six digit OTP
# MOTP/E – Mobile-OTP event-based token with six digit OTP
#
# For more info see: http://code.google.com/p/mod-authn-otp/wiki/UsersFile
#
# Some users who have logged in at least once.
HOTP barney 1234 8a2d55707a9084982649dadc04b426a06df19ab2 21 0 820658 2009-06-12T17:52:32L 192.168.1.1
HOTP fred 5678 acbd18db4cc2f85cedef654fccc4a4d8bd537891 78 0 617363 2009-06-04T21:17:03L 192.168.1.2
HOTP/T joe 999999 ef654fccdef654fccc4a4d8acbd18db4cc2f85ce -2 2 883913 2009-06-04T21:17:03L 10.1.1.153
# Wilma and Betty are new users. Note betty does not have a PIN so "-" is used instead as a placeholder
HOTP wilma 5678 a4d8acbddef654fccc418db4cc2f85cea6339f00
HOTP betty - 54fccc418a4d8acbddef6db4cc2f85ce99321d64
# Here is a user whose PIN is verified externally using whatever "OTPAuthPINAuthProvider" list you have configured.
# E.g. to use an htpasswd type file, specify "OTPAuthPINAuthProvider file" and then "AuthUserFile /some/file".
HOTP bambam + d8acbddef6db4cc254fccc418a4f85ce99321d64
// Following the sample above (no particular filename is required)
# vi /var/www/hoge/users.txt
#TokenType Username PIN TokenKey
HOTP/T30 username1 – d8acbddef6db4cc254fccc418
// The PIN field is "-", "+", or a literal string such as "1234"
// "-" means no PIN; "+" means the PIN is checked externally (e.g. against a file created with htpasswd); a literal string such as "1234" becomes the PIN itself
// The password the user types is the PIN followed by the one-time password
// Set permissions: the file holds the secret keys, so only apache may read it, and it must be writable by apache because the module rewrites fields 5 onward after every successful login
# chown apache:apache /var/www/hoge/users.txt
# chmod 0600 /var/www/hoge/users.txt
// Token generator
One-Time Passwords
Generate the token and QR code there, scan the QR code with the one-time password app on the device to set it up (and put the same key into users.txt)
// If needed (only when the PIN field is "+"): # htpasswd -c /var/www/hoge/users.pin username1
// Test config
# vi /etc/httpd/conf.d/test.conf
<Directory "/var/www/html/test/">
AuthType Basic
AuthName "otp"
AuthBasicProvider OTP
Require valid-user
OTPAuthUsersFile "/var/www/hoge/users.txt"
</Directory>
// Run the test
# service httpd restart
Enter the digits shown by the app as the password to authenticate (if the PIN field is "+" or a literal string, type the PIN followed by the digits; with "+" the test.conf above additionally needs "OTPAuthPINAuthProvider file" and an AuthUserFile pointing at /var/www/hoge/users.pin, as in the sample file's comments)
On success, the module appends the OTP that was used, the counter/offset, the time and the client IP address to the user's line in users.txt
#TokenType Username PIN TokenKey
HOTP/T30 username1 – d8acbddef6db4cc254fccc418 0 0 626391 2014-05-16T14:01:44L 192.168.1.59
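The hex TokenKey in users.txt, the QR code the app scans, and the PIN + digits typed into the Basic-auth password field are all one RFC 4226 / RFC 6238 computation. The following Python is an added example, not code from this memo or from mod_authn_otp: it builds a users.txt line for a new HOTP/T30 user, produces the otpauth:// URI that the Google Authenticator app reads (same key, base32 instead of hex), and checks a typed PIN+OTP against a users.txt line. Assumptions made here and not stated on the page: a bare "T" in the token type means a 30-second interval, field 5 of a time token is added to the server's interval counter, and the acceptance window of one interval is a simplification of whatever tolerance the module's own directives give. The key (the RFC 4226/6238 test vector key), user names and timestamps are constructed.

```python
# Added example: HOTP/TOTP as stored in mod_authn_otp's users file and as
# enrolled in the Google Authenticator app. Not code from the memo or the module.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed sample key: the RFC 4226 / RFC 6238 test vector key (20 bytes).
SAMPLE_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix time / step); this is HOTP/T30 in users.txt."""
    return hotp(key, now // step, digits)


def parse_token_type(token_type: str):
    """Parse the 'ALGORITHM[/COUNTERINFO[/DIGITS]]' field of a users-file line.

    Returns (algorithm, step, digits); step is None for an event token ('E') or the
    interval in seconds for a time token ('TNN'). A bare 'T' (the sample's 'HOTP/T')
    is assumed to mean 30 seconds.
    """
    parts = token_type.split("/")
    algorithm = parts[0].upper()
    if algorithm not in ("HOTP", "MOTP"):
        raise ValueError(f"unknown algorithm: {algorithm}")
    default_counter = "E" if algorithm == "HOTP" else "T10"
    counterinfo = parts[1] if len(parts) > 1 else default_counter
    digits = int(parts[2]) if len(parts) > 2 else 6
    if counterinfo == "E":
        return algorithm, None, digits
    if counterinfo.startswith("T"):
        return algorithm, int(counterinfo[1:] or "30"), digits
    raise ValueError(f"bad COUNTERINFO: {counterinfo}")


def users_line(token_type: str, username: str, pin: str, key: bytes) -> str:
    """Fields 1-4 of a new-user line for OTPAuthUsersFile; the key is hex-encoded."""
    return f"{token_type} {username} {pin} {key.hex()}"


def otpauth_uri(username: str, key: bytes, issuer: str, step: int = 30, digits: int = 6) -> str:
    """otpauth:// URI to encode in the QR code scanned by the Google Authenticator app.

    The app wants the same key base32-encoded (padding stripped), not the hex from users.txt.
    """
    secret = base64.b32encode(key).decode().rstrip("=")
    label = quote(f"{issuer}:{username}")
    return f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}&digits={digits}&period={step}"


def verify(line: str, entered: str, now: int, window: int = 1) -> bool:
    """Check the Basic-auth password (PIN followed by OTP) against one users.txt line.

    '-' means no PIN; a literal PIN must prefix the OTP. '+' (PIN via
    OTPAuthPINAuthProvider) and MOTP are out of scope for this example. Field 5,
    when present, is the next counter (event token) or the interval offset (time
    token); +/- `window` intervals are accepted (assumed simplification).
    """
    fields = line.split()
    token_type, _username, pin, key_hex = fields[:4]
    algorithm, step, digits = parse_token_type(token_type)
    if algorithm != "HOTP" or pin == "+":
        raise NotImplementedError("MOTP and external PIN lookup are not shown here")
    expected_pin = "" if pin == "-" else pin
    if not entered.startswith(expected_pin) or len(entered) != len(expected_pin) + digits:
        return False
    otp = entered[len(expected_pin):]
    key = bytes.fromhex(key_hex)
    field5 = int(fields[4]) if len(fields) > 4 else 0
    if step is None:                      # event token: next expected counter, look ahead only
        counters = range(field5, field5 + window + 1)
    else:                                 # time token: server interval plus stored offset
        base = now // step + field5
        counters = range(base - window, base + window + 1)
    return any(hmac.compare_digest(otp, hotp(key, c, digits)) for c in counters)


if __name__ == "__main__":
    line = users_line("HOTP/T30", "username1", "-", SAMPLE_KEY)
    print(line)                                          # line to paste into users.txt
    print(otpauth_uri("username1", SAMPLE_KEY, "otp"))   # content of the QR code
    print("code right now:", totp(SAMPLE_KEY, int(time.time())))
```

Run it once to get the users.txt line and the otpauth:// text for the QR code; the code it prints should match what the app shows for that enrolment, which is a quick way to confirm the server clock is sane before testing through Apache.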
Done