One-time password Apache Basic authentication

One-time password notes
Basic authentication using the Google Authenticator app + mod_authn_otp

mod-authn-otp
https://code.google.com/p/mod-authn-otp/

One-time password app for the device (smartphone etc.)
https://support.google.com/accounts/answer/1066447?hl=ja

References
nazx
http://nazx.jp/x/apache_tips_000

Current environment
cat /etc/redhat-release
CentOS release 6.5 (Final)

httpd -v
Server version: Apache/2.2.15

// Build the rpm
# yum -y install rpm-build httpd-devel

$ cd /home/rpm
$ mkdir -p rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}

// Prepare the source etc. and build the rpm (spec file borrowed from nazx)

$ rpmbuild -bb mod_authn_otp.spec

// Manage it with a local yum repository
# yum -y install createrepo

mkdir -p /home/yum/rpm/
mkdir -p /home/yum/extra/

// Create a new file
vi /etc/yum.repos.d/local.repo

[local-rpm]
name=CentOS-6.5 - local rpm
baseurl=file:///home/yum/rpm/
gpgcheck=0
enabled=1

[local-extra]
name=CentOS-6.5 - local extra
baseurl=file:///home/yum/extra/
gpgcheck=0
enabled=0

// Move the built rpm there and update the yum DB
createrepo -v /home/yum/rpm/
createrepo -v /home/yum/extra/

// Install mod_authn_otp
# yum -y install mod_authn_otp

// Append to this file, or put it in a file under conf.d
vi /etc/httpd/conf/httpd.conf

LoadModule authn_otp_module modules/mod_authn_otp.so

// Restart Apache
service httpd restart

// Check
# httpd -M
suexec_module (shared)
disk_cache_module (shared)
cgi_module (shared)
version_module (shared)
authn_otp_module (shared) <- this one
dnssd_module (shared)
perl_module (shared)
php5_module (shared)

// Create the token file used for authentication
# mkdir /var/www/hoge
# chown apache. /var/www/hoge

// Use the sample file below as a reference

#   1. Token Type         See below
#   2. Username           User's username
#   3. PIN                User's PIN, or "-" if user has no PIN, or "+" to verify PIN via "OTPAuthPINAuthProvider"
#   4. Token Key          Secret key for the token algorithm (see RFC 4226)
#   5. Counter/Offset     Next expected counter value (event tokens) or counter offset (time tokens)
#   6. Failure counter    Number of consecutive wrong OTPs provided by this user (for "OTPAuthMaxOTPFailure")
#   7. Last OTP           The previous successfully used one-time password
#   8. Time of Last OTP   Local timestamp when the last OTP was generated (in the form 2009-06-12T17:52:32L)
#   9. Last IP address    IP address used during the most recent successful attempt
#
#   Fields 5 and beyond are optional. Fields 6 and beyond should be omitted for new users.
#
# Token Type Field:
#
#   This field contains a string in the format: ALGORITHM [ / COUNTERINFO [ / DIGITS ] ]
#
#   The ALGORITHM is either "HOTP" (RFC 4226) or "MOTP" (http://motp.sourceforge.net/).
#
#   The COUNTERINFO is either "E" for an event-based token, or "TNN" for a time based token
#   where "NN" is the number of seconds in one time interval. For HOTP, the default is "E";
#   for MOTP, the default is "T10".
#
#   The DIGITS is the number of digits in the one-time password; the default is six.
#
#   Examples:
#
#       HOTP            - HOTP event-based token with six digit OTP
#       HOTP/E          - HOTP event-based token with six digit OTP
#       HOTP/E/8        - HOTP event-based token with eight digit OTP
#       HOTP/T30        - HOTP time-based token with 30 second interval and six digit OTP
#       HOTP/T60        - HOTP time-based token with 60 second interval and six digit OTP
#       HOTP/T60/5      - HOTP time-based token with 60 second interval and five digit OTP
#       MOTP            - Mobile-OTP time-based token with 10 second interval and six digit OTP
#       MOTP/E          - Mobile-OTP event-based token with six digit OTP
#
# For more info see: http://code.google.com/p/mod-authn-otp/wiki/UsersFile
#

# Some users who have logged in at least once.

HOTP    barney        1234    8a2d55707a9084982649dadc04b426a06df19ab2 21      0 820658  2009-06-12T17:52:32L 192.168.1.1
HOTP    fred          5678    acbd18db4cc2f85cedef654fccc4a4d8bd537891 78      0 617363  2009-06-04T21:17:03L 192.168.1.2
HOTP/T  joe           999999  ef654fccdef654fccc4a4d8acbd18db4cc2f85ce -2      2 883913  2009-06-04T21:17:03L 10.1.1.153

# Wilma and Betty are new users. Note betty does not have a PIN so "-" is used instead as a placeholder

HOTP    wilma         5678    a4d8acbddef654fccc418db4cc2f85cea6339f00
HOTP    betty         -       54fccc418a4d8acbddef6db4cc2f85ce99321d64

# Here is a user whose PIN is verified externally using whatever "OTPAuthPINAuthProvider" list you have configured.
# E.g. to use an htpasswd type file, specify "OTPAuthPINAuthProvider file" and then "AuthUserFile /some/file".
HOTP    bambam        +       d8acbddef6db4cc254fccc418a4f85ce99321d64

// Based on the sample above (the file name is not prescribed)
# vi /var/www/hoge/users.txt

#TokenType  Username  PIN    TokenKey
HOTP/T30 username1  -   d8acbddef6db4cc254fccc418

// The PIN field is "-", "+", "1234" or similar
// "-" means no PIN; "+" means the PIN is verified against a file created with htpasswd (.htpasswd etc.); a literal string such as "1234" becomes the PIN itself
// The password entered at the prompt is PIN + one-time password

// Set file permissions
# chown apache:apache /var/www/hoge/users.txt
# chmod 0600 /var/www/hoge/users.txt

// Token generator
One-Time Passwords
Generate the token and QR code there, scan the QR code with the one-time password app on the device to set it up (and put the same key in users.txt)

// If needed: # htpasswd -c /var/www/hoge/users.pin username1

// Test configuration
# vi /etc/httpd/conf.d/test.conf

<Directory "/var/www/html/test/">
    AuthType            basic
    AuthName            "otp"
    AuthBasicProvider   OTP
    Require             valid-user
    OTPAuthUsersFile    "/var/www/hoge/users.txt"
</Directory>

// Run the test
# service httpd restart
Enter the digits shown by the app to authenticate (if the PIN field is "+" or a literal string, enter that PIN followed by the digits)

If it works, the last OTP, counter, IP address, timestamp etc. are appended to the user's line in users.txt
#TokenType  Username  PIN    TokenKey
HOTP/T30 username1  -  d8acbddef6db4cc254fccc418 0   0  626391  2014-05-16T14:01:44L 192.168.1.59
Done
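As an added example (not code from the original memo or from mod_authn_otp), the following Python script reproduces the check behind the users.txt format and the PIN rule above: it parses the token type field (ALGORITHM/COUNTERINFO/DIGITS), computes the RFC 4226 HOTP from the hex token key (dividing the clock by the interval for T30 tokens), and prepends the PIN according to the "-" / "+" / literal-string rule to form the password the Basic auth prompt expects. The users.txt lines and the key (the RFC 4226 test-vector key) are constructed for this example and are not real credentials.

```python
import hashlib
import hmac
import struct
import time

# Constructed users.txt lines in the layout shown above (token type, username,
# PIN, hex token key). The key is the RFC 4226 test-vector key, not a real secret.
SAMPLE_KEY = "3132333435363738393031323334353637383930"
USERS_TXT = (
    "HOTP/T30 alice 1234 " + SAMPLE_KEY + "\n"   # time token, 30 s, literal PIN
    "HOTP     bob   -    " + SAMPLE_KEY + "\n"   # event token, no PIN
)

def parse_token_type(token_type):
    """Split 'ALGORITHM[/COUNTERINFO[/DIGITS]]' into (algorithm, interval, digits).
    interval is None for event-based tokens; defaults follow the sample file above."""
    parts = token_type.split("/")
    algorithm = parts[0]
    counterinfo = parts[1] if len(parts) > 1 else ("T10" if algorithm == "MOTP" else "E")
    digits = int(parts[2]) if len(parts) > 2 else 6
    interval = None if counterinfo == "E" else int(counterinfo[1:])
    return algorithm, interval, digits

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def expected_password(line, now=None, counter=0):
    """Password the Basic auth prompt expects for one users.txt line: PIN + OTP.
    '-' means no PIN; '+' means the PIN lives in the htpasswd file, so the caller
    must prepend it. Time tokens derive the counter from now // interval."""
    token_type, _user, pin, hexkey = line.split()[:4]
    algorithm, interval, digits = parse_token_type(token_type)
    if algorithm != "HOTP":
        raise ValueError("this example implements HOTP only, not MOTP")
    if interval is not None:
        counter = int((time.time() if now is None else now) // interval)
    otp = hotp(bytes.fromhex(hexkey), counter, digits)
    return ("" if pin in ("-", "+") else pin) + otp

def find_user(users_txt, username):
    """Return the (non-comment) users.txt line for username, or None."""
    for line in users_txt.splitlines():
        parts = line.split()
        if parts and not line.startswith("#") and len(parts) > 1 and parts[1] == username:
            return line
    return None
```

The expected values for the test-vector key match the RFC 4226 and RFC 6238 tables, which is a quick way to confirm that a users.txt key was entered correctly before handing the QR code to the app.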
