Support for OPENOTP on Apache ?


longjoej

Dec 14, 2011, 5:05:02 AM
to RCDevs Security Solutions - Technical
> I have a Linux web server with SSH and tried to use OpenOTP on it.
> I am using OpenOTP with SSH and it is working well, but I am having a problem with OpenOTP with Apache.
> Do you have HOWTOs for Apache using OpenOTP?
> I tried following the SSH guide for Apache and failed.
> My config is as below:
> *******************************************
> /etc/pam.d/apache2:
> @include common-account
> auth required pam_openotp.so server_url="http://172.168.10.1:8080/openotp/" client_id="Apache" password_mode=3
> apache config:
>
> AuthPAM_Enabled on
> AuthType Basic
> AuthName "OTP Login"
> Require valid-user
> AuthBasicAuthoritative Off
> AuthUserFile /dev/null
>
> Options Indexes FollowSymLinks MultiViews
> AllowOverride None
> Order allow,deny
> allow from all
>
> ***********************************************
> When I load the web page, I get a prompt for my username and password. However, the authorization fails.

Administrators

Dec 14, 2011, 6:18:36 AM
to RCDevs Security Solutions - Technical
In your /etc/pam.d/apache2 use:
auth       required     pam_env.so
auth       sufficient   pam_openotp.so server_url="http://172.168.10.1:8080/openotp/" client_id="Apache" password_mode=3
auth       required     pam_deny.so

One important thing is that with PAM in Apache, the authenticating
users must exist at the Linux level.
So your Linux should rely on PAM-LDAP with posixAccounts managed
through WebADM, or you should have local users in /etc/passwd with the
same uid as the WebADM users.

A better alternative is to use the RADIUS plugin for Apache, because
with RADIUS the users do not need to exist at the Linux level.

So if you use Linux users, PAM is a good approach. If you use virtual
users, RADIUS is preferred.
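The two prerequisites in the reply above (an auth stack that ends fail-closed with pam_deny.so and only lets pam_openotp.so succeed, and users that resolve as Linux accounts) are easy to get wrong when a distribution's @include lines pull pam_unix.so into the stack. The following checker is an added example, not RCDevs code or anything from the thread; it parses /etc/pam.d-style text, reports a stack in which any module other than pam_openotp.so is "sufficient" (a password-only success would bypass the OTP), and verifies that a user resolves through NSS. The two sample stacks are constructed for the example; the module name pam_openotp.so and the server_url/client_id values are taken from the reply.

```python
"""Sanity-check a PAM auth stack meant to enforce OpenOTP, plus the
Linux-user prerequisite. Added example, not from the original thread.
Assumptions: /etc/pam.d/<service> syntax, OTP module named pam_openotp.so,
sample stacks below are constructed."""
import pwd
import re
from dataclasses import dataclass, field


@dataclass
class PamEntry:
    control: str
    module: str
    args: str = ""


@dataclass
class Report:
    ok: bool
    findings: list = field(default_factory=list)


# Constructed sample: the stack proposed in the reply above.
GOOD_STACK = """\
auth required   pam_env.so
auth sufficient pam_openotp.so server_url="http://172.168.10.1:8080/openotp/" client_id="Apache" password_mode=3
auth required   pam_deny.so
"""

# Constructed sample: a stack where a plain Unix password is enough.
BYPASS_STACK = """\
@include common-auth
auth sufficient pam_unix.so nullok
auth sufficient pam_openotp.so server_url="http://172.168.10.1:8080/openotp/" client_id="Apache" password_mode=3
auth required   pam_deny.so
"""


def parse_auth_stack(text):
    """Return the 'auth' entries of a PAM service file, in order.
    '@include X' lines are kept as pseudo-entries (control='@include',
    module=X) so they can be flagged later."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            entries.append(PamEntry("@include", line.split(None, 1)[1].strip()))
            continue
        # Bracketed controls like [success=1 default=ignore] contain spaces.
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if m:
            entries.append(PamEntry(m.group(1), m.group(2), m.group(3)))
    return entries


def check_auth_stack(text, otp_module="pam_openotp.so"):
    """Fail-closed checks for an OTP-only auth stack."""
    entries = parse_auth_stack(text)
    auth = [e for e in entries if e.control != "@include"]
    findings = []
    otp = [e for e in auth if e.module == otp_module]
    if not otp:
        findings.append(f"no auth entry for {otp_module}")
    ends_with_deny = bool(auth) and auth[-1].module == "pam_deny.so" \
        and auth[-1].control == "required"
    if not ends_with_deny:
        findings.append("auth stack does not end with 'auth required pam_deny.so'")
    for e in auth:
        if e.control == "sufficient" and e.module != otp_module:
            findings.append(f"{e.module} is 'sufficient': its success bypasses the OTP")
    for e in otp:
        # With a trailing pam_deny.so the OTP module must be 'sufficient';
        # 'required' there would deny every login.
        if ends_with_deny and e.control != "sufficient":
            findings.append(f"{otp_module} is '{e.control}' before pam_deny.so")
        if not ends_with_deny and e.control not in ("required", "requisite"):
            findings.append(f"{otp_module} control '{e.control}' is not enforcing")
    for e in entries:
        if e.control == "@include" and "auth" in e.module:
            findings.append(f"'@include {e.module}' may add a password-only auth module")
    return Report(ok=not findings, findings=findings)


def unix_user_exists(name):
    """The 'users must exist at the Linux level' prerequisite, via NSS."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    for label, stack in (("good", GOOD_STACK), ("bypass", BYPASS_STACK)):
        print(label, check_auth_stack(stack))
```

Run it against the real file with check_auth_stack(open("/etc/pam.d/apache2").read()); a clean report plus unix_user_exists("<webadm-user>") returning True is the state the reply describes.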

longjoej

Dec 14, 2011, 10:10:39 PM
to RCDevs Security Solutions - Technical
I am using it with PAM-LDAP and it appears to be working now.
But there seems to be another problem. Once logged in, when surfing the
pages, it prompts for authentication again.
How can it be configured to only request authentication once?

Administrators

Dec 15, 2011, 3:22:16 AM
to RCDevs Security Solutions - Technical
So you mean the authentication succeeds and afterwards you are prompted
for authentication again?
Check that the auth succeeds in /opt/webadm/logs/soapd.log.
If it succeeds, the problem is at the Apache or browser level. It sounds more
like a cookie problem in your browser.
As the mod_auth_pam Apache module uses cookies, check that you accept
cookies.

longjoej

Dec 22, 2011, 2:54:56 AM
to RCDevs Security Solutions - Technical
Yes.
I believe it is so, due to HTTP being stateless.
Upon a successful authentication, a request for another page will be
prompted for authentication again. Though the initial passw

If I am going to use Apache with RADIUS authentication, will it solve
the issue? Is there any HOW-TO for it?
I am looking at something similar to the OTP IIS plugin, where the
user only needs to authenticate once for their web session.

I'm looking at this as well:
http://code.google.com/p/mod-authn-otp/
http://www.wikidsystems.com/support/wikid-support-center/how-to/two-factor-authentication-for-apache-2.2-or-higher
Will OpenOTP have something similar?

Administrators

Dec 22, 2011, 4:52:32 AM
to RCDevs Security Solutions - Technical
Apache is not stateless regarding authentication because it uses
cookies (and you authenticate once for the lifetime of the session
cookie). We have some OTP-protected Apache setups working fine here. That's
why I told you to look at the browser (i.e. cookie settings).
The problem is certainly not at the OTP/Apache level, so even with the
RADIUS module, mod_authn_otp or the WiKID variant you will
see the same issue. You should try another browser.


Administrators

Dec 28, 2011, 4:56:00 AM
to RCDevs Security Solutions - Technical
It does not work correctly with PAM, but it works fine with RADIUS.
Download the RADIUS plugin for Apache here:
http://www.rcdevs.com/downloads/download.php?type=1&id=3e7eb096e5af504d492c941254c8795e

Use "apxs -i -a -c mod_auth_radius.c" to compile the module.

Copy the mod_auth_radius.so in your Apache modules dir.

Create a /etc/httpd/conf.d/auth_radius.conf file with:
## This Loads mod_auth_radius into Apache
LoadModule radius_auth_module modules/mod_auth_radius.so
AddRadiusAuth localhost:1812 testing123 5:0
AddRadiusCookieValid 60

Create a .htaccess file in your site with:
AuthName "Private Area"
AuthType basic
AuthBasicProvider radius
AuthRadiusActive On
require valid-user



longjoej

Dec 29, 2011, 9:56:03 PM
to RCDevs Security Solutions - Technical
This method works !

But there is a small issue with the RADIUS logging in the
request.log file. Apparently the users' login info is being logged in
clear. While this is good for initial testing and troubleshooting, it
doesn't fit operational security. Is there any toggle that can be
set in the config to select the logging detail level?

Administrators

Dec 30, 2011, 9:53:48 AM
to RCDevs Security Solutions - Technical
Edit the /opt/radiusd/conf/radiusd.conf file and change:
auth_badpass = yes
auth_goodpass = yes
To:
auth_badpass = no
auth_goodpass = no

Andres Gorostidi

May 12, 2014, 11:14:50 AM
to rcdevs-t...@googlegroups.com

So, the suggested configuration method for Apache and OpenOTP is to use RADIUS?

If so, does that mean I also have to install RADIUS? Which RADIUS do you suggest?

Does it make sense to also have OpenLDAP installed? (I have my users in OpenLDAP; should I move them to RADIUS?)

Administrators

May 13, 2014, 4:55:31 AM
to rcdevs-t...@googlegroups.com
Both RADIUS and PAM implementations should work.

- Apache RADIUS plugin connected to OpenOTP RADIUS Bridge
- Or Apache with PAM auth and the OpenOTP PAM plugin.

With PAM, the users must be Unix users (i.e. PAM-LDAP should be implemented and users must be extended to posixAccounts in WebADM).

carrera4life

Nov 15, 2015, 9:47:12 AM
to RCDevs Security Solutions - Technical
Hi,

(Using the all-in-one-vm download 12/11/2015)

I have tried following your instructions for protecting a web page with access via OpenOTP.
I have installed mod_auth_radius and included a <location> construct for the page I wish to protect.

When I access the page, I get the username/password challenge but no token challenge. In the RADIUS log file I see:

Sun Nov 15 13:04:46 2015 : Auth: rlm_openotp: OpenOTP Authentication failed
Sun Nov 15 13:14:10 2015 : Auth: rlm_openotp: OpenOTP Authentication challenge
Sun Nov 15 13:15:01 2015 : Auth: rlm_openotp: OpenOTP Authentication failed
Sun Nov 15 13:15:10 2015 : Auth: rlm_openotp: OpenOTP Authentication challenge
Sun Nov 15 13:15:13 2015 : Auth: rlm_openotp: Invalid "User-Password" attribute (bad length)
Sun Nov 15 15:23:17 2015 : Auth: rlm_openotp: OpenOTP Authentication failed
Sun Nov 15 15:23:29 2015 : Auth: rlm_openotp: OpenOTP Authentication challenge
Sun Nov 15 15:27:58 2015 : Auth: rlm_openotp: OpenOTP Authentication challenge
Sun Nov 15 15:28:17 2015 : Auth: rlm_openotp: Invalid "User-Password" attribute (bad length)
Sun Nov 15 15:28:46 2015 : Auth: rlm_openotp: OpenOTP Authentication failed

I was expecting to get a second dialog box with a token challenge. Have I missed something?

Thanks

Spyridon Gouliarmis (RCDevs)

Nov 16, 2015, 6:07:36 AM
to RCDevs Security Solutions - Technical
Stop the radiusd service and restart it with "service radiusd debug" for more detailed output. Then keep that terminal open and try an authentication again, then tell us what you see.

(Did you put the right RADIUS secret in AddRadiusAuth?)

carrera4life

Nov 17, 2015, 3:58:04 AM
to RCDevs Security Solutions - Technical

Hi,

Thanks for the pointer. If I change the authentication mechanism to "just" LDAP, it authenticates correctly.
When I set it to LDAPOTP, I am confused as to what to expect. From the image below (which captures the RADIUS debug information), you can see that RADIUS is indeed looking for an OTP response.

However, what gets presented is a username/password dialog: should I expect a tailored challenge dialog box, or do I have to enter something into the one that is presented?

Spyridon Gouliarmis (RCDevs)

Nov 17, 2015, 4:15:31 AM
to RCDevs Security Solutions - Technical
Sorry, I didn't pay attention: you can't handle challenges if you have to translate them to HTTP Basic auth, so the Apache module is probably treating the challenge as an error.

In these cases, you can use LDAPOTP, but afterwards create a client policy with the OpenOTP client ID as name (or alias). You can find that ID in the SQL logs, Database tab. Then in the Application Settings of the policy, in the OTP & U2F section, check the No Challenge Mode directive.

Spyridon Gouliarmis (RCDevs)

Nov 17, 2015, 4:16:34 AM
to RCDevs Security Solutions - Technical
... this should tell OpenOTP to expect both the LDAP password and the OTP concatenated.
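Both the mod_auth_radius configuration posted on Dec 28 (AddRadiusAuth localhost:1812 testing123 5:0) and the No Challenge Mode explanation above come down to one RADIUS Access-Request: HTTP Basic auth gives the module a single password field, so whatever the browser sends in it is hidden with the shared secret per RFC 2865 and shipped to the OpenOTP RADIUS Bridge as User-Password. The example below is added here and is not RCDevs or mod_auth_radius code; it builds and decodes that packet offline to make two things visible: the User-Password attribute is always 16 to 128 bytes in 16-byte blocks (a value that is not is the "bad length" class of error), and in No Challenge Mode the field carries the LDAP password immediately followed by the OTP. The user name, LDAP password and OTP are constructed; the secret "testing123" is the one from the posted config, and the password-then-OTP order is an assumption about OpenOTP's concatenated form.

```python
"""Build a RADIUS Access-Request the way an Apache RADIUS module would, and
decode it the way the bridge does. Added example, not RCDevs code.
Assumptions: RFC 2865 User-Password hiding, the shared secret 'testing123'
from the thread's config, constructed credentials, no network I/O."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32
SECRET = b"testing123"  # from the AddRadiusAuth line in the thread; change it in production


def hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes before hiding")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += c
        prev = c
    return out


def unhide_password(secret, authenticator, hidden):
    """Server side. Rejects values that are not 16..128 bytes in 16-byte
    blocks, i.e. the 'bad length' class of defect before any crypto runs."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("bad length")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """One RADIUS attribute: type, total length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def no_challenge_credential(ldap_password, otp):
    """What the single Basic-auth password field must carry once No Challenge
    Mode is on (assumed order: LDAP password, then OTP)."""
    return ldap_password + otp


def build_access_request(secret, ident, username, password,
                         nas_id=b"Apache", authenticator=None):
    """Return (packet, request_authenticator). A fresh random authenticator
    is generated unless one is supplied for reproducible tests."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(secret, ra, password))
             + attr(NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra


def parse_attrs(packet):
    """Attributes after the 20-byte header, as {type: value}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def demo():
    """Client builds the request; 'bridge' recovers the concatenated credential."""
    cred = no_challenge_credential(b"S3cret!", b"123456")  # constructed values
    pkt, _ = build_access_request(SECRET, 7, b"alice", cred)
    return unhide_password(SECRET, pkt[4:20], parse_attrs(pkt)[USER_PASSWORD])


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the code: the hiding is only MD5 keyed with the shared secret, so a guessable secret such as testing123 lets anyone on the path recover the LDAP password and OTP, and keeping the bridge on localhost:1812 as the posted config does is what keeps that path short. Once the bridge is reconfigured, the OTP is what the server splits off the end of the decoded value, so the user types password and OTP together in the one Basic-auth prompt.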

carrera4life

Nov 17, 2015, 4:40:56 AM
to RCDevs Security Solutions - Technical
Hi,

Thanks, I will give that a go later on today.