Last updated: 2014-10-23
Contents
- Introduction
- Prepare and Install
- Apache Setting
- Secret key files
- Key files Format
- Testing & Checking
Introduction
Homepage:
https://code.google.com/p/google-authenticator-apache-module/
Download:
wget http://google-authenticator-apache-module.googlecode.com/files/GoogleAut...
How the module's authentication works:
1. Make the keys valid for much longer periods of time
2. Write an authentication cookie to the user's browser, and work with that after the first request.
Prepare and Install
yum install httpd-devel gcc
yum groupinstall "Development tools"
mkdir googleauthapache
cd googleauthapache
svn co http://google-authenticator-apache-module.googlecode.com/svn/trunk
cd trunk
# running make alone does not produce the .so yet !!
make
make install
# after make install, the .so file is created at
/usr/lib/httpd/modules/mod_authn_google.so
Apache Setting:
/etc/httpd/conf/httpd.conf
LoadModule authn_google_module modules/mod_authn_google.so
/etc/httpd/conf.d/vhosts.conf
# Basic Authentication
<Directory />
    Options FollowSymLinks -ExecCGI
    AllowOverride None
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName "My Login"
    AuthBasicProvider "google_authenticator"
    Require valid-user
    # GoogleAuthPath is the root directory to hold user authentication (secret key files)
    # when user "abc" logs in, /usr/local/apache2/ga_auth/abc is read <-- secret key file
    GoogleAuthUserPath ga_auth
    # seconds before re-authentication is needed
    GoogleAuthCookieLife 3600
    # Default value is "1"
    # "2" would accept entries +/- 60 seconds
    # This is only used for Basic authentication (does not work with Digest authentication)!!
    GoogleAuthEntryWindow 2
</Directory>
# restart service
/etc/init.d/httpd restart
P.S.
* NTP is highly recommended
Secret key files:
mkdir /etc/httpd/ga_auth
# gen key
google-authenticator
cp ~/.google_authenticator /etc/httpd/ga_auth/foo
Key files Format
# option lines start with a double-quote
# 16-character Base32-encoded key
abcdefabcdef2345
# a static password can be used in conjunction with the one-time code
# static password immediately followed by the 6-digit one-time code
abcdefabcdef2345
"PASSWORD=mySecret
testing:
user input:
mySecret123456
NOTE: The static password option is only present in release "r21" and up!!
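As an added example (not code from this page or from the module's own sources), the following Python script parses a key file in the format above and verifies a user input the way the static-password mode is described: the static password comes first, immediately followed by the 6-digit TOTP code, and the code is checked against the Base32 secret with HMAC-SHA1 over 30-second steps. The window_seconds parameter models GoogleAuthEntryWindow in seconds: 0 accepts only the current step, 60 accepts +/- 60 seconds as the page states for a value of 2; the module's exact mapping for other values is not given on the page and is not reproduced here. The sample key file body and every function name in the block are constructed for this example.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # TOTP time step used by Google Authenticator

# Constructed key file body in the format shown above: the first line is the
# Base32 secret, and an option line starting with a double-quote sets the
# static password that must precede the 6-digit code.
SAMPLE_KEY_FILE = 'abcdefabcdef2345\n"PASSWORD=mySecret\n'


def parse_key_file(text):
    """Return (base32_secret, static_password) from a key file body.

    static_password is None when the file has no "PASSWORD= option line.
    """
    secret = None
    static_password = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('"'):
            option = line[1:].strip()
            if option.startswith("PASSWORD="):
                static_password = option[len("PASSWORD="):]
            continue  # other option lines are ignored in this example
        if secret is None:
            secret = line  # first non-option line is the secret
    if secret is None:
        raise ValueError("key file contains no secret")
    return secret, static_password


def hotp(secret_b32, counter):
    """RFC 4226 HOTP: 6 digits, HMAC-SHA1 over the big-endian 8-byte counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%06d" % (code % 1_000_000)


def totp(secret_b32, now):
    """RFC 6238 TOTP for the Unix time `now` with a 30-second step."""
    return hotp(secret_b32, int(now) // STEP_SECONDS)


def check_password(key_file_text, user_input, now, window_seconds=0):
    """Verify `user_input` (static password + 6-digit code) against a key file.

    window_seconds is the tolerance in seconds on either side of `now`,
    rounded down to whole 30-second steps.
    """
    secret, static_password = parse_key_file(key_file_text)
    if static_password is not None:
        prefix = user_input[:len(static_password)]
        # constant-time comparison of the static part
        if not hmac.compare_digest(prefix.encode(), static_password.encode()):
            return False
        code = user_input[len(static_password):]
    else:
        code = user_input
    if len(code) != 6 or not code.isdigit():
        return False
    counter = int(now) // STEP_SECONDS
    slack = window_seconds // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, c).encode(), code.encode())
        for c in range(counter - slack, counter + slack + 1)
    )


if __name__ == "__main__":
    import time
    current = totp("abcdefabcdef2345", time.time())
    print("current code for the sample secret:", current)
    print("accepted:", check_password(SAMPLE_KEY_FILE, "mySecret" + current, time.time()))
```

Note that with the static password in front, a wrong static password is rejected before any code is computed, and that widening the window trades replay exposure for clock tolerance, which is why the page recommends NTP on the server rather than a large GoogleAuthEntryWindow.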
Testing & Checking
error log:
# nonexistent user
[Thu Oct 23 18:32:13 2014] [error] [client x.x.x.x] getUserSecret with username "test"\n
[Thu Oct 23 18:32:13 2014] [error] [client x.x.x.x] (2)No such file or directory: OPENING FILENAME /etc/httpd/ga_auth/test
[Thu Oct 23 18:32:13 2014] [error] [client x.x.x.x] (2)No such file or directory: check_password: Couldn't open password file: /etc/httpd/ga_auth/test
[Thu Oct 23 18:32:13 2014] [error] [client x.x.x.x] user test: authentication failure for "/": Password Mismatch
# wrong password or a silly browser
[Thu Oct 23 18:31:43 2014] [error] [client x.x.x.x] getUserSecret with username "admin"\n
[Thu Oct 23 18:31:43 2014] [error] [client x.x.x.x] OPENING FILENAME /etc/httpd/ga_auth/admin
[Thu Oct 23 18:31:43 2014] [error] [client x.x.x.x] user admin: authentication failure for "/": Password Mismatch
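The two log excerpts above look alike at the end (both finish with "Password Mismatch"), but only the first contains the "Couldn't open password file" line that tells a missing key file (a user that was never enrolled, or a wrong GoogleAuthUserPath) apart from a valid user entering a bad code. As an added example that is not part of the page or of the module, the script below classifies error_log lines into those two cases and counts failures per client and per user, which is useful both when checking a fresh setup and when watching for repeated failures. The sample lines are constructed after the page's excerpts, with documentation-range addresses instead of x.x.x.x, and the threshold value is an arbitrary choice for the example.

```python
import re
from collections import Counter

# Constructed sample of the module's error_log output, modelled on the excerpts
# above; the client addresses are documentation-range placeholders, not real hosts.
SAMPLE_ERROR_LOG = r"""
[Thu Oct 23 18:32:13 2014] [error] [client 203.0.113.5] getUserSecret with username "test"\n
[Thu Oct 23 18:32:13 2014] [error] [client 203.0.113.5] (2)No such file or directory: OPENING FILENAME /etc/httpd/ga_auth/test
[Thu Oct 23 18:32:13 2014] [error] [client 203.0.113.5] (2)No such file or directory: check_password: Couldn't open password file: /etc/httpd/ga_auth/test
[Thu Oct 23 18:32:13 2014] [error] [client 203.0.113.5] user test: authentication failure for "/": Password Mismatch
[Thu Oct 23 18:31:43 2014] [error] [client 198.51.100.7] getUserSecret with username "admin"\n
[Thu Oct 23 18:31:43 2014] [error] [client 198.51.100.7] OPENING FILENAME /etc/httpd/ga_auth/admin
[Thu Oct 23 18:31:43 2014] [error] [client 198.51.100.7] user admin: authentication failure for "/": Password Mismatch
[Thu Oct 23 18:31:55 2014] [error] [client 198.51.100.7] getUserSecret with username "admin"\n
[Thu Oct 23 18:31:55 2014] [error] [client 198.51.100.7] OPENING FILENAME /etc/httpd/ga_auth/admin
[Thu Oct 23 18:31:55 2014] [error] [client 198.51.100.7] user admin: authentication failure for "/": Password Mismatch
""".strip().splitlines()

# Apache 2.2 style error_log prefix: [timestamp] [error] [client addr] message
PREFIX_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
# the module could not open the per-user key file under GoogleAuthUserPath
MISSING_RE = re.compile(r"Couldn't open password file: (?P<path>\S+)")
# final verdict line written by mod_auth for a failed Basic auth attempt
FAILURE_RE = re.compile(r'^user (?P<user>\S+): authentication failure for "(?P<uri>[^"]*)": (?P<reason>.+)$')


def classify(line):
    """Map one error_log line to an event dict, or None for lines not tracked here."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    missing = MISSING_RE.search(msg)
    if missing:
        # no key file for that user: the name was never enrolled (or the path is wrong)
        return {"client": m.group("client"), "kind": "missing_key_file",
                "user": missing.group("path").rsplit("/", 1)[-1]}
    failure = FAILURE_RE.match(msg)
    if failure:
        return {"client": m.group("client"), "kind": "auth_failure",
                "user": failure.group("user"), "reason": failure.group("reason")}
    return None


def summarize(lines, threshold=2):
    """Count failures per client and per user, and list users with no key file."""
    events = [e for e in (classify(l) for l in lines) if e is not None]
    per_client = Counter(e["client"] for e in events if e["kind"] == "auth_failure")
    per_user = Counter(e["user"] for e in events if e["kind"] == "auth_failure")
    not_enrolled = sorted({e["user"] for e in events if e["kind"] == "missing_key_file"})
    noisy_clients = sorted(c for c, n in per_client.items() if n >= threshold)
    return {
        "failures_per_client": dict(per_client),
        "failures_per_user": dict(per_user),
        "users_without_key_file": not_enrolled,
        "clients_over_threshold": noisy_clients,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ERROR_LOG).items():
        print(key, value)
```

Run it against a real log with `summarize(open("/var/log/httpd/error_log").read().splitlines())`; a user that keeps appearing under users_without_key_file while the setup is otherwise working usually means the key file was copied under the wrong name, as in the cp step above.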