google-authenticator-apache-module

Last updated: 2014-10-23

 

Contents

  • Introduction
  • Prepare and Install
  • Apache Setting
  • Secret key files
  • Key files Format
  • Testing & Checking

 

Introduction

Homepage:

https://code.google.com/p/google-authenticator-apache-module/

Download:

wget http://google-authenticator-apache-module.googlecode.com/files/GoogleAut...

How the authentication works:

HTTP Basic authentication resends the credentials with every request, while a one-time code is only valid for a short time window, so the module works around this in two ways:

1. Make the keys valid for much longer periods of time.
2. Write an authentication cookie to the user's browser, and work with that after the first request.


Prepare and Install

 

yum install httpd-devel gcc

yum groupinstall "Development tools"

mkdir googleauthapache

cd googleauthapache

svn co http://google-authenticator-apache-module.googlecode.com/svn/trunk

cd trunk

# After just "make" the .so has not been produced yet !!

make

make install

# After "make install" the .so file is created at

/usr/lib/httpd/modules/mod_authn_google.so

 


Apache Setting:

/etc/httpd/conf/httpd.conf

LoadModule authn_google_module modules/mod_authn_google.so

/etc/httpd/conf.d/vhosts.conf

# Basic Authentication
# Note: <Directory /> applies this to every path Apache can serve from this vhost;
# scope it more narrowly if only part of the site needs two-factor login.
   <Directory />
    Options FollowSymLinks -ExecCGI
    AllowOverride None
    Order deny,allow
    Allow from all
    
    AuthType Basic
    AuthName "My Login"
    AuthBasicProvider "google_authenticator"
    Require valid-user
    
    # GoogleAuthUserPath is the directory holding the per-user secret key files,
    # relative to ServerRoot (/etc/httpd on this box, as the error log below shows).
    # When user "abc" logs in, the module reads ga_auth/abc <-- secret key file
    GoogleAuthUserPath ga_auth
    
    # lifetime of the authentication cookie in seconds; after it expires the user must re-authenticate
    GoogleAuthCookieLife 3600
    
    # Default value is "1" (+/- 30 seconds around the current 30-second step)
    # "2" would accept entries +/- 60 seconds
    # This is only used for Basic authentication (it does not work with Digest authentication)!!
    GoogleAuthEntryWindow 2
    
   </Directory>

# restart service

/etc/init.d/httpd restart

P.S.

* NTP is highly recommended: the one-time codes are derived from the current time, so a skewed server clock rejects valid codes.


Secret key files:

 

mkdir /etc/httpd/ga_auth

# generate a key (interactive; writes ~/.google_authenticator)

google-authenticator

# the file name is the login name, here user "foo"

cp ~/.google_authenticator /etc/httpd/ga_auth/foo

The copied file holds the user's TOTP seed in clear: it must be readable by the user httpd runs as, and by nobody else.


Key files Format

# First line: the 16-character Base32-encoded secret key
# Option lines start with a double quote (see below)

abcdefabcdef2345

# A static password used in conjunction with the one-time code:
# the user enters the static password immediately followed by the 6-digit one-time code

abcdefabcdef2345
"PASSWORD=mySecret

testing:

user input:

mySecret123456

NOTE: The static password option is only present in release "r21" and up!!
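To make the "static password + one-time code" check concrete, here is an added Python example (not code from the module or from this page) that re-implements what the two sections above describe: read the key file (first line is the Base32 secret, a line starting with a double quote and PASSWORD= gives the static password), then accept the user's input when it is the static password immediately followed by a 6-digit code that is valid within GoogleAuthEntryWindow steps of 30 seconds. The function names, the decision to accept a lower-case secret, and the choice to ignore the other option lines google-authenticator writes are assumptions of this example. The sample key file is constructed; its secret is the RFC 4226/6238 test key, so the expected codes are the published ones.

```python
"""Check a Basic-auth password against a mod_authn_google style key file.

Added example, not code from the module: it re-implements the behaviour the
page documents (first line = Base32 TOTP secret, an optional '"PASSWORD='
option line, the user typing the static password immediately followed by the
6-digit code, and GoogleAuthEntryWindow steps of 30 s accepted either side of
the current one). Other option lines google-authenticator writes (for example
'" RATE_LIMIT ...') are ignored here; that is an assumption of this example.
"""
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30    # TOTP step used by Google Authenticator (RFC 6238 default)
CODE_DIGITS = 6

# Constructed sample key file. The secret is the RFC 4226/6238 test key
# "12345678901234567890" in Base32, so the expected codes are published.
SAMPLE_KEY_FILE = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n"PASSWORD=mySecret\n'


def parse_key_file(text):
    """Return (secret_bytes, static_password) from the key-file text.

    The first non-option line is the Base32 secret; lines starting with a
    double quote are options, of which only PASSWORD= is handled, as on the
    page. static_password is None when no PASSWORD= line is present.
    """
    secret = None
    static_pw = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('"'):
            opt = line[1:].strip()
            if opt.startswith("PASSWORD="):
                static_pw = opt[len("PASSWORD="):]
            continue
        if secret is None:
            secret = line
    if secret is None:
        raise ValueError("key file contains no secret line")
    # Base32 alphabet is A-Z and 2-7; accepting lower case is an assumption.
    # Pad to a multiple of 8 characters so b32decode accepts it.
    s = secret.upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s), static_pw


def hotp(secret, counter):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (CODE_DIGITS, value % 10 ** CODE_DIGITS)


def check_password(key_file_text, user_input, now=None, entry_window=1):
    """Return True if user_input is <static password><code> and the code is
    valid within +/- entry_window steps of `now` (seconds since the epoch)."""
    secret, static_pw = parse_key_file(key_file_text)
    code = user_input
    if static_pw is not None:
        if not user_input.startswith(static_pw):
            return False
        code = user_input[len(static_pw):]
    if len(code) != CODE_DIGITS or not code.isdigit():
        return False
    counter = int(time.time() if now is None else now) // TIME_STEP
    ok = False
    # Check every candidate (no early return) and compare in constant time.
    for delta in range(-entry_window, entry_window + 1):
        candidate = counter + delta
        if candidate < 0:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            ok = True
    return ok


if __name__ == "__main__":
    # At T=59 s the current step is 1, whose published code is 287082.
    print(check_password(SAMPLE_KEY_FILE, "mySecret287082", now=59))                  # True
    print(check_password(SAMPLE_KEY_FILE, "mySecret969429", now=59))                  # False: step 3, outside window 1
    print(check_password(SAMPLE_KEY_FILE, "mySecret969429", now=59, entry_window=2))  # True
```

With `now` left at its default the check uses the real clock, which is exactly why the NTP note above matters: a server clock more than `entry_window` steps off rejects every genuine code.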


Testing & Checking

error log:

# Non-existent user

[Thu Oct 23 18:32:13 2014] [error] [client x.x.x.x] getUserSecret with username "test"\n
[Thu Oct 23 18:32:13 2014] [error] [client x.x.x.x] (2)No such file or directory: OPENING FILENAME /etc/httpd/ga_auth/test
[Thu Oct 23 18:32:13 2014] [error] [client x.x.x.x] (2)No such file or directory: check_password: Couldn't open password file: /etc/httpd/ga_auth/test
[Thu Oct 23 18:32:13 2014] [error] [client x.x.x.x] user test: authentication failure for "/": Password Mismatch

# Wrong password (or a misbehaving browser)

[Thu Oct 23 18:31:43 2014] [error] [client x.x.x.x] getUserSecret with username "admin"\n
[Thu Oct 23 18:31:43 2014] [error] [client x.x.x.x] OPENING FILENAME /etc/httpd/ga_auth/admin
[Thu Oct 23 18:31:43 2014] [error] [client x.x.x.x] user admin: authentication failure for "/": Password Mismatch
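Both cases above end in the same "Password Mismatch" line; only the preceding "Couldn't open password file" line tells an unknown user apart from a wrong code. The following is an added Python example (not code from the page or the module) that parses error_log lines of this shape, labels each failed login with that distinction, and counts failures per client so repeated guessing from one address stands out. The sample log is constructed from the lines above with documentation IP addresses; the function names and the per-client threshold are this example's own.

```python
"""Classify mod_authn_google login failures from Apache's error_log.

Added example, not part of the original page or the module. It relies on the
message texts shown on the page: a failed login always ends with
'user <name>: authentication failure for "<uri>": Password Mismatch', and an
unknown user is preceded by 'check_password: Couldn't open password file: <path>'.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$"
)
NO_FILE_RE = re.compile(r"Couldn't open password file: (?P<path>\S+)$")
MISMATCH_RE = re.compile(
    r'user (?P<user>\S+): authentication failure for "(?P<uri>[^"]*)": Password Mismatch'
)

# Constructed sample modelled on the lines above; the client IPs are
# documentation addresses (RFC 5737), not real clients.
SAMPLE_LOG = """\
[Thu Oct 23 18:32:13 2014] [error] [client 203.0.113.5] getUserSecret with username "test"\\n
[Thu Oct 23 18:32:13 2014] [error] [client 203.0.113.5] (2)No such file or directory: OPENING FILENAME /etc/httpd/ga_auth/test
[Thu Oct 23 18:32:13 2014] [error] [client 203.0.113.5] (2)No such file or directory: check_password: Couldn't open password file: /etc/httpd/ga_auth/test
[Thu Oct 23 18:32:13 2014] [error] [client 203.0.113.5] user test: authentication failure for "/": Password Mismatch
[Thu Oct 23 18:31:43 2014] [error] [client 198.51.100.7] getUserSecret with username "admin"\\n
[Thu Oct 23 18:31:43 2014] [error] [client 198.51.100.7] OPENING FILENAME /etc/httpd/ga_auth/admin
[Thu Oct 23 18:31:43 2014] [error] [client 198.51.100.7] user admin: authentication failure for "/": Password Mismatch
"""


def parse_line(line):
    """Split one error_log line into timestamp, level, client IP and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_failures(log_text):
    """Return one (timestamp, ip, user, reason) tuple per failed login.

    reason is "no_key_file" when the module could not open
    <GoogleAuthUserPath>/<user> for that client just before the mismatch,
    otherwise "bad_password".
    """
    missing = set()   # (ip, user) pairs whose key file could not be opened
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = NO_FILE_RE.search(rec["msg"])
        if m:
            # the key file name is the login name
            missing.add((rec["ip"], m.group("path").rsplit("/", 1)[-1]))
            continue
        m = MISMATCH_RE.search(rec["msg"])
        if m:
            key = (rec["ip"], m.group("user"))
            reason = "no_key_file" if key in missing else "bad_password"
            missing.discard(key)
            events.append((rec["ts"], rec["ip"], m.group("user"), reason))
    return events


def failures_per_client(events, threshold=1):
    """Count failed logins per client IP, keeping clients at or above threshold."""
    counts = Counter(ip for _, ip, _, _ in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = classify_failures(SAMPLE_LOG)
    for ev in found:
        print(ev)
    print(failures_per_client(found))
```

Feed it the real file with `classify_failures(open("/var/log/httpd/error_log").read())`; raising the threshold in `failures_per_client` turns it into a crude brute-force indicator for one address.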