################################################################################# # Searchable Keywords: two factor authentication apache security token # ################################################################################# Two Factor Authentication Using a Cell Phone as a Token Author: Gary Keen Date: Sept 20 2008 Purpose: The purpose of the 2factor code was to provide simple two factor authentication to a Apache web server using https, htaccess security features of Apache and a cell phone as a token. SECURITY: Two factor authentication is a good thing to have but I will be the first to admit that there are wholes in this and is NOT without risk. Once you enter your password into the site the script goes back and changes your password to another random number after 60 seconds. So you cannot use the same password over again. At least not after 60 seconds. How it works: The first thing I did is install Apache web server. This code was originally built and tested on a Centos 5 Linux system, 700mhz, 512mb memory. Nothing special was done in the configuration of Apache. I created a directory on the system I wanted to protect or only wanted to allow selected users. In this directory I created a .htaccess file. The one that follows is similar to the one I originally used. Step 1) # cat .htaccess AuthType Basic AuthUserFile /etc/httpd/htauth/htpasswd_file AuthGroupFile /etc/httpd/htauth/htgroup AuthName private_web require group private_web order allow,deny allow from all Step 2) Next I created a file that would hold the user names, cell phone numbers and pin numbers of the users in which I would allow access into my protected directory. This file I called cellist and placed it in with the password file that would be used by htpasswd cmd in /etc/httpd/htauth. # cat /etc/httpd/htauth/cellist userid:1234:user.one@tmomail.net userid:5678:user.two@sprint.com userid:9101:userthree@att.net The file is semicolon delimited and will be easy to parse fields from. The first field is the user id that the user of course will know. The second field is the pin number that the user will have to be told and they will have to remember. The third is the Email address of the cell phone we will email once the random half of the password is generated. Step 3) The next step involved putting together a web page that used form format that would call a cgi script. # cat index.html

<FORM action="https://apacheweb/cgi-bin/htpasschg_v4.cgi" method="get"> <P> User name: <INPUT type="text" name="username"><BR> <INPUT type="submit" value="Send"> <INPUT type="reset"> </P> </FORM> <html><head></head><body> Again, nothing fancy and I'm sure there are those out there that could make this more elaborate. This form displays nothing more than a field asking for a user ID, a submit button and a reset button. If the user ID is not in the cellist file listed above the script errors. If you enter nothing in the field and hit the submit button, the script will error out. Get the user name right and hit enter and the above cgi script runs. The initial URL was a https connection(https://webserver/index.html). I used a self signed certificate for proof of concept. The rest of the URLs include https as well. This way nothing goes out in clear. You certainly do not have to use secure http. The cgi script parses the out put of the form ( $QUERY_STRING ) and pulls out the user ID. It also identifies but DOES NOT show on the web page the users pin number and cellphone Email address. # cat htpasschg_v4.cgi #!/bin/sh # # #################################################### # Author: Gary Keen # Date: 9/15/08 # Description: # Change a users htpasswd but include the PIN # that THEY will know and Email the token #. # #################################################### #------------------ Variables ---------------------# echo -e "Content-type: text/html\n\n" echo "" UI=`echo $QUERY_STRING | awk -F"=" '{print $2}'` PASFILE=/etc/httpd/htauth/htpasswd_file MASLIST=/etc/httpd/htauth/cellist HTPASSWD=/usr/bin/htpasswd # #-------------------------------------------------# if [ -z "$UI" ] then echo "Use the back button to return to the login page." echo "Please enter user name" exit 0 else USER=$UI fi #--------- Does the user have an account ---------# cat $MASLIST |grep $USER >/dev/null 2<&1 FOUND=$? if [ $FOUND != 0 ] then echo "You don't have a user account. Try again." exit 0 else USER=$USER fi PIN=`cat $MASLIST | grep $USER |awk -F":" '{print $2}'` MAILADRS=`cat $MASLIST | grep $USER |awk -F":" '{print $3}'` USER=$USER #------------------ Functions --------------------# genrandom () { RANDUM=`/usr/bin/od -A x -t x -N 4 /dev/random |head -1 |awk '{print $2}' |cut -c1-6` # or # RANDUM=`hexdump -C -n 4 -s m -x /dev/random |head -1| awk '{print $2$3$4$5}'|cut -c2-5` # or # Use an actual cipher. I believe there several in the public domain(blowfish,2fish,mars....etc) } # mailout () { echo " $RANDUM " | mail -s "Your security token" $MAILADRS echo "You will be directed to your secured page and your token ID is being Emailed." sleep 1 } # genpasswd () { $HTPASSWD -b $PASFILE $USER $PIN$RANDUM >/dev/null 2<&1 } # #------------------- Go to work ------------------# genrandom genpasswd mailout #-------------------------------------------------# sleep 1 echo "<p>Click <a href="/gosecure.html"> here to be redirected to a list of secured directories. </p>" # or # echo "<p>Click <a href="/restricted"> here to be redirected to a list of secured directories. </p>" echo "</body></html>" #--------------------- EOF ---------------------# Finally) Once the script authenticates you and changes your password in the the htpasswd_file you are Emailed the second part of the password. Your entire password is the combination of your pin number and your random alpha numeric code that is Emailed you. This does assume you have sendmail or some MTA running your host. NOTE: In my case, the Apache process ran as user apache. In order to have the script change the user password. I had to allow group write for group apache. If user apache becomes compromised, your htpasswd_file could be at risk. # ls -l /etc/httpd/htauth -rw-r--r-- 1 root root 33 Sep 15 21:29 cellist -rw-rw-r-- 1 root apache 19 Sep 16 22:09 htgroup -rw-rw-r-- 1 root apache 20 Sep 20 21:59 htpasswd_file The length of the pin as well as the length of the random number is variable. To get a longer pin, all you need to do is edit the cellist file and make the number the length or as complex as you want. To make the random number longer you would have to play with hexdump or octal dump command. I chose the numbers and complexity I did for speed rather than real world security. At the end of the script a html tag calls either the restricted directory or I started playing with another form web page that might list several restricted directories. The one in the script, gosecure.html points to the same restricted directory regardless of which selection you make but I thought it might have merit for future use. Contents of the gosecure.html file. <form method="post" action="https://apacheweb/restricted/"> <select size="10" name="SECURED"> <option>Secured directory one</option> <option>Secured directory two</option> <option>Secured directory three</option> <option>Secured directory four</option> </select> <input type="submit"> </form> Either way you are presented with the login dialog box to access the restricted directory. At which point you can login with user ID and your password is the pin number you know and the random number you had been sent by the server itself to your cell phone. If you find this code useful, it's free to use. I just hope you have the courtesy to grant me some credit for the original idea and coding. Thank you. #############################################################################