Again, nothing fancy, and I'm sure there are those out there who could make this more elaborate. This form displays nothing more than a field asking for a user ID, a submit button and a reset button. If the user ID is not in the cellist file listed above, the script errors out. If you enter nothing in the field and hit the submit button, the script will error out. Get the user name right and hit enter and the above cgi script runs. The initial URL was an https connection (https://webserver/index.html). I used a self-signed certificate for proof of concept. The rest of the URLs use https as well, so nothing goes out in the clear. You certainly do not have to use secure http. The cgi script parses the output of the form ($QUERY_STRING) and pulls out the user ID. It also identifies, but DOES NOT show on the web page, the user's PIN number and cell phone Email address.

# cat htpasschg_v4.cgi
#!/bin/sh
#
#
####################################################
# Author: Gary Keen
# Date: 9/15/08
# Description:
# Change a user's htpasswd but include the PIN
# that THEY will know and Email the token.
#
####################################################
#------------------ Variables ---------------------#
echo -e "Content-type: text/html\n\n"
echo ""
UI=`echo "$QUERY_STRING" | awk -F"=" '{print $2}'`
PASFILE=/etc/httpd/htauth/htpasswd_file
MASLIST=/etc/httpd/htauth/cellist
HTPASSWD=/usr/bin/htpasswd
#
#-------------------------------------------------#
if [ -z "$UI" ]
then
echo "Use the back button to return to the login page."
echo "Please enter user name"
exit 0
else
USER=$UI
fi
#--------- Does the user have an account ---------#
# Match the whole first field so "user" cannot match "userid";
# stderr is discarded with 2>&1 (the original 2<&1 opened stderr for reading)
grep "^$USER:" "$MASLIST" >/dev/null 2>&1
FOUND=$?
if [ $FOUND != 0 ]
then
echo "You don't have a user account. Try again."
exit 0
fi
# Second and third colon-separated fields of the matching cellist line
PIN=`grep "^$USER:" "$MASLIST" | awk -F":" '{print $2}'`
MAILADRS=`grep "^$USER:" "$MASLIST" | awk -F":" '{print $3}'`
#------------------ Functions --------------------#
genrandom () {
# Six hex characters read from the kernel random device
RANDUM=`/usr/bin/od -A x -t x -N 4 /dev/random |head -1 |awk '{print $2}' |cut -c1-6`
# or
# RANDUM=`hexdump -C -n 4 -s m -x /dev/random |head -1| awk '{print $2$3$4$5}'|cut -c2-5`
# or
# Use an actual cipher. I believe there are several in the public domain (blowfish, 2fish, mars ... etc.)
}
#
mailout () {
# Mail the random half of the password to the user's cell phone
echo " $RANDUM " | mail -s "Your security token" "$MAILADRS"
echo "You will be directed to your secured page and your token ID is being Emailed."
sleep 1
}
#
genpasswd () {
# Set the user's htpasswd entry to the PIN followed by the random token
$HTPASSWD -b "$PASFILE" "$USER" "$PIN$RANDUM" >/dev/null 2>&1
}
#
#------------------- Go to work ------------------#
genrandom
genpasswd
mailout
#-------------------------------------------------#
sleep 1

#################################################################################
# Searchable Keywords: two factor authentication apache security token          #
#################################################################################

Two Factor Authentication Using a Cell Phone as a Token

Author: Gary Keen
Date: Sept 20 2008

Purpose:
The purpose of the 2factor code was to provide simple two factor authentication to an Apache web server using https, the htaccess security features of Apache and a cell phone as a token.

SECURITY:
Two factor authentication is a good thing to have, but I will be the first to admit that there are holes in this and it is NOT without risk. Once you enter your password into the site, the script goes back and changes your password to another random number after 60 seconds, so you cannot use the same password over again, at least not after 60 seconds.

How it works:
The first thing I did was install the Apache web server. This code was originally built and tested on a CentOS 5 Linux system, 700 MHz, 512 MB memory. Nothing special was done in the configuration of Apache.
I created a directory on the system that I wanted to protect, or only wanted to allow selected users into. In this directory I created a .htaccess file. The one that follows is similar to the one I originally used.

Step 1)
# cat .htaccess
AuthType Basic
AuthUserFile /etc/httpd/htauth/htpasswd_file
AuthGroupFile /etc/httpd/htauth/htgroup
AuthName private_web
require group private_web
order allow,deny
allow from all

Step 2)
Next I created a file that would hold the user names, cell phone numbers and PIN numbers of the users I would allow access into my protected directory. This file I called cellist and placed it with the password file that would be used by the htpasswd command in /etc/httpd/htauth.

# cat /etc/httpd/htauth/cellist
userid:1234:user.one@tmomail.net
userid:5678:user.two@sprint.com
userid:9101:userthree@att.net

The file is colon delimited and will be easy to parse fields from. The first field is the user ID, which the user of course will know. The second field is the PIN number that the user will have to be told and will have to remember. The third is the Email address of the cell phone we will email once the random half of the password is generated.

Step 3)
The next step involved putting together a web page in form format that would call a cgi script.

# cat index.html
(The form markup of index.html and the link tags in the script's closing echo statements did not survive; only the link text below remains.)
echo "Click here to be redirected to a list of secured directories."
# or
# echo "Click here to be redirected to a list of secured directories."
echo ""
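As an added example, not Gary Keen's script and not part of the original page, the POSIX shell functions below show a hardened form of the three things htpasschg_v4.cgi does with the cellist file described in Step 2: pull the user ID out of $QUERY_STRING, validate it and look it up with an exact first-field match, and generate the random half of the one-time password from the kernel random device. The cellist contents, user names and example.* addresses are constructed for this example; the htpasswd and mail steps are deliberately left out so the block runs without Apache or a mailer installed, and the 60-second re-randomisation the SECURITY section mentions is not implemented here.

```shell
#!/bin/sh
# Hardened variants of the cgi script's input parsing, cellist lookup
# and token generation. The cellist below is constructed for this
# example; its layout (userid:pin:email) follows the page.

CELLIST="${TMPDIR:-/tmp}/cellist.example.$$"
cat > "$CELLIST" <<'EOF'
alice:1234:alice.phone@example.net
bob:5678:bob.phone@example.com
bobby:9101:bobby.phone@example.org
EOF

# Value of the first form field in a QUERY_STRING such as
# "userid=alice&submit=Submit". Prints the value; empty output means none.
uid_from_query() {
    printf '%s\n' "$1" | awk -F'[=&]' '{print $2}'
}

# Accept only a conservative character set so the ID can be used safely
# in patterns and command arguments. Percent-encoded or shell-special
# input is rejected rather than decoded. Returns 1 on rejection.
validate_uid() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print "pin:email" for an exact first-field match; the page's unanchored
# grep would also let "bob" match the "bobby" line. Exit 1 if not found.
lookup_user() {
    awk -F':' -v u="$1" '$1 == u { print $2 ":" $3; found = 1 }
                         END { exit found ? 0 : 1 }' "$CELLIST"
}

# Six lowercase hex characters (three bytes) from the non-blocking CSPRNG.
gen_token() {
    od -An -N 3 -t x1 /dev/urandom | tr -d ' \n'
}

# Full flow: validate, look up, and build the password the user will type
# (PIN followed by the token that would be mailed). Prints "email password".
# Returns 1 for a bad ID and 2 for an unknown user.
one_time_password() {
    uid=$(uid_from_query "$1")
    validate_uid "$uid" || return 1
    rec=$(lookup_user "$uid") || return 2
    pin=${rec%%:*}
    email=${rec#*:}
    printf '%s %s%s\n' "$email" "$pin" "$(gen_token)"
}
```

In the real script the email and password printed by one_time_password would go to mail and htpasswd respectively, never to the browser. The block leaves its constructed cellist in $TMPDIR; remove it when done.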