Google Authenticator is a good thing. It not only strengthens login to a Google account, but, because it is open source, it has also been deployed elsewhere, for example in Linux PAM and WordPress, so that users can use Google's OTP to protect their servers, websites, and PCs. I have previously written a detailed tutorial on using Google Authenticator to enhance the security of a VPS, WordPress, and even desktop computers; that article describes how to deploy Google Authenticator on servers, in WordPress, and on PCs. If you think that is still not safe enough, this article will show you how to deploy it in Apache.
I. Advantages of Google Authenticator's Apache module
How do you harden a server? This question has always been a focus of discussion among webmasters. For SSH login you can restrict the source IP addresses, disable password login (allowing only public-key login), and use Fail2ban to deal with brute-force attempts, even adding the offending IP addresses to an iptables blacklist. But what about the web front end? You cannot restrict access by IP address there. For example, the WordPress admin backend and the phpMyAdmin login page are exposed to attack. The simple way to defend them is to add a verification layer with mod_auth_basic or mod_auth_digest; the more advanced option is two-way (client-certificate) TLS authentication in mod_ssl. However, the former is too simple: if the page is served over http://, the password is transmitted in plaintext, which is very convenient for an attacker. The latter is comparatively complicated: you need to create and maintain a CA yourself, or pay a third-party CA to sign the certificates. Google Authenticator's Apache module, mod_authn_google, provides an economical, convenient, simple, and effective authentication method: dynamic (one-time) password authentication.
Compared with mod_auth_basic, the mod_authn_google password is dynamic and cannot be guessed or replayed after it expires. Compared with mod_ssl two-way TLS authentication, mod_authn_google removes the need for third-party CA signatures and complicated CA certificate configuration.
II. Install mod_authn_google
Because this is not an official module, we must download and install it ourselves. The main page of this project is here, but the module provided in its download list has bugs. If you do not want to fix the bug yourself, you can download a mod_authn_google build with the bug fixed here.
Note that this module is compiled for 64-bit Linux. If you are using a 32-bit system, download the source code and compile it yourself.
The download is a .so library file, which you can install with the apxs2 script. Taking Ubuntu and other APT/dpkg-based distributions as an example, this script is provided by the apache2-prefork-dev package:
- sudo apt-get install apache2-prefork-dev
Then you can use apxs2 to install the module:
- sudo apxs2 -i -a -n authn_google mod_authn_google.so
Meanings of the parameters:
- -i: install the module
- -a: automatically add a LoadModule statement so that the module is loaded
- -n authn_google: name of the module after installation
- mod_authn_google.so: file name of the downloaded module
Because this is a pre-compiled module, you can also install it manually instead of using the script:
- sudo cp mod_authn_google.so /usr/lib/apache2/modules/
- echo "LoadModule authn_google_module /usr/lib/apache2/modules/mod_authn_google.so" | sudo tee /etc/apache2/mods-available/authn_google.load
III. Configure mod_authn_google
First, create a place for storing the authentication information, such as /etc/apache2/ga_auth. Then edit the /etc/apache2/mods-available/authn_google.conf file. The following is an example (Apache does not accept trailing comments on a directive line, so the comments are placed on their own lines):
- <Directory /secret>
-     # Directory to be protected
-     Options FollowSymLinks Indexes ExecCGI
-     # Allow .htaccess to override the global settings in each directory
-     AllowOverride All
-     Order deny,allow
-     Allow from all
-     AuthType Basic
-     # Prompt shown in the browser's login pop-up
-     AuthName "Secret"
-     AuthBasicProvider "google_authenticator"
-     Require valid-user
-     # Directory holding the per-user authentication files (relative to ServerRoot, i.e. /etc/apache2/ga_auth)
-     GoogleAuthUserPath ga_auth
-     # Cookie validity period in seconds; no password is asked for again during this period
-     GoogleAuthCookieLife 3600
-     # Allowed clock drift between server and phone, in 30-second steps, in either direction
-     GoogleAuthEntryWindow 2
- </Directory>
Save and exit, and then run
- sudo a2enmod authn_google && sudo service apache2 restart
If no error is reported, mod_authn_google should now be working. If you access /secret, you will be prompted for a user name and password, but since we have not added any user yet, whatever you enter will be rejected.
IV. Add Authenticated Users
Each authenticated user generates an authentication file with the tool provided by Google Authenticator; the generated file is then copied to the directory named by GoogleAuthUserPath, such as /etc/apache2/ga_auth.
How to generate a new user with Google Authenticator is described in detail in the earlier article. In brief:
- Use the package manager to install the libpam-google-authenticator package. Taking Ubuntu Server as an example:
- sudo apt-get install libpam-google-authenticator
- If you have used Google Authenticator before, rename the existing ~/.google_authenticator file to keep a backup.
- Run the
- google-authenticator
command, scan the QR code shown on the screen with a phone that has Google Authenticator installed, and answer the few questions as prompted to generate a new ~/.google_authenticator file.
This produces a valid user. Copy the .google_authenticator file generated in the home directory to the /etc/apache2/ga_auth directory, naming it after the user name, and run
- sudo chmod 640 wzyboy && sudo chown root:www-data wzyboy
(replacing wzyboy with the corresponding user name) to set the file permissions so that Apache can read it. The user is now added. Repeat these steps for additional users, remembering to move aside the .google_authenticator file in the home directory each time.
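As an added example (not code from this page or from mod_authn_google itself), the following Python reads a user file in the layout google-authenticator produces, computes the TOTP codes the module compares against, and verifies a submitted code with a window parameter that plays the role of GoogleAuthEntryWindow. The user file contents are a constructed sample whose secret is the RFC 4226 test key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample in the ~/.google_authenticator layout: the first line is the
# base32 secret, lines starting with '"' are options, the remaining lines are
# emergency scratch codes. The secret is the RFC 4226 test key
# "12345678901234567890" encoded in base32.
SAMPLE_USER_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" TOTP_AUTH
11111111
22222222
"""

def load_secret(text):
    """Return the raw key bytes from the first line of a google-authenticator file."""
    first_line = text.splitlines()[0].strip()
    return base64.b32decode(first_line, casefold=True)

def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key, now, step=30):
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps since the epoch."""
    return hotp(key, int(now) // step)

def verify(key, code, now, window=2, step=30):
    """Accept `code` if it matches the current step or any step within +/- `window`
    steps of it; `window` behaves like the GoogleAuthEntryWindow directive above."""
    counter = int(now) // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate < 0:
            continue  # no valid step before the epoch
        if hmac.compare_digest(hotp(key, candidate), code):
            return True
    return False

if __name__ == "__main__":
    key = load_secret(SAMPLE_USER_FILE)
    print("code for this 30-second step:", totp(key, time.time()))
```

The value printed by the block matches what the phone app shows for the same secret at the same moment, which is a quick way to confirm a server's clock before blaming the module.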
V. Debugging and Error Detection
We recommend debugging in the browser's private (incognito) window to eliminate interference from cookies. If an error occurs, you can usually find the answer in /var/log/apache2/error.log.
Supplement: the pre-compiled builds of this module on Google Code have a bug and do not read the cookie. As a result, the log reports that the file /etc/apache2/ga_auth/(null) cannot be found. A funny workaround is to rename your user authentication file to (null), after which you can keep working with this bug: any user name is accepted, and only the password has to be correct. That has a special flavor of its own...... Via @jimmy_xu_wrk.
Via: http://wzyboy.im/post/869.html