Hardening Apache with Google Authenticator

The previous post showed how to harden sshd with Google Authenticator. In fact, Google Authenticator's one-time codes have a very wide range of uses and are by no means limited to sshd. They can also be applied to vsftpd, lightdm, screen, xscreen, su, sudo, samba and so on: any service that goes through a PAM module (list /etc/pam.d to see which ones) can have Google's one-time-code check added in front of its own authentication. The configuration is the same as for sshd; restart the service afterwards for the change to take effect.

Is Google Authenticator limited to PAM-based applications, then? Certainly not. It can also be used on the web side, and the principle is just as simple: it works much like the SSH case, except that what gets built is an Apache module. That module is used in roughly the same way as mod_auth_basic or mod_auth_digest for authentication. Enough talk; the important part is the actual steps.

1. Installing the mod_authn_google module

The project is hosted at:

https://code.google.com/p/google-authenticator-apache-module/downloads/list

[Image: google-auth-for-apache.png, the project's download list (https://www.361way.com/wp-content/uploads/2013/01/google-auth-for-apache.png)]

As shown in the image above, choose the download built for Apache. Once the download completes, do not unpack and install it as is, because this version has a bug: one of its files, mod_authn_google.c, must be replaced first.

[root@localhost tmp]# tar jxvf GoogleAuthApacheModule_v01.bz2
google-authenticator-apache-module/base32.c
google-authenticator-apache-module/base32.h
google-authenticator-apache-module/googleauth.conf
google-authenticator-apache-module/hmac.c
google-authenticator-apache-module/hmac.h
google-authenticator-apache-module/Makefile
google-authenticator-apache-module/mod_authn_google.c
google-authenticator-apache-module/README
google-authenticator-apache-module/sha1.c
google-authenticator-apache-module/sha1.h
[root@localhost tmp]# cd google-authenticator-apache-module/
[root@localhost google-authenticator-apache-module]# ll
总计 60
-rw-r--r-- 1 www www  2477 2011-04-30 base32.c
-rw-r--r-- 1 www www  1391 2011-04-30 base32.h
-rw-r--r-- 1 www www  1655 2011-04-30 googleauth.conf
-rw-r--r-- 1 www www  2495 2011-04-30 hmac.c
-rw-r--r-- 1 www www   919 2011-04-30 hmac.h
-rw-r--r-- 1 www www   287 2011-04-30 Makefile
-rw-r--r-- 1 www www 15370 2011-04-30 mod_authn_google.c   // note: this file must be replaced before building.
-rw-r--r-- 1 www www  1478 2011-04-30 README
-rw-r--r-- 1 www www 10966 2011-04-30 sha1.c
-rw-r--r-- 1 www www  1195 2011-04-30 sha1.h
[root@localhost google-authenticator-apache-module]# make &&make install

After make install finishes, you may see an error like the following:

sudo cp .libs/mod_authn_google.so /usr/local/apache2/modules/
cp: 无法创建一般文件“/usr/local/apache2/modules/”: 没有那个文件或目录
make: *** [install] 错误 1

This error does not matter: the author did not build the module on CentOS/RedHat (or perhaps built Apache from source), so ignore it. Instead, install and register the module with the apxs script that ships with the system (on some distributions it is called apxs2; the tool copies the module into Apache's module directory for you).

apxs -i -a -n authn_google mod_authn_google.so

The parameters mean:

-i  install

-a  automatically add a LoadModule line so the module is loaded

-n authn_google  the name of the module after installation

mod_authn_google.so  the module file obtained above

This can also be done by hand (the two steps below have the same effect as the apxs install above): first copy the module file

cp .libs/mod_authn_google.so /etc/httpd/modules/

then open httpd.conf and add the following line (the path must match the directory the .so was copied to):

LoadModule authn_google_module /etc/httpd/modules/mod_authn_google.so

2. Apache configuration

Modify the configuration of the virtual host that should use Google authentication as follows (the directives go inside a <Directory> block for the protected path):

Alias /testlink "/var/www/html/testlink"
<Directory "/var/www/html/testlink">
    Options FollowSymLinks Indexes ExecCGI
    # allow a .htaccess file in each directory to override these settings
    AllowOverride All
    Order deny,allow
    Allow from all
    AuthType Basic
    # prompt shown in the browser's login dialog
    AuthName "Secret"
    AuthBasicProvider "google_authenticator"
    Require valid-user
    # directory holding the per-user secret files
    GoogleAuthUserPath /tmp/googletest
    # cookie lifetime in seconds; no password prompt again within this time
    GoogleAuthCookieLife 3600
    # tolerated clock skew when clocks are out of sync, in 30-second steps, in either direction
    GoogleAuthEntryWindow 2
</Directory>

3. Configuring user authentication

Install the google-authenticator command as described in "Hardening ssh with Google Authenticator"; alternatively, copy a generated ~/.google_authenticator file from another machine that has the command. Store it under the path given in the configuration above, the /tmp/googletest directory in this example (never do this in production: /tmp is a directory for temporary files, and ordinary users normally have write access to it).

cp ~/.google_authenticator /tmp/googletest/361way
chmod 640 /tmp/googletest/361way   // prevent other users from modifying the file
chown root:apache /tmp/googletest/361way   // give the apache group read access to the file

Note: the file name is the user name to enter when the page opens, and the password is the Google one-time code. Several users can be created the same way.
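To make clear what the module actually checks against the secret file from section 3, and what GoogleAuthEntryWindow 2 means in the configuration from section 2, here is an added illustration written for this post (it is not code from the module or from the original article). It parses the ~/.google_authenticator file format (base32 secret on the first line, option lines starting with a double quote, then scratch codes), computes RFC 6238 TOTP codes with HMAC-SHA1, and accepts a code if it matches any 30-second step within plus or minus the configured window. The sample file content is constructed for the example and uses the RFC 6238 test key, so the expected codes are the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time


def parse_secret_file(text):
    """Parse the ~/.google_authenticator format: first line is the base32
    secret, lines starting with a double quote are options, the rest are
    one-time scratch codes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret = lines[0]
    options, scratch = [], []
    for ln in lines[1:]:
        if ln.startswith('"'):
            options.append(ln.lstrip('" ').strip())
        else:
            scratch.append(ln)
    return secret, options, scratch


def decode_base32(secret):
    """The secret file stores the key without base32 padding; add it back."""
    secret = secret.strip().upper()
    secret += "=" * (-len(secret) % 8)
    return base64.b32decode(secret)


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(key, int(unix_time) // step, digits)


def verify_code(secret_b32, code, unix_time=None, window=2, step=30):
    """Accept `code` if it matches the TOTP of any step within +/- `window`
    steps of `unix_time`; this is the tolerance GoogleAuthEntryWindow sets.
    Comparison is constant-time so the check does not leak how many digits
    matched."""
    if unix_time is None:
        unix_time = time.time()
    key = decode_base32(secret_b32)
    counter = int(unix_time) // step
    for c in range(max(counter - window, 0), counter + window + 1):
        if hmac.compare_digest(hotp(key, c), code):
            return True
    return False


# Constructed sample file (not a real secret): the RFC 6238 test key
# "12345678901234567890" in base32, with typical option lines and scratch codes.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

if __name__ == "__main__":
    secret, options, scratch = parse_secret_file(SAMPLE_FILE)
    print("options:", options)
    print("scratch codes:", scratch)
    key = decode_base32(secret)
    now = time.time()
    code = totp(key, now)
    print("current code:", code)
    print("accepted now:", verify_code(secret, code, now))
    # A code three steps old is outside a window of two and must be rejected.
    print("accepted 90 s later:", verify_code(secret, code, now + 3 * 30))
```

A larger GoogleAuthEntryWindow tolerates more clock drift but also widens the set of codes accepted at any moment, so keep it as small as the clients' clocks allow; the module's own hashing of the cookie it sets afterwards is not reproduced here, since the article does not document it.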

4. Possible errors

Error 1:

[root@localhost modules]# /etc/init.d/httpd restart
停止 httpd:                                               [确定]
启动 httpd:httpd: Syntax error on line 206 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib64/httpd/modules/mod_authn_google.so into server: /usr/lib64/httpd/modules/mod_authn_google.so: ELF file OS ABI invalid

The cause of this error is simple: laziness. The precompiled module offered on the project's wiki page was used directly, and the Linux environment it was compiled in may differ from ours, which produces this error. Download the source code and recompile it instead.

Error 2 (seen in the Apache error log):

Cookie in header: "(null)"
**** PW AUTH at  T=1357464913  user  "aaa"
(2)No such file or directory: check_password: Could not open password file: /tmp/googletest/(null)
user aa: authentication failure for "/testlink/": Password Mismatch

This happens when the buggy file mentioned above was not replaced. Renaming the password file to "(null)" makes it work, but a bug remains: any user name is accepted, although the one-time code still has to be correct or authentication fails.

Notes:

After the bug is fixed, the authentication log is also written to Apache's error_log; the access log does not record it. It looks like this:

**** COOKIE AUTH at  T=1357464923
Cookie in header: "google_authn=361way:1357468521:2a26GUrnKDk8+Zp8wD37jGa3+5A=:"
Found cookie Expires "1357468521" Valid "2a26GUrnKDk8+Zp8wD37jGa3+5A="
Match cookie "2a26GUrnKDk8+Zp8wD37jGa3+5A=" vs  "2a26GUrnKDk8+Zp8wD37jGa3+5A="
User 361way auth granted from cookie
Created cookie expires 1357469123 (time = 3600) hash is AoVthaJtnVbRSy3TjwpuHdhoawI= Cookie: google_authn=361way:1357469123:AoVthaJtnVbRSy3TjwpuHdhoawI=:

This post draws on the following material:

https://wzyboy.im/post/869.html  (installation steps for Ubuntu)

https://code.google.com/p/google-authenticator-apache-module/issues/detail?id=3 (the module's wiki page)

17 comments on "Hardening Apache with Google Authenticator"

  1. You actually make it seem so easy with your presentation but I find this topic to be really something that I think I would never understand. It seems too complicated and extremely broad for me. I am looking forward for your next post, I’ll try to get the hang of it!

  2. I like the helpful info you supply on your articles. I’ll bookmark your blog and take a look at again right here frequently. I am rather certain I’ll learn a lot of new stuff right here! Best of luck for the following!

  3. I’m curious to find out what blog system you have been working with? I’m having some minor security problems with my latest website and I’d like to find something more safeguarded. Do you have any suggestions?

  4. Hi, I think your website might be having browser compatibility issues. When I look at your website in Safari, it looks fine but when opening in Internet Explorer, it has some overlapping. I just wanted to give you a quick heads up! Other than that, superb blog!

  5. Excellent way of describing, and good post to obtain data concerning my presentation focus, which i am going to present in university.

  6. Hi my loved one! I want to say that this article is awesome, nice written and include approximately all vital infos. I’d like to peer more posts like this .

  7. These are actually impressive ideas in regarding blogging. You have touched some fastidious points here. Any way keep up writing.

  8. Every weekend i used to pay a quick visit this site, as i want enjoyment, for the reason that this web site contains in fact fastidious funny material too.

  9. What’s up to every single one, it’s in fact a nice for me to go to see this web site, it contains priceless Information.

  10. First of all I want to say wonderful blog! I had a quick question which I’d like to ask if you don’t mind.
    I was interested to find out how you center yourself and clear your thoughts prior to writing.
    I’ve had a difficult time clearing my mind in getting my ideas out there. I do take pleasure in writing however it just seems like the first 10 to 15 minutes are generally lost simply just trying to figure out how to begin. Any recommendations or tips? Many thanks!

  11. I’m not sure where you’re getting your info, but good topic. I need to spend some time learning more or understanding more. Thanks for great information I was looking for this info for my mission.

  12. Hi there very nice web site!! Guy .. Beautiful .. Wonderful .. I will bookmark your web site and take the feeds also? I am glad to seek out numerous useful information right here in the submit, we need work out extra strategies on this regard, thanks for sharing. . . . . .

  13. Hello! I could have sworn I’ve been to this website before but after reading through some of the post I realized it’s new to me. Anyhow, I’m definitely delighted I found it and I’ll be book-marking and checking back frequently!

  14. I seriously love your website.. Very nice colors & theme. Did you make this web site yourself? Please reply back as I’m planning to create my very own blog and would like to learn where you got this from or just what the theme is called. Many thanks!

    1. Yes, I did it myself. The theme is called inove_white, but I changed some things in this theme.
