Gentoo Forums
standalone 2FA with Apache or PHP
Forum Index: Other Things Gentoo
Vieri
l33t


Joined: 18 Dec 2005
Posts: 820

Posted: Wed Aug 03, 2022 11:23 pm    Post subject: standalone 2FA with Apache or PHP

Hi,

I'm looking for a way to secure some web applications on my Apache/PHP Gentoo server.
I do not want to use a third-party cloud service, etc. I require a standalone solution much like the TOTP extension in Apache Guacamole which is Java for Apache Tomcat.

I would like to do the same with an Apache HTTP server (with or without PHP).
I currently only use LDAP in Apache with my corp AD to authenticate users.
Now I'd like to add a 2FA poor man's solution.

A quick search got me two candidates:

1) https://github.com/RobThree/TwoFactorAuth

2) https://github.com/itemir/apache_2fa#instruction
(example including LDAP auth: https://www.hallam.ch/blog/index.php/2020/01/13/apache-and-two-factor-authentication-2fa-using-ldap-accounts/)

The first solution requires PHP, but it seems to rely on an external service to generate a QR code. Why rely on an external URL to generate a QR code if there are quite a few PHP libs that can do this job? In any case, the QR code display is only a convenience for the user -- displaying the digits on-screen instead would be fine too.

The second solution requires Python (also onetimepass dependency via pip) and sys-auth/oath-toolkit, but it seems to be a no-frills simple 2FA solution. The only thing that's not implemented yet is a simple UI to enable new devices/users (to populate the tokens.json file).

Any suggestions?
alamahant
Advocate


Joined: 23 Mar 2019
Posts: 3027

Posted: Fri Aug 05, 2022 10:03 am

Why don't you use Kerberos?
There is a Kerberos module:
Code:

www-apache/mod_auth_kerb

Of course you will need to create a Kerberos database etc.
Please let me know, if you go down this path, how to modify your vhost to enable Kerberos authentication for users.
szatox
Advocate


Joined: 27 Aug 2013
Posts: 2384

Posted: Fri Aug 05, 2022 2:52 pm

You could use client-side certificates.
A reverse proxy can do the authentication and e.g. set HTTP request headers (remember to filter headers set by the client so the authentication wouldn't be bypassed) or even choose a different backend.
I'm pretty sure I've seen some guides for setting it up on HAProxy and nginx running as reverse proxy. Also, handling it at the proxy makes it largely application-independent. Like in: some applications are able to use the information supplied via HTTP headers to identify the user and skip their own login procedure, but uncooperative apps can still be shielded from the general public.
hdcg
Tux's lil' helper


Joined: 07 Apr 2013
Posts: 86

Posted: Fri Aug 05, 2022 7:41 pm

Hello Vieri,

I have ended up using:

https://github.com/authelia/authelia
An OAuth2 (as well as other protocols) server supporting 2FA via OTP (Google Authenticator) or YubiKey.

and

https://github.com/zmartzone/mod_auth_openidc
To enable generic OAuth2 authentication (for web services without native OAuth2 support).

I use Samba4/AD as a user backend.

Best Regards,
Holger
Vieri
l33t


Joined: 18 Dec 2005
Posts: 820

Posted: Thu Sep 22, 2022 12:12 pm

I'm now using spomky-labs/otphp for a pure PHP solution.

I have a few doubts though.

The user authenticates on my web site fine and is redirected to another page (still mine) where a 6-digit code needs to be provided for 2FA.
On this web page I only display an input text box -- no other info. In other words, I DO NOT want to display a QR code for user convenience because I'm supposing it wouldn't make much sense security-wise (if the user's credentials were to be stolen I wouldn't want an attacker to see the QR code which has the secret key).
So instead, what I'm trying to do is send the "secret key" via another route such as an SMS or an e-mail.
Supposedly, the user will view this "secret key" on his/her smartphone.
What I'd like is the user to be able to just tap on a link to open whichever OTP application he/she has installed.

I'm now sending an HTML e-mail with href="otpauth://totp/My%20MFA?secret=MYSECRETKEY" in the body and an SMS with the same link as simple text.
The user is unable to tap on either one and open an OTP app with it (such as Google Authenticator).

However, if from the same smartphone I scan a QR code of the otpauth url displayed on a desktop PC screen (say with an app such as ZXing's Barcode Scanner) then it is able to "open with" any OTP app I may have on the device.

In other words, otpauth:// links don't work as expected in e-mail clients, web browsers or SMS. Is there a workaround for this without having to develop my own Android app?
Hu
Moderator


Joined: 06 Mar 2007
Posts: 19296

Posted: Thu Sep 22, 2022 1:58 pm

The user receives the secret key at initial enrollment only, correct? If so, what is the harm in showing them a QR code onscreen, which they can then scan? If the initial enrollment is done by the attacker, how would this be less safe than what you are trying, where the attacker could supply his own e-mail address instead of the address of the user? Is the user's SMS/e-mail obtained out-of-band already, and an attacker cannot supply malicious values for those destinations?

Once the user has a 2FA secret, obtaining an on-screen QR code is no longer allowed, so an attacker cannot learn the secret later. Require the user to present a 2FA OTP in order to disable 2FA on the account, so an attacker cannot reset the 2FA secret without already knowing it. If the attacker knows that secret, the user has already lost.
Vieri
l33t


Joined: 18 Dec 2005
Posts: 820

Posted: Thu Sep 22, 2022 2:42 pm

Some implementations (actually, most) allow self-enrollment from anywhere. I decided for better or worse that enrollment should only be allowed within our private network after user authentication via LDAP. So yes, the QR code is displayed on the enrollment page both upon creating a new key and when revisiting to view the key again.

After the enrollment is done, the user can authenticate via LDAP on the web site and then be required to insert a 6-digit OTP *without* viewing the QR code again because I take it that during the enrollment process the user took care of saving the key in his/her device app. If the user forgot to do so, he/she will have to go back to the enrollment page via LAN to view the QR code again.

Is all this "correct" or "acceptable"?

If the enrollment were to be allowed on a public network or if the QR code were displayed on the web app site right after LDAP authentication (right when the user is asked for the 6-digit OTP) wouldn't that be a security risk?

The e-mail addresses and SMS numbers I'm using are not entered by the user in a web form -- they are loaded from a corporate DB.
In any case, I'm worried about phishing. For the sake of clarity, suppose a user is unknowingly a victim of phishing and his/her credentials are stolen.
If the attacker were to have access from the public network to the enrollment page with the stolen credentials, the secret OTP key could be retrieved and the attacker could have access to the web site. Same thing if the QR code were to be displayed on the web site after user LDAP auth.

However, having the enrollment page on the WAN is functionally better as it allows remote users either to enroll or to be reminded of their key. That's why I thought that maybe sending the key via an alternate route such as e-mail or SMS (hard-coded) instead of showing the QR code on-screen (for WAN access only -- LAN access would still show the code) could minimize risk somehow. Or maybe I'm stretching it too far...
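Added example, not part of this thread and not code from RobThree/TwoFactorAuth, itemir/apache_2fa, spomky-labs/otphp or Authelia: a standalone RFC 6238 TOTP verifier of the kind Vieri's first post asks for, combined with the enrollment rules Hu lays out and the last post worries about. The secret (as an otpauth:// provisioning URI, which is exactly what a QR code encodes) is handed out once at enrollment, the account only becomes active once the user proves the authenticator app holds the secret, and turning 2FA off or re-enrolling costs a valid code, so a phished password alone neither reveals nor replaces the secret. The code is Python rather than PHP so it can be run as-is; the LDAP first factor, Apache integration and e-mail/SMS delivery are out of scope. The class and function names, the in-memory account store, the issuer "My MFA", the fixed timestamps and the RFC 4226 test secret in the usage block are all assumptions made for the example.

```python
# Added example for this thread: standalone RFC 6238 TOTP verification plus the
# enrollment policy discussed above.  Not code from TwoFactorAuth, apache_2fa,
# otphp or Authelia; standard library only.  The in-memory store, issuer name,
# timestamps and secrets are constructed for the example.
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30      # time step in seconds (authenticator apps assume this by default)
DIGITS = 6
WINDOW = 1     # tolerate one step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238: HOTP with counter = unix_time // STEP."""
    return hotp(secret, at // STEP)


def otpauth_uri(issuer: str, account: str, secret: bytes) -> str:
    """Provisioning URI that authenticator apps read from a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer + ':' + account)}?secret={b32}"
            f"&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


class TotpAccount:
    """pending (secret handed out once) -> active (secret never shown again)."""

    def __init__(self):
        self.secret = None
        self.active = False
        self.last_counter = -1   # highest counter accepted so far: blocks replay

    def verify(self, code: str, at: int) -> bool:
        if self.secret is None or not (code.isascii() and code.isdigit()):
            return False
        now = at // STEP
        for counter in range(now - WINDOW, now + WINDOW + 1):
            if counter <= self.last_counter:
                continue         # already consumed (or older): a replayed code fails
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


class Enrollment:
    """Server rules: secret handed out once, confirm before activation, OTP to disable."""

    def __init__(self, issuer: str):
        self.issuer = issuer
        self.accounts = {}       # username -> TotpAccount (constructed in-memory store)

    def begin(self, user: str) -> str:
        """Fresh secret, returned exactly once.  Refused while 2FA is active, so a
        password alone (e.g. phished) cannot read or replace the existing secret."""
        acct = self.accounts.setdefault(user, TotpAccount())
        if acct.active:
            raise PermissionError("2FA already active; disable with a valid code first")
        acct.secret = secrets.token_bytes(20)   # 160-bit secret (RFC 4226 recommendation)
        acct.last_counter = -1
        return otpauth_uri(self.issuer, user, acct.secret)

    def confirm(self, user: str, code: str, at: int) -> bool:
        """Activate only once the user proves the app really holds the secret."""
        acct = self.accounts.get(user)
        if acct is None or acct.secret is None or not acct.verify(code, at):
            return False
        acct.active = True
        return True

    def second_factor(self, user: str, code: str, at: int) -> bool:
        """Called after the LDAP first factor has succeeded."""
        acct = self.accounts.get(user)
        return bool(acct and acct.active and acct.verify(code, at))

    def disable(self, user: str, code: str, at: int) -> bool:
        """Turning 2FA off (or re-enrolling) costs a valid OTP."""
        acct = self.accounts.get(user)
        if acct is None or not acct.active or not acct.verify(code, at):
            return False
        self.accounts[user] = TotpAccount()
        return True


if __name__ == "__main__":
    assert totp(b"12345678901234567890", 59) == "287082"   # RFC 6238 Appendix B vector
    print(Enrollment("My MFA").begin("alice"))             # shown once, e.g. as a QR on the LAN page
```

The `last_counter` check is the part most hand-rolled verifiers forget: without it a code captured by a phishing page stays valid for the whole drift window and can be replayed against the real site. The cost is that after a successful login the server will not accept a code from an earlier step, so a phone running one step behind has to wait for the next code; for a 30-second step that is the usual trade-off.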