Comments (11)

itemir commented on June 8, 2024

This means the auth script is not running for some reason. What do you get when you go to the apache_2fa directory and run the script from the command line?

~/apache_2fa$ ./auth

from apache_2fa.

bgedney commented on June 8, 2024

This is what I get when I run auth from the cli:

[bgedney@xxx apache_2fa]$ ./auth 
Traceback (most recent call last):
  File "./auth", line 50, in <module>
    with open(TOKEN_FILE, 'r') as f:
IOError: [Errno 13] Permission denied: '/opt/apache_2fa/tokens.json'

And these are my permissions:

[bgedney@xxx apache_2fa]$ ls -lZah
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   .
drwxr-xr-x. root   root   system_u:object_r:usr_t:s0       ..
-rw-r--r--. apache apache unconfined_u:object_r:usr_t:s0   2fa_demo.gif
-rw-r--r--. apache apache unconfined_u:object_r:usr_t:s0   apache_credentials
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   auth
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   .git
-rw-r--r--. apache apache unconfined_u:object_r:usr_t:s0   .gitignore
-rw-r--r--. apache apache unconfined_u:object_r:usr_t:s0   LICENSE
-rw-r--r--. apache apache unconfined_u:object_r:usr_t:s0   README.md
-rw-r--r--. apache apache unconfined_u:object_r:usr_t:s0   settings.py
drwxr-x---. apache apache unconfined_u:object_r:usr_t:s0   state
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   state_clean
-rw-r--r--. apache apache unconfined_u:object_r:usr_t:s0   template.html
-rw-r-----. apache apache unconfined_u:object_r:usr_t:s0   tokens.json
[bgedney@xxx apache_2fa]$ 

itemir commented on June 8, 2024

That looks correct, try it with sudo so it can open tokens.json and make sure it displays the following:

$ sudo ./auth
Content-type: text/html


Contact your administrator to obtain your 2FA secret.

Also try loosening the permissions temporarily (755 on all files) and see if it makes any difference.

Bottom line: the auth script is not running via cgid, possibly giving an error and exiting. We need to figure out what that error is; permissions are a potential cause.

bgedney commented on June 8, 2024

This is what happens when I sudo the auth script...

Traceback (most recent call last):
  File "/opt/apache_2fa/auth", line 51, in <module>
    secret = json.load(f)
  File "/usr/lib64/python2.7/json/__init__.py", line 290, in load
    **kw)
  File "/usr/lib64/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib64/python2.7/json/decoder.py", line 382, in raw_decode
    obj, end = self.scan_once(s, idx)
ValueError: Expecting , delimiter: line 3 column 3 (char 46)

I also did the 755 chmod to the directory...

bgedney commented on June 8, 2024

Well, this is embarrassing: I forgot a comma when I added my entry to tokens.json, and via the CLI I now get the expected output as mentioned above:

Content-type: text/html


Contact your administrator to obtain your 2FA secret.

But I still get a 500 error when I run it via apache.

The virtual host error log reads the same:

[Sat Aug 26 14:06:08.616928 2017] [cgid:error] [pid 9183] [client xxx.xxx.xxx.xxx:52551] End of script output before headers: auth

But the apache error log has a trace:

Traceback (most recent call last):
  File "/opt/apache_2fa/auth", line 61, in <module>
    token_gen = str(onetimepass.get_totp(user_secret))
  File "/usr/lib/python2.7/site-packages/onetimepass/__init__.py", line 169, in get_totp
    token_length=token_length,
  File "/usr/lib/python2.7/site-packages/onetimepass/__init__.py", line 115, in get_hotp
    raise TypeError('Incorrect secret')
TypeError: Incorrect secret

I realized my token was incorrectly configured. So I corrected that issue, and now I get a traceback with the following issue:

Traceback (most recent call last):
  File "/opt/apache_2fa/auth", line 75, in <module>
    with open(state_file, 'w+') as state:
IOError: [Errno 13] Permission denied: '/opt/apache_2fa/state/Aq0y5cuDT42WWwT6BVjMMEbViriFKdMrpO87aODIste8IxIqjpBFQrIYlAmYhbLqymXih9LzSNt3L9VLYDPqgodMNIXlDsCsNWkF0U'

itemir commented on June 8, 2024

Disregard the previous post (I deleted it), for some reason I only half processed your message.

Ok, you look closer. So, the /opt/apache_2fa/state directory needs to be owned by apache and needs to be writeable. Python cannot create a file in that directory; that is the reason for the error. Try making it world writeable first and make it more strict if it fixes the problem.

itemir commented on June 8, 2024

Any luck getting it to work?

bgedney commented on June 8, 2024

The directory is owned by apache, and is fully readable and writable by anyone....

[bgedney@xxx ~]$ ls -lahZ /opt/apache_2fa/
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   .
drwxr-xr-x. root   root   system_u:object_r:usr_t:s0       ..
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   2fa_demo.gif
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   apache_credentials
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   auth
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   .git
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   .gitignore
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   LICENSE
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   README.md
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   settings.py
-rwxr-xr-x. root   root   unconfined_u:object_r:usr_t:s0   settings.pyc
drwxrwxrwx. apache apache unconfined_u:object_r:usr_t:s0   state
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   state_clean
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   template.html
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   tokens.json

Still getting the same error in the httpd log...

Traceback (most recent call last):
  File "/opt/apache_2fa/auth", line 75, in <module>
    with open(state_file, 'w+') as state:
IOError: [Errno 13] Permission denied: '/opt/apache_2fa/state/ACy5z9jcNa8vZ7TrNxFBkVutDBQKxlyV5CftXfaCQq9bLJwPzafpSe9BE2Ez6RCG34ahXwgcA3O8Io8YUDU6FxyRQJ4grx6AVjn6no'

I ran sealerts on the system's audit log, and there are no related alerts...

itemir commented on June 8, 2024

It looks odd. It could be the parent directory as well, but I'm not too sure. It certainly is not a code issue though; something about the system is not allowing the code to write to that directory.

Worst case, modify both auth python code and Apache configuration to keep states in /tmp instead of /opt/apache_2fa.

itemir commented on June 8, 2024

One more thing: make sure you have execute permission on both /opt and /opt/apache_2fa before you go down the path of /tmp/

chmod +x /opt
chmod +x /opt/apache_2fa

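Added example (not part of the thread and not apache_2fa code): the permission check discussed above, walking every path component and evaluating the classic owner/group/other mode bits for a given user. The numeric uids, the mode of `/` and the helper names are assumptions; ACLs and SELinux policy are not evaluated, so a `None` result only means mode bits are not the blocker.

```python
import os
import stat
from types import SimpleNamespace

def allowed(st, uid, gids, want):
    """Classic Unix check: owner bits, else group bits, else other bits.
    `want` is a mask of 4 (read), 2 (write), 1 (execute/search).
    uid 0 bypasses read, write and directory-search checks."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & 7 & want) == want

def first_blocker(path, uid, gids, stat_fn=os.stat):
    """Return (directory, missing) for the first component that stops `uid`
    from creating a file in `path`, or None if mode bits permit it."""
    current, dirs = os.sep, [os.sep]
    for part in os.path.abspath(path).split(os.sep):
        if part:
            current = os.path.join(current, part)
            dirs.append(current)
    for d in dirs:
        # Ancestors need search (x); the final directory needs write + search.
        want = 3 if d == dirs[-1] else 1
        if not allowed(stat_fn(d), uid, gids, want):
            return d, "write+search" if want == 3 else "search"
    return None

# Constructed sample data modelled on the `ls -lZ` listings in the thread.
APACHE, BGEDNEY = 48, 1000          # assumed numeric ids
STATE = "/opt/apache_2fa/state"

def listing(state_mode):
    """Fake stat() for the thread's tree; `/` as root 0755 is an assumption."""
    def entry(mode, owner):
        return SimpleNamespace(st_mode=stat.S_IFDIR | mode, st_uid=owner, st_gid=owner)
    table = {"/": entry(0o755, 0), "/opt": entry(0o755, 0),
             "/opt/apache_2fa": entry(0o755, APACHE), STATE: entry(state_mode, APACHE)}
    return table.__getitem__

if __name__ == "__main__":
    print(first_blocker(STATE, BGEDNEY, {BGEDNEY}, listing(0o750)))
    print(first_blocker(STATE, APACHE, {APACHE}, listing(0o777)))
```

Called without `stat_fn`, `first_blocker` reads the real filesystem, so it can be pointed at the live state directory with the web server account's uid and gids.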

itemir commented on June 8, 2024

Closing the issue. Please re-open if you get more information.
