Comments (11)
This means the auth script is not running for some reason. What do you get when you go to the apache_2fa directory and run the script from the command line?
~/apache_2fa$ ./auth
from apache_2fa.
This is what I get when I run auth from the cli:
[bgedney@xxx apache_2fa]$ ./auth
Traceback (most recent call last):
File "./auth", line 50, in <module>
with open(TOKEN_FILE, 'r') as f:
IOError: [Errno 13] Permission denied: '/opt/apache_2fa/tokens.json'
And these are my permissions:
[bgedney@xxx apache_2fa]$ ls -lZah
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 .
drwxr-xr-x. root root system_u:object_r:usr_t:s0 ..
-rw-r--r--. apache apache unconfined_u:object_r:usr_t:s0 2fa_demo.gif
-rw-r--r--. apache apache unconfined_u:object_r:usr_t:s0 apache_credentials
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 auth
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 .git
-rw-r--r--. apache apache unconfined_u:object_r:usr_t:s0 .gitignore
-rw-r--r--. apache apache unconfined_u:object_r:usr_t:s0 LICENSE
-rw-r--r--. apache apache unconfined_u:object_r:usr_t:s0 README.md
-rw-r--r--. apache apache unconfined_u:object_r:usr_t:s0 settings.py
drwxr-x---. apache apache unconfined_u:object_r:usr_t:s0 state
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 state_clean
-rw-r--r--. apache apache unconfined_u:object_r:usr_t:s0 template.html
-rw-r-----. apache apache unconfined_u:object_r:usr_t:s0 tokens.json
[bgedney@xxx apache_2fa]$
from apache_2fa.
That looks correct, try it with sudo so it can open tokens.json and make sure it displays the following:
$ sudo ./auth
Content-type: text/html
Contact your administrator to obtain your 2FA secret.
Also try loosening the permissions temporarily (755 on all files) and see if it makes any difference.
Bottom line, auth script is not running via cgid, possibly giving an error and exiting. We need to figure out what that error is, permissions is a potential cause.
from apache_2fa.
This is what happens when I sudo the auth script...
Traceback (most recent call last):
File "/opt/apache_2fa/auth", line 51, in <module>
secret = json.load(f)
File "/usr/lib64/python2.7/json/__init__.py", line 290, in load
**kw)
File "/usr/lib64/python2.7/json/__init__.py", line 338, in loads
return _default_decoder.decode(s)
File "/usr/lib64/python2.7/json/decoder.py", line 366, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib64/python2.7/json/decoder.py", line 382, in raw_decode
obj, end = self.scan_once(s, idx)
ValueError: Expecting , delimiter: line 3 column 3 (char 46)
I also did the 755 chmod to the directory...
from apache_2fa.
Well, this is embarrassing - I forgot a comma when I added my entry to tokens.json, and via cli I now get the expected output as mentioned above:
Content-type: text/html
Contact your administrator to obtain your 2FA secret.
But I still get a 500 error when I run it via apache.
The virtual host error log reads the same:
[Sat Aug 26 14:06:08.616928 2017] [cgid:error] [pid 9183] [client xxx.xxx.xxx.xxx:52551] End of script output before headers: auth
But the apache error log has a trace:
Traceback (most recent call last):
File "/opt/apache_2fa/auth", line 61, in <module>
token_gen = str(onetimepass.get_totp(user_secret))
File "/usr/lib/python2.7/site-packages/onetimepass/__init__.py", line 169, in get_totp
token_length=token_length,
File "/usr/lib/python2.7/site-packages/onetimepass/__init__.py", line 115, in get_hotp
raise TypeError('Incorrect secret')
TypeError: Incorrect secret
I realized my token was incorrectly configured. So I corrected that issue, and now I get a traceback with the following issue:
Traceback (most recent call last):
File "/opt/apache_2fa/auth", line 75, in <module>
with open(state_file, 'w+') as state:
IOError: [Errno 13] Permission denied: '/opt/apache_2fa/state/Aq0y5cuDT42WWwT6BVjMMEbViriFKdMrpO87aODIste8IxIqjpBFQrIYlAmYhbLqymXih9LzSNt3L9VLYDPqgodMNIXlDsCsNWkF0U'
from apache_2fa.
Disregard the previous post (I deleted it), for some reason I only half processed your message.
Ok, you look closer. So, /opt/apache_2fa/state directory needs to be owned by apache and needs to be writeable. Python cannot create a file in that directory, that is the reason of the error. Try making it world writeable first and make it more strict if it fixes the problem.
from apache_2fa.
Any luck getting it to work?
from apache_2fa.
The directory is owned by apache, and is fully readable and writable by anyone....
[bgedney@xxx ~]$ ls -lahZ /opt/apache_2fa/
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 .
drwxr-xr-x. root root system_u:object_r:usr_t:s0 ..
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 2fa_demo.gif
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 apache_credentials
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 auth
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 .git
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 .gitignore
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 LICENSE
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 README.md
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 settings.py
-rwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 settings.pyc
drwxrwxrwx. apache apache unconfined_u:object_r:usr_t:s0 state
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 state_clean
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 template.html
-rwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 tokens.json
Still getting the same error in the httpd log...
Traceback (most recent call last):
File "/opt/apache_2fa/auth", line 75, in <module>
with open(state_file, 'w+') as state:
IOError: [Errno 13] Permission denied: '/opt/apache_2fa/state/ACy5z9jcNa8vZ7TrNxFBkVutDBQKxlyV5CftXfaCQq9bLJwPzafpSe9BE2Ez6RCG34ahXwgcA3O8Io8YUDU6FxyRQJ4grx6AVjn6no'
I ran sealerts on the system's audit log, and there are no related alerts...
from apache_2fa.
It looks odd. It could be the parent directory either but not too sure. It certainly is not a code issue though, something about the system not allowing the code to write to that directory.
Worst case, modify both auth python code and Apache configuration to keep states in /tmp instead of /opt/apache_2fa.
from apache_2fa.
One more thing: make sure you have execute permission on both /opt and /opt/apache_2fa before you go down the path of /tmp/
chmod +x /opt
chmod +x /opt/apache_2fa
from apache_2fa.
Closing the issue. Please re-open if you get more information.
from apache_2fa.
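The permission checks suggested in the comments above (execute on /opt and /opt/apache_2fa, write on the state directory), collected into one helper. This is an added example, not part of the original thread or the apache_2fa project; the function names are made up here, and it reads mode bits only, so ACLs and SELinux policy are not evaluated.

```shell
#!/bin/sh
# Added example (not from the apache_2fa project). Mode bits only:
# POSIX ACLs and SELinux policy are NOT evaluated. Needs GNU stat.

# class_bits MODE OWNER_UID OWNER_GID -> the rwx digit (owner, group or
# other) that applies to the account in $CHK_UID / $CHK_GIDS.
class_bits() {
    m="000$1"; m=${m#"${m%???}"}          # keep the last three octal digits
    if [ "$2" = "$CHK_UID" ]; then echo "${m%??}"; return; fi
    for g in $CHK_GIDS; do
        if [ "$3" = "$g" ]; then m=${m#?}; echo "${m%?}"; return; fi
    done
    echo "${m#??}"
}

# first_blocked ABS_DIR [USER]: prints "ok", or the first path component
# whose mode bits deny search (x), or deny write (w) on ABS_DIR itself.
first_blocked() {
    target=$1
    case $target in /*) ;; *) echo "need an absolute path"; return 2 ;; esac
    if [ -n "${2:-}" ]; then
        CHK_UID=$(id -u "$2"); CHK_GIDS=$(id -G "$2")
    else
        CHK_UID=$(id -u); CHK_GIDS=$(id -G)
    fi
    p=$target; chain=
    while :; do                           # list every component, / first
        chain="$p
$chain"
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    result=$(printf '%s' "$chain" | while IFS= read -r d; do
        set -- $(stat -L -c '%a %u %g' "$d" 2>/dev/null)
        [ $# -eq 3 ] || { echo "$d: cannot stat"; break; }
        bits=$(class_bits "$1" "$2" "$3")
        if [ $(( bits & 1 )) -eq 0 ]; then
            echo "$d: missing search (x)"; break
        fi
        if [ "$d" = "$target" ] && [ $(( bits & 2 )) -eq 0 ]; then
            echo "$d: missing write (w)"; break
        fi
    done)
    echo "${result:-ok}"
}

# Usage on the host from the thread (the account name "apache" is taken
# from the ls output above):
#   first_blocked /opt/apache_2fa/state apache
```

Because SELinux is ignored, an "ok" result on an enforcing host still leaves the file context shown by `ls -Z` to be checked separately.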