tallefer / google-authenticator-apache-module Goto Github PK

What steps will reproduce the problem?
We have setup a Apache HTTPD reverse proxy with google-authenticator 2 factor 
authentication. We use the reverse proxy as a single point of access to several 
web applications under different subdomains. Currently there is no option to 
set the domain for the authentication cookie, it will use the default which is 
the host from the request. This means when the user authenticates with webapp1 
the cookie's domain will be webapp1.example.com. And when the user accesses 
webapp2 he'll need to re-authenticate. To avoid this we'd like to set the 
domain for the cookie to be example.com and this way the browser would send the 
cookie along with all requests to all of the webapps hosted in subdomains.

What is the expected output? What do you see instead?
I expect to have an option that allows to set the domain for the cookie.

What version of the product are you using? On what operating system?
Version: trunk, revision 22. OS: Ubuntu 14.04

Please provide any additional information below.

Apache allows passwords to be stored different ways - .htaccess file, database, 
LDAP, etc.

Our static passwords should do the same, as well as other things we store 
(codes).

Need to support use of scratch codes, and invalidation of codes after use

What steps will reproduce the problem?
1. Specify the location of the user authentication file in the apache 
configuration file as specified in the documentation for GoogleAuthUserPath to 
something like: /var/lib/www/ga_auth
2. Create a user file such as "[email protected]" in an incorrect 
directory such as /var/lib/www. So that it is 
/var/lib/www/[email protected].
3. At the Apache web authentication prompt, put as the username as 
../[email protected]
4. Enter the expected password and code in the password field.

What is the expected output? What do you see instead?
Expected response from the web server is to deny access and ignore the parent 
path specifier in the username, as no file of [email protected] exists 
in /var/lib/www/ga_auth as specified in GoogleAuthUserPath. However, login is 
successful and the file outside the specified GoogleAuthUserPath is read and 
accepted anyways.

What version of the product are you using? On what operating system?
R21 on CentOS 6.4 with Apache 2.2.15.

What steps will reproduce the problem?

I have installed the google-authenticator-apache-module following the online 
instructions.
When I try to log in the verification process fails because the module is 
failing passing the user name on file.

This is the error message from apache log:

**** PW AUTH at  T=********  user  "root"
(2)No such file or directory: check_password: Could not open password file: 
/etc/httpd/ga_auth/(null)
user root: authentication failure for "/admin/code/tce_edit_objects.php": 
Password Mismatch

instead of passing the user name is passing "(null)"!

I have temporarily fixed the problem by creating a file named "(null)" that 
works with any filename.

I'm using Scientific Linux 6.1 with Apache 2.2.15 and 
google-authenticator-apache-module GoogleAuthBinary_v01.bz2

Luckyjcell mentioned this in Issue #3, I am adding it as a separate bug.

There is a bug in the cookie parser, which makes it so that if the google_authn 
cookie is not the *first* token in the cookie string, it is not recognized. 
This will result in authentication not working when cookies are used on the 
page/site.

I have a fix ready and in testing - to be released soon.

Hi,

After loading module in apache and apache2 reload i have the following : 

apache2: Syntax error on line 145 of /etc/apache2/apache2.conf: Cannot load 
/etc/apache2/modules/mod_authn_google.so into server: 
/etc/apache2/modules/mod_authn_google.so: wrong ELF class: ELFCLASS64


I am on ubuntu server 10.04 any idear?

Regards

I've built the most recent revision: r10. However, I cannot seem to get this to 
work, and looking at the error log it says Secret Key is "(null)".  Here is my 
auth file:

NNJITK6UBX4EEKHH
" TOTP_AUTH
50039494
27219159
58297638
85255199
44013977

Here is the output:
[Fri Apr 05 02:51:08 2013] [error] [client 192.168.1.1] **** COOKIE AUTH at  
T=1365130268
[Fri Apr 05 02:51:08 2013] [error] [client 192.168.1.1] **** PW AUTH at  
T=1365130268  user  "ryan"
[Fri Apr 05 02:51:08 2013] [error] [client 192.168.1.1] Secret Key is "(null)" 
@ T=45504342
[Fri Apr 05 02:51:08 2013] [error] [client 192.168.1.1] Checking codes  @ 
T=45504342 "540324" vs.  "16740"
[Fri Apr 05 02:51:08 2013] [error] [client 192.168.1.1] Checking codes  @ 
T=45504342 "416549" vs.  "16740"
[Fri Apr 05 02:51:08 2013] [error] [client 192.168.1.1] Checking codes  @ 
T=45504342 "463812" vs.  "16740"
[Fri Apr 05 02:51:08 2013] [error] [client 192.168.1.1] Checking codes  @ 
T=45504342 "759680" vs.  "16740"
[Fri Apr 05 02:51:08 2013] [error] [client 192.168.1.1] Checking codes  @ 
T=45504342 "978939" vs.  "16740"
[Fri Apr 05 02:51:08 2013] [error] [client 192.168.1.1] Validating for  
"016740" Shared Key  "(null)"
[Fri Apr 05 02:51:08 2013] [error] [client 192.168.1.1] user ryan: 
authentication failure for "/phpmyadmin/": Password Mismatch
[Fri Apr 05 02:51:23 2013] [error] [client 192.168.1.1] **** COOKIE AUTH at  
T=1365130283
[Fri Apr 05 02:51:23 2013] [error] [client 192.168.1.1] **** PW AUTH at  
T=1365130283  user  "ryan"
[Fri Apr 05 02:51:23 2013] [error] [client 192.168.1.1] Secret Key is "(null)" 
@ T=45504342
[Fri Apr 05 02:51:23 2013] [error] [client 192.168.1.1] Checking codes  @ 
T=45504342 "540324" vs.  "379161"
[Fri Apr 05 02:51:23 2013] [error] [client 192.168.1.1] Checking codes  @ 
T=45504342 "416549" vs.  "379161"
[Fri Apr 05 02:51:23 2013] [error] [client 192.168.1.1] Checking codes  @ 
T=45504342 "463812" vs.  "379161"
[Fri Apr 05 02:51:23 2013] [error] [client 192.168.1.1] Checking codes  @ 
T=45504342 "759680" vs.  "379161"
[Fri Apr 05 02:51:23 2013] [error] [client 192.168.1.1] Checking codes  @ 
T=45504342 "978939" vs.  "379161"
[Fri Apr 05 02:51:23 2013] [error] [client 192.168.1.1] Validating for  
"379161" Shared Key  "(null)"
[Fri Apr 05 02:51:23 2013] [error] [client 192.168.1.1] user ryan: 
authentication failure for "/phpmyadmin/": Password Mismatch

I've been trying for the past couple hours now, and try to tweak the underlying 
code (I was able to hardcode the key as char *sharedKey=NNJITK6UBX4EEKHH; 
instead of NULL in ga_check_password), but as I'm not too familiar with C I was 
limited to what I could do.

I made a new auth file and scanned the code with a QR reader, so I know the 
settings on the phone are correct