Using one time passwords for securing login
Jens Bothe | 08 Dec 2011 | Administration, Use cases
Sometimes the basic authentication that OTRS provides via database or LDAP is not enough to secure access to an application. RFC 4226 describes the generation and validation of one time passwords (HOTP), which can be used as a second authentication factor.
To make OTRS use OTP for the agent login we need to install mod-authn-otp as an Apache auth module. After downloading and compiling the module we need to activate it in the Apache configuration.
Now we'll start with the configuration of OTRS to use the OTP mechanism. First we need to tell OTRS to use the authentication provided by the webserver.
In Config.pm these lines need to be added:
    # Basic Auth stuff for OTP
    $Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';
Now Apache needs to know that the auth module should be used for the otrs directory, so we need to adjust the settings in the otrs.conf webserver config file:
    # set mod_perl2 options
    <Location /otrs>
        ErrorDocument 403 /otrs/index.pl
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv
        Order allow,deny
        Allow from all
        AuthType basic
        AuthName "Protected OTRS Area"
        AuthBasicProvider OTP
        Require valid-user
        OTPAuthUsersFile "/etc/otp-users/otp-users"
        OTPAuthMaxLinger 3600
    </Location>
You'll find documentation on the parameters used on the mod-authn-otp config page.
Now create the /etc/otp-users/otp-users file with the usernames, the PIN and the key (one user per line, here the sample user jb):
    HOTP jb 1234 e942415c9e24768bb193f572fb272a3198def1a3
Don't forget to change the owner to the webserver user and make the directory writable for the webserver, since the module has to update the counter state in this file. (Also have a look at http://code.google.com/p/mod-authn-otp/wiki/UsersFile)
You should also set the lifetime of the OTRS session to the same value as OTPAuthMaxLinger.
Now you'll need some software for your mobile phone to generate the OTP. I chose OATH Token for the iPhone, but you'll find some more here: http://code.google.com/p/mod-authn-otp/wiki/Tokens
After configuring the app, you'll be able to generate your OTP whenever you need one: