Using one time passwords for securing login
Jens Bothe, 08. Dec 2011 | Administration, Use cases
Disclaimer:
The practical examples presented in our technical blog (blog.otrs.com) and now in the expert category in our FAQ blog section serve as a source of ideas and documentation to show what is theoretically possible with OTRS in concrete scenarios or sometimes even for more exotic configurations. All configurations presented here were developed under laboratory conditions as a proof of concept.
We can only guarantee testing and implementation of these concepts to be error-free and productive if implemented in a workshop with one of our OTRS consultants. Without this, the responsibility lies with the customer himself. Please note that configurations from older OTRS versions may not work in the newer ones.
Sometimes the basic authentication that OTRS provides via database or LDAP is not enough to secure access to an application. RFC 4226 describes the generation and use of HMAC-based one-time passwords (HOTP), which can serve as a second factor for two-factor authentication.
To make OTRS use OTP for agent login, we need to install mod-authn-otp as an Apache authentication module. After downloading and compiling the module, we need to activate it in the Apache configuration.
Now we'll start with the configuration of OTRS to use the OTP mechanism. First we need to tell OTRS to use the authentication provided by the webserver.
In Config.pm these lines need to be added:
# Basic Auth stuff for OTP
$Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';
Now Apache needs the information that the auth module should be used for the otrs directory. So we need to adjust the settings in the otrs.conf webserver config file:
# set mod_perl2 options
<Location /otrs>
    ErrorDocument 403 /otrs/index.pl
    SetHandler perl-script
    PerlResponseHandler ModPerl::Registry
    Options +ExecCGI
    PerlOptions +ParseHeaders
    PerlOptions +SetupEnv
    Order allow,deny
    Allow from all
    AuthType basic
    AuthName "Protected OTRS Area"
    AuthBasicProvider OTP
    Require valid-user
    OTPAuthUsersFile "/etc/otp-users/otp-users"
    OTPAuthMaxLinger 3600
</Location>
You'll find documentation on the parameters used on the mod-authn-otp configuration page.
Now create the /etc/otp-users/otp-users file with the token type, the usernames, the PIN and the key (one user per line):
HOTP jb 1234 e942415c9e24768bb193f572fb272a3198def1a3
Don't forget to change the owner to the webserver user and make the directory writable for the webserver, because mod-authn-otp writes each user's counter state back into this file after a successful login. (Also have a look at http://code.google.com/p/mod-authn-otp/wiki/UsersFile)
You should also set the lifetime of the OTRS session to the same value as OTPAuthMaxLinger, so that the OTRS session does not outlive the period for which the module accepts the last OTP.
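To make the mechanism concrete, here is an added example (not code from the article or from mod-authn-otp) that implements HOTP as specified in RFC 4226 and verifies a login against a users-file line in the same four-field layout shown above. It assumes the password is entered as the PIN followed by the OTP, a constructed users file using the RFC 4226 test key instead of the article's key, and a look-ahead window of 10 counter values; the module's own state fields and parameters are not modelled.

```python
import hashlib
import hmac
import struct

# Constructed users file in the four-field layout the article shows
# (type, username, PIN, hex key). The key is the RFC 4226 test-vector
# key "12345678901234567890" in hex, not the article's key.
SAMPLE_USERS_FILE = """
# type user PIN key
HOTP jb 1234 3132333435363738393031323334353637383930
"""


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def parse_users_file(text: str) -> dict:
    """Read the four leading fields per HOTP user. The real module appends
    usage state to each line after a login; this example starts every counter at 0."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#") or fields[0] != "HOTP":
            continue
        _, name, pin, hexkey = fields[:4]
        users[name] = {"pin": pin, "key": bytes.fromhex(hexkey), "counter": 0}
    return users


def verify(users: dict, name: str, password: str, window: int = 10) -> bool:
    """Check 'PIN followed by OTP' (the input form assumed here).
    Accept the next `window` counter values so a few unused OTPs do not lock
    the user out, then move the counter past the used value to block replay."""
    user = users.get(name)
    if user is None:
        return False
    pin = user["pin"]
    if not hmac.compare_digest(password[:len(pin)], pin):
        return False
    otp = password[len(pin):]
    for counter in range(user["counter"], user["counter"] + window):
        if hmac.compare_digest(hotp(user["key"], counter), otp):
            user["counter"] = counter + 1
            return True
    return False
```

The test vectors from RFC 4226 Appendix D (755224, 287082, ... for counters 0, 1, ...) can be used to confirm the generator, and a second submission of an already-used OTP must be rejected.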
Now you'll need some software on your mobile phone to generate the OTP. I chose OATH Token for the iPhone, but you'll find some more here: http://code.google.com/p/mod-authn-otp/wiki/Tokens
After configuring the app, you’ll be able to generate your OTP if needed: