Using one time passwords for securing login

Jens Bothe08. Dec 2011 | AdministrationUse cases

Sometimes the basic authentication provided by OTRS via database or LDAP is not enough for securing the access to an application. RFC 4226 describes the generation and usage of one time passwords and two way authentication.

To make OTRS using OTP for the login of the agents we need to install mod-authn-otp as apache auth module. After downloading and compiling the module we need to activate it in the apache configuration.

Now we’ll start with the configuration of OTRS to use the OTP mechanism. First we need to tell OTRS to use the authenitfication provided by the webserver.

In these lines need to be added:

# Basic Auth stuff for OTP
    $Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';

No, apache needs the information that for the otrs directory the auth module should be used. So we need to adjust the settings in the otrs.conf webserver config file:

    # set mod_perl2 options
    <Location /otrs>
        ErrorDocument 403 /otrs/
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv
        Order allow,deny
        Allow from all
        AuthType                basic
        AuthName                "Protected OTRS Area"
        AuthBasicProvider       OTP
        Require                 valid-user
        OTPAuthUsersFile        "/etc/otp-users/otp-users"
        OTPAuthMaxLinger        3600

You’ll find some documentation on the used parameters on the mod_authn-otp config page.

Now create the /etc/otp-users/otp-users file with the usernames, the PIN and the key:

HOTP    jb        1234   e942415c9e24768bb193f572fb272a3198def1a3

Don’t forget to change owner to the webserver user and make the directory writable for the webserver. (Also have a look at

You also should set the Lifetime of the OTRS Session to the same value as OTPAuthMaxLinger

Now you’ll need some software for your mobile phone to generate the OTP. I choosed OATH Token for the iPhone, but you’ll find some more here:

After configuring the app, you’ll be able to generate your OTP if needed:

Your email address will not be published. Required fields are marked *