Posted to users@httpd.apache.org by Tom Browder <to...@gmail.com> on 2016/01/11 13:21:05 UTC
[users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?
Anyone?
On Tuesday, January 5, 2016, Tom Browder <to...@gmail.com> wrote:
> First, Happy New Year, all!
>
> My site currently successfully uses client TLS certs. for access to
> its private area. I would like to add the capability of a one-time
> password sent to the user's e-mail to authenticate the user and then
> allow that user access to the private area for a limited time.
>
> I believe I know how to control the password and session handling, but
> how should the directory block in my httpd conf file look?
>
> My current directory configuration block for TLS only looks like this
> (Apache 2.4.16):
>
> <Directory ~ ".*/public/private">
> SSLOptions +StrictRequire
> SSLVerifyClient require
> SSLVerifyDepth 1
> # do NOT allow dir listings
> Options -Indexes
> </Directory>
>
> Is it possible to allow another authentication method to the above?
>
> If so, can anyone give me a secure example?
>
> Thanks so much.
>
> Best regards,
>
> -Tom
>
Re: [users@httpd] Re: Dual private access: allow use of either client
cert. or one-time password?
Posted by Daniel Gruno <hu...@apache.org>.
User is un-subbed from this list now...*sigh*
On 01/11/2016 02:39 PM, IdealGourmet wrote:
> DON'T SEND MORE EMAIL HERE!!
>
> -----Original message-----
> From: Tom Browder [mailto:tom.browder@gmail.com]
> Sent: Monday, 11 January 2016 14:34
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?
>
> On Mon, Jan 11, 2016 at 6:37 AM, Daniel Gruno <hu...@apache.org> wrote:
>> In short, see
>> https://serverfault.com/questions/577835/apache-ssl-certificate-and-basic-auth-combination-password-if-no-certificate
>> (longer email is pending moderation, I believe)
>
> Thanks, Daniel. My bad, I forgot to check there. It seems to answer most of my questions. I'll work on another strawman directory entry for critique.
>
> Best regards,
>
> -Tom
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?
Posted by IdealGourmet <in...@idealgourmet.es>.
DON'T SEND MORE EMAIL HERE!!
-----Original message-----
From: Tom Browder [mailto:tom.browder@gmail.com]
Sent: Monday, 11 January 2016 14:34
To: users@httpd.apache.org
Subject: Re: [users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?
On Mon, Jan 11, 2016 at 6:37 AM, Daniel Gruno <hu...@apache.org> wrote:
> In short, see
> https://serverfault.com/questions/577835/apache-ssl-certificate-and-basic-auth-combination-password-if-no-certificate
> (longer email is pending moderation, I believe)
Thanks, Daniel. My bad, I forgot to check there. It seems to answer most of my questions. I'll work on another strawman directory entry for critique.
Best regards,
-Tom
Re: [users@httpd] Re: Dual private access: allow use of either client
cert. or one-time password?
Posted by Tom Browder <to...@gmail.com>.
On Mon, Jan 11, 2016 at 6:37 AM, Daniel Gruno <hu...@apache.org> wrote:
> In short, see https://serverfault.com/questions/577835/apache-ssl-certificate-and-basic-auth-combination-password-if-no-certificate (longer email is pending moderation, I believe)
Thanks, Daniel. My bad, I forgot to check there. It seems to answer
most of my questions. I'll work on another strawman directory entry
for critique.
Best regards,
-Tom
Re: [users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?
Posted by Daniel Gruno <hu...@apache.org>.
In short, see https://serverfault.com/questions/577835/apache-ssl-certificate-and-basic-auth-combination-password-if-no-certificate (longer email is pending moderation, I believe)
With belated regards,
Daniel
On 2016-01-11 13:21, Tom Browder <to...@gmail.com> wrote:
> Anyone?
>
> On Tuesday, January 5, 2016, Tom Browder <to...@gmail.com> wrote:
>
> > First, Happy New Year, all!
> >
> > My site currently successfully uses client TLS certs. for access to
> > its private area. I would like to add the capability of a one-time
> > password sent to the user's e-mail to authenticate the user and then
> > allow that user access to the private area for a limited time.
> >
> > I believe I know how to control the password and session handling, but
> > how should the directory block in my httpd conf file look?
> >
> > My current directory configuration block for TLS only looks like this
> > (Apache 2.4.16):
> >
> > <Directory ~ ".*/public/private">
> > SSLOptions +StrictRequire
> > SSLVerifyClient require
> > SSLVerifyDepth 1
> > # do NOT allow dir listings
> > Options -Indexes
> > </Directory>
> >
> > Is it possible to allow another authentication method to the above?
> >
> > If so, can anyone give me a secure example?
> >
> > Thanks so much.
> >
> > Best regards,
> >
> > -Tom
> >
>
Re: [users@httpd] Re: Dual private access: allow use of either client
cert. or one-time password?
Posted by Daniel Gruno <hu...@apache.org>.
My actual reply is stuck in moderation, as I sent it from the wrong address.
Have patience, it'll be there soon enough :)
On 01/11/2016 01:21 PM, Tom Browder wrote:
> Anyone?
>
> On Tuesday, January 5, 2016, Tom Browder <tom.browder@gmail.com> wrote:
>
> First, Happy New Year, all!
>
> My site currently successfully uses client TLS certs. for access to
> its private area. I would like to add the capability of a one-time
> password sent to the user's e-mail to authenticate the user and then
> allow that user access to the private area for a limited time.
>
> I believe I know how to control the password and session handling, but
> how should the directory block in my httpd conf file look?
>
> My current directory configuration block for TLS only looks like this
> (Apache 2.4.16):
>
> <Directory ~ ".*/public/private">
> SSLOptions +StrictRequire
> SSLVerifyClient require
> SSLVerifyDepth 1
> # do NOT allow dir listings
> Options -Indexes
> </Directory>
>
> Is it possible to allow another authentication method to the above?
>
> If so, can anyone give me a secure example?
>
> Thanks so much.
>
> Best regards,
>
> -Tom
>
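Added example, not part of the thread and not taken from the linked answer: one way the original TLS-only directory block can accept either a verified client certificate or a second authentication method on Apache 2.4. Basic authentication stands in here for the poster's own one-time-password and session handling; the realm name and AuthUserFile path are hypothetical.

```apache
# Added example. Basic auth is a stand-in for the site's own
# one-time-password/session check; the realm and file path are hypothetical.
<Directory ~ ".*/public/private">
    # Never serve this area (or accept a password) over plain HTTP
    SSLRequireSSL
    SSLOptions +StrictRequire

    # "require" rejects clients without a certificate before authorization
    # runs, so a fallback method would never be reached. "optional" asks
    # for a certificate but lets the request continue without one.
    SSLVerifyClient optional
    SSLVerifyDepth 1

    # do NOT allow dir listings
    Options -Indexes

    # Second method, used when no verified certificate was presented
    AuthType Basic
    AuthName "Private area"
    AuthBasicProvider file
    AuthUserFile "/path/to/htpasswd"

    # With "optional", this block is the only gate on the directory.
    # Without it, access falls back to whatever Require rules are inherited.
    <RequireAny>
        # Granted only if mod_ssl verified the client certificate
        Require ssl-verify-client
        # Otherwise the client must authenticate with the second method
        Require valid-user
    </RequireAny>
</Directory>
```

Running `apachectl configtest` after the change catches syntax errors; requesting the area once with a certificate and once without confirms that the certificate-less client is challenged rather than admitted.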