Posted to users@httpd.apache.org by Tom Browder <to...@gmail.com> on 2016/01/05 15:23:14 UTC

[users@httpd] Dual private access: allow use of either client cert. or one-time password?

First, Happy New Year, all!

My site currently successfully uses client TLS certs. for access to
its private area. I would like to add the capability of a one-time
password sent to the user's e-mail to authenticate the user and then
allow that user access to the private area for a limited time.

I believe I know how to control the password and session handling, but
how should the directory block in my httpd conf file look?

My current directory configuration block for TLS only looks like this
(Apache 2.4.16):

  <Directory ~ ".*/public/private">
   SSLOptions +StrictRequire
   SSLVerifyClient require
   SSLVerifyDepth 1
   # do NOT allow dir listings
   Options -Indexes
  </Directory>

Is it possible to allow another authentication method to the above?

If so, can anyone give me a secure example?

Thanks so much.

Best regards,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
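One way to express the "either a verified client certificate or a password" rule in Apache 2.4's authorization syntax, added here as an illustration and not taken from the thread or from the answer Daniel links to later. The directive names are real mod_ssl and mod_auth_basic directives; the htpasswd path, the AuthName and the assumption that the one-time password is written into and expired out of that file by some process outside httpd are placeholders of this example.

```apache
# Added example (not configuration from the thread): accept EITHER a verified
# client certificate OR a valid username/password for the private area.
# Paths and names are placeholders.
<Directory ~ ".*/public/private">
    # Request a client certificate but do not fail the TLS handshake when the
    # browser has none; the allow/deny decision moves to <RequireAny> below.
    # (Per-directory SSLVerifyClient makes mod_ssl renegotiate, exactly as the
    # original "require" setting already does.)
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StrictRequire
    # Never let the Basic credentials travel over plain HTTP.
    SSLRequireSSL

    # Second path: HTTP Basic auth against a file maintained with htpasswd.
    # A one-time-password workflow would add the user's temporary entry to this
    # file (or to a database via mod_authn_dbd) and remove it when the window
    # closes; httpd enforces only "the entry exists right now", not the expiry.
    AuthType Basic
    AuthName "Private area"
    AuthBasicProvider file
    AuthUserFile "/etc/httpd/private.htpasswd"   # placeholder path

    <RequireAny>
        # Satisfied only when a certificate was presented AND verified against
        # SSLCACertificateFile; with "optional" a missing cert simply fails this
        # branch instead of aborting the handshake.
        Require ssl-verify-client
        # Satisfied when Basic credentials match an entry in AuthUserFile.
        Require valid-user
    </RequireAny>

    # do NOT allow dir listings
    Options -Indexes
</Directory>
```

With this block a browser that presents a valid certificate is admitted by the first branch and never sees a password prompt; one without a certificate receives a 401 challenge and is admitted only while its entry is present in the password file. Keep `SSLVerifyClient` at `optional`, not `optional_no_ca`: the latter would let `Require ssl-verify-client` succeed for a certificate that does not chain to your CA.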


Re: [users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?

Posted by Daniel Gruno <hu...@apache.org>.
User is un-subbed from this list now...*sigh*

On 01/11/2016 02:39 PM, IdealGourmet wrote:
> DON'T SEND MORE EMAIL HERE!!
> 
> -----Original Message-----
> From: Tom Browder [mailto:tom.browder@gmail.com]
> Sent: Monday, 11 January 2016 14:34
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?
> 
> On Mon, Jan 11, 2016 at 6:37 AM, Daniel Gruno <hu...@apache.org> wrote:
>> In short, see
>> https://serverfault.com/questions/577835/apache-ssl-certificate-and-basic-auth-combination-password-if-no-certificate
>> (longer email is pending moderation, I believe)
> 
> Thanks, Daniel.  My bad, I forgot to check there.  It seems to answer most of my questions.  I'll work on another strawman directory entry for critique.
> 
> Best regards,
> 
> -Tom
> 


RE: [users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?

Posted by IdealGourmet <in...@idealgourmet.es>.
DON'T SEND MORE EMAIL HERE!!

-----Original Message-----
From: Tom Browder [mailto:tom.browder@gmail.com]
Sent: Monday, 11 January 2016 14:34
To: users@httpd.apache.org
Subject: Re: [users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?

On Mon, Jan 11, 2016 at 6:37 AM, Daniel Gruno <hu...@apache.org> wrote:
> In short, see
> https://serverfault.com/questions/577835/apache-ssl-certificate-and-basic-auth-combination-password-if-no-certificate
> (longer email is pending moderation, I believe)

Thanks, Daniel.  My bad, I forgot to check there.  It seems to answer most of my questions.  I'll work on another strawman directory entry for critique.

Best regards,

-Tom



Re: [users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?

Posted by Tom Browder <to...@gmail.com>.
On Mon, Jan 11, 2016 at 6:37 AM, Daniel Gruno <hu...@apache.org> wrote:
> In short, see https://serverfault.com/questions/577835/apache-ssl-certificate-and-basic-auth-combination-password-if-no-certificate (longer email is pending moderation, I believe)

Thanks, Daniel.  My bad, I forgot to check there.  It seems to answer
most of my questions.  I'll work on another strawman directory entry
for critique.

Best regards,

-Tom



Re: [users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?

Posted by Daniel Gruno <hu...@apache.org>.
In short, see https://serverfault.com/questions/577835/apache-ssl-certificate-and-basic-auth-combination-password-if-no-certificate (longer email is pending moderation, I believe)

With belated regards,
Daniel

On 2016-01-11 13:21, Tom Browder <to...@gmail.com> wrote: 
> Anyone?
> 
> On Tuesday, January 5, 2016, Tom Browder <to...@gmail.com> wrote:
> 
> > First, Happy New Year, all!
> >
> > My site currently successfully uses client TLS certs. for access to
> > its private area. I would like to add the capability of a one-time
> > password sent to the user's e-mail to authenticate the user and then
> > allow that user access to the private area for a limited time.
> >
> > I believe I know how to control the password and session handling, but
> > how should the directory block in my httpd conf file look?
> >
> > My current directory configuration block for TLS only looks like this
> > (Apache 2.4.16):
> >
> >   <Directory ~ ".*/public/private">
> >    SSLOptions +StrictRequire
> >    SSLVerifyClient require
> >    SSLVerifyDepth 1
> >    # do NOT allow dir listings
> >    Options -Indexes
> >   </Directory>
> >
> > Is it possible to allow another authentication method to the above?
> >
> > If so, can anyone give me a secure example?
> >
> > Thanks so much.
> >
> > Best regards,
> >
> > -Tom
> >
> 


Re: [users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?

Posted by Daniel Gruno <hu...@apache.org>.
My actual reply is stuck in moderation, as I sent it from the wrong address.

Have patience, it'll be there soon enough :)

On 01/11/2016 01:21 PM, Tom Browder wrote:
> Anyone?
> 
> On Tuesday, January 5, 2016, Tom Browder <tom.browder@gmail.com
> <ma...@gmail.com>> wrote:
> 
>     First, Happy New Year, all!
> 
>     My site currently successfully uses client TLS certs. for access to
>     its private area. I would like to add the capability of a one-time
>     password sent to the user's e-mail to authenticate the user and then
>     allow that user access to the private area for a limited time.
> 
>     I believe I know how to control the password and session handling, but
>     how should the directory block in my httpd conf file look?
> 
>     My current directory configuration block for TLS only looks like this
>     (Apache 2.4.16):
> 
>       <Directory ~ ".*/public/private">
>        SSLOptions +StrictRequire
>        SSLVerifyClient require
>        SSLVerifyDepth 1
>        # do NOT allow dir listings
>        Options -Indexes
>       </Directory>
> 
>     Is it possible to allow another authentication method to the above?
> 
>     If so, can anyone give me a secure example?
> 
>     Thanks so much.
> 
>     Best regards,
> 
>     -Tom
> 




[users@httpd] Re: Dual private access: allow use of either client cert. or one-time password?

Posted by Tom Browder <to...@gmail.com>.
Anyone?

On Tuesday, January 5, 2016, Tom Browder <to...@gmail.com> wrote:

> First, Happy New Year, all!
>
> My site currently successfully uses client TLS certs. for access to
> its private area. I would like to add the capability of a one-time
> password sent to the user's e-mail to authenticate the user and then
> allow that user access to the private area for a limited time.
>
> I believe I know how to control the password and session handling, but
> how should the directory block in my httpd conf file look?
>
> My current directory configuration block for TLS only looks like this
> (Apache 2.4.16):
>
>   <Directory ~ ".*/public/private">
>    SSLOptions +StrictRequire
>    SSLVerifyClient require
>    SSLVerifyDepth 1
>    # do NOT allow dir listings
>    Options -Indexes
>   </Directory>
>
> Is it possible to allow another authentication method to the above?
>
> If so, can anyone give me a secure example?
>
> Thanks so much.
>
> Best regards,
>
> -Tom
>