Question

I have searched the whole Internet but cannot find any good answer.

Scenario: I have an intranet website that should be accessible from the Internet. I have added a Linux / Apache based reverse proxy in front of it in a DMZ.

Target: Log on to the reverse proxy with a real two-factor auth system using Google Authenticator (not like in this howto, which is single-factor auth: http://www.blogbyben.com/2012/02/getting-google-authenticator-and-apache.html). After login to the reverse proxy, the login token is forwarded to the intranet website.

Any idea?

Thank You!

Solution

By "real two factor" you mean you want the username, password and token - not just username and token, right?

So, here's one option - it's possible to configure PAM on Linux to require a password which is the concatenation of password and code. See: http://google-authenticator.googlecode.com/git/libpam/README. Then you can use Apache auth via PAM (http://pam.sourceforge.net/mod_auth_pam/configure.html) as the authn for your Apache reverse proxy and voila.

Now, I have not actually tried this, and it's possible that it will attempt to verify the password every time (so you'll be logged in for exactly one request before the code becomes invalid!), so then you'll want to use mod_auth_pam combined with mod_auth_form which allows you to set a session cookie to bypass the password checking while the session is valid.

I have implemented something like this but not all the pieces yet.

Would love to know if you get it working!
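
A minimal model of the scheme this answer describes, as an added example that is not part of the original post or of any project named in it: the submitted secret is split into password and 6-digit code, both are checked, and a session token lets later requests skip the check. The names `verify`, `handle`, `SESSIONS` and the sample account are hypothetical; rejecting an already-used code and the in-memory session set (standing in for a mod_auth_form session cookie) are assumptions of the example.

```python
import base64, hashlib, hmac, secrets, struct

STEP, DIGITS = 30, 6  # Google Authenticator defaults

def totp(secret_b32, counter):
    """RFC 6238 code (HMAC-SHA1) for one 30-second time-step counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** DIGITS).zfill(DIGITS)

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify(user, submitted, now, window=1):
    """Check 'password' + 'code' sent as one string; each code works once."""
    if len(submitted) <= DIGITS or not submitted[-DIGITS:].isdigit():
        return False
    # Split from the right, so a password ending in digits still parses.
    password, code = submitted[:-DIGITS], submitted[-DIGITS:]
    pw_ok = hmac.compare_digest(pw_hash(password, user["salt"]), user["hash"])
    current = int(now) // STEP
    matched = None
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(totp(user["secret"], counter), code):
            matched = counter
    if not pw_ok or matched is None or matched <= user["last_counter"]:
        return False
    user["last_counter"] = matched  # assumed policy: a replayed code fails
    return True

SESSIONS = set()  # hypothetical in-memory session store

def handle(user, now, credentials=None, cookie=None):
    """Gate one request: a valid session cookie skips the password+code check."""
    if cookie in SESSIONS:
        return True, cookie
    if credentials and verify(user, credentials, now):
        token = secrets.token_urlsafe(32)
        SESSIONS.add(token)
        return True, token
    return False, None

# Constructed sample account; the secret is the RFC 6238 test key in Base32.
SALT = b"constructed-salt"
USER = {"salt": SALT, "hash": pw_hash("hunter2", SALT), "last_counter": -1,
        "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}
```

Calling `handle(USER, 59, credentials="hunter2287082")` succeeds once; resending the same credentials on the next request fails, while presenting the returned token as `cookie` keeps the session alive.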

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow