<div>[Daniel, sorry for sending the same letter again – the last time I accidentally pressed the "Reply" button instead of "Reply to all" in my Gmail. Now I'm just re-sending the email]</div><div>Hi Daniel,</div><div class="gmail_quote">
<div class="im"><br><div class="gmail_quote">On Sun, Jan 13, 2013 at 11:38 PM, Daniel Molkentin <span dir="ltr"><<a href="mailto:danimo@owncloud.com" target="_blank">danimo@owncloud.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
If you would like to contribute this to our administrator manual, it would be nice if you could write down a technical outline and send it here before you make an effort to write an entire tutorial. After a peer-review of the concept by one of our developers, you can contribute it.<br>
<br>I want peer reviews for these kinds of documentation because if we make this official documentation, people will trust that it is safe, and we should make sure it is.</blockquote></div><br clear="all"></div><div>
Sorry for the delay: I was getting ready for my physics exams at university and had no time to write the answer. Yesterday I passed the exam (5/5) and I'm now able to deal with the documentation.<br>
<br>This is the outline of the tutorial. It consists of 2 parts: the user and administrator guides.<br><br>User guide:<br>1. [General description and advantages of one-time password (OTP) authentication (can be copied from Wikipedia or other sites).]<br>
2. There are many apps for several common mobile platforms for generating OTPs. It's impossible to write a tutorial for every device/app, therefore I'll assume that the user has Android with the <a href="https://play.google.com/store/apps/details?id=nu.kelvin.potato" target="_blank">Potato</a> app, because it's the simplest OTP (mOTP, to be more precise) app in my opinion.<br>
3. How to use it (with screenshots).</div><div>3.1. How to create a token.</div><div>3.2. How to get an OTP.<br><br>Administration guide:<br>1. [Link to the user guide for understanding the goal.]<br>2. OTP authentication can be set up in many ways: using an Apache module, a PHP function, a plugin for RADIUS, a PAM module, etc. We use the Apache module not because this is the best way but because the author has not mastered the other ways.<br>
3. [Describing the process of installing <a href="http://code.google.com/p/mod-authn-otp/" target="_blank">mod_authn_otp</a> and enabling it via a2enmod.]<br>4. [Editing Apache's configs.]<br>4.1. It's bad to use http. Only use https, <a href="http://code.google.com/p/mod-authn-otp/wiki/SecurityConsiderations" target="_blank">especially with OTP</a>. Let's assume you've configured owncloud via the file /etc/apache2/default-vhost-ssl.conf and the default server's config file (http) is /etc/apache2/default-server.conf.<br>
4.2. WebDAV authentication needs a "private" web page protected with a password (basic Apache authentication). We cannot protect <a href="https://server/owncloud" target="_blank">https://server/owncloud</a> with a password because in this case Apache will block owncloud before we can reach owncloud's login page. We don't want that. Instead we should create a special empty html file (/srv/www/htdocs/otp/index.html). Then set the right permissions.<br>
4.3. [Editing /etc/apache2/default-server.conf]. We need to add these lines:<br><pre>
<Directory "/srv/www/htdocs/otp">
    Order deny,allow
    Deny from all
    # IPv4 localhost
    Allow from 127.0.0.1
    # IPv6 localhost
    Allow from ::1
    AuthType Basic
    # any string
    AuthName "Authentication based on OTP"
    AuthBasicProvider OTP
    Require valid-user
    OTPAuthUsersFile "/srv/otp/users"
    # 0 seconds during which the same password may be reused (each password will work exactly one time)
    OTPAuthMaxLinger 0
    OTPAuthLogoutOnIPChange On
</Directory>
</pre></div><div>5. [Configuring <a href="http://code.google.com/p/mod-authn-otp/" target="_blank">mod_authn_otp</a>]</div><div>5.1. Make the file /srv/otp/users and add lines:</div>
<div>MOTP user1 [pin, 4 digits] [Token key from Potato, 16 hex digits]</div><div>MOTP user2 [pin, 4 digits] [Token key from Potato, 16 hex digits]</div><div>5.2. Set permissions for the folder /srv/otp: wwwrun:www, 700.<br>
6. Enable the WebDAV Authentication app and set "WebDAV URL" to "<a href="http://server/otp" target="_blank">http://server/otp</a>" in the "WebDAV Authentication" section of the admin panel.</div><div><br>
</div><div>That's it. You may see tons of mistakes in this letter. Sorry for that – English isn't my native language.</div>
</div><br>-- <br>Regards, Roman Inflianskas<br>
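The outline above has mod_authn_otp check mOTP tokens from a phone app against a users file, with OTPAuthMaxLinger 0 so that each password works exactly once. As an added example that is not part of the original message, of mod_authn_otp or of the Potato app, the following Python code shows what that server-side check amounts to: the mOTP computation (first six hex digits of MD5 over the 10-second counter, the 16-hex-digit token key and the 4-digit PIN), a parser for the "MOTP user pin key" users-file format shown in step 5.1, and a verifier that refuses a token that has already been spent. The plus/minus three-step clock-skew window, the class and function names, and the sample user entries are assumptions of this example.

```python
# Added example (not part of the original e-mail or of mod_authn_otp):
# a minimal server-side verifier for mOTP tokens, reading the
# "MOTP <user> <pin> <key>" users-file format and enforcing
# "each password works exactly one time" (the OTPAuthMaxLinger 0 idea).
import hashlib
import hmac
import time
from typing import Dict, Optional, Set, Tuple

HEX_DIGITS = set("0123456789abcdef")


def motp(secret_hex: str, pin: str, epoch: int) -> str:
    """Mobile-OTP token: first 6 hex digits of MD5(epoch//10 || secret || PIN).

    The 16-hex-digit secret is the "token key" shown by the phone app; the
    4-digit PIN is appended as text. The counter changes every 10 seconds,
    so a token is only valid for a short time. MD5 is what the mOTP scheme
    specifies, so it is used here for compatibility, not as a design choice.
    """
    counter = str(epoch // 10)
    data = (counter + secret_hex.lower() + pin).encode("ascii")
    return hashlib.md5(data).hexdigest()[:6]


def parse_users_file(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'MOTP <user> <pin> <key>' lines into {user: (pin, key)}.

    Blank lines and '#' comments are skipped; malformed lines raise instead
    of being ignored, so a typo in the file cannot silently change who can log in.
    """
    users: Dict[str, Tuple[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4 or fields[0] != "MOTP":
            raise ValueError(f"line {lineno}: expected 'MOTP <user> <pin> <key>'")
        _, user, pin, key = fields
        if not (pin.isdigit() and len(pin) == 4):
            raise ValueError(f"line {lineno}: PIN must be 4 digits")
        if len(key) != 16 or not set(key.lower()) <= HEX_DIGITS:
            raise ValueError(f"line {lineno}: key must be 16 hex digits")
        if user in users:
            raise ValueError(f"line {lineno}: duplicate user {user!r}")
        users[user] = (pin, key.lower())
    return users


class MotpVerifier:
    """Check submitted tokens against the users file with replay protection."""

    def __init__(self, users: Dict[str, Tuple[str, str]], window_steps: int = 3):
        # Assumption of this example: accept tokens from +/- 3 counter steps
        # (30 seconds) to tolerate clock skew between phone and server.
        self.users = users
        self.window = window_steps
        self.used: Dict[str, Set[int]] = {}  # user -> counters already accepted

    def verify(self, user: str, token: str, now: Optional[int] = None) -> bool:
        if now is None:
            now = int(time.time())
        entry = self.users.get(user)
        if entry is None:
            return False  # unknown user: same answer as a wrong token
        pin, key = entry
        token = token.strip().lower()
        base = now // 10
        for step in range(-self.window, self.window + 1):
            counter = base + step
            expected = motp(key, pin, counter * 10)
            # constant-time comparison, as for any authenticator value
            if hmac.compare_digest(expected, token):
                seen = self.used.setdefault(user, set())
                if counter in seen:
                    return False  # replay: this token was already spent
                seen.add(counter)
                return True
        return False


if __name__ == "__main__":
    # Constructed sample users file; the key and PIN are made up.
    sample = "# type user pin key\nMOTP user1 1234 0123456789abcdef\n"
    verifier = MotpVerifier(parse_users_file(sample))
    t = int(time.time())
    fresh = motp("0123456789abcdef", "1234", t)
    print("first use accepted:", verifier.verify("user1", fresh, now=t))
    print("replay accepted:", verifier.verify("user1", fresh, now=t))
```

The `used` set is what makes the second submission of the same token fail; mod_authn_otp keeps equivalent state on disk, which is why the users file and its directory need the restrictive ownership and mode from step 5.2. The window is the trade-off between tolerating phone clock drift and how long a captured token stays usable.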