[Owncloud] Writing documentation about one-time passwords

Roman Inflianskas infroma at gmail.com
Wed Jan 23 18:23:09 UTC 2013


[Daniel, sorry for sending the same letter again – last time I
accidentally pressed the "Reply" button instead of "Reply to all" in my GMail.
Now I'm just re-sending the email.]
Hi Daniel,

On Sun, Jan 13, 2013 at 11:38 PM, Daniel Molkentin <danimo at owncloud.com> wrote:

> If you would like to contribute this to our administrator manual, it would
> be nice if you could write down a technical outline and send it here before
> you make an effort to write an entire tutorial. After a peer-review of the
> concept by one of our developers, you can contribute it.
>
> I want peer reviews for these kinds of documentation because if we make
> this an official documentation, people will trust that it is safe, and we
> should make sure it is.


Sorry for the delay: I was preparing for physics exams at my university
and had no time to write a reply. Yesterday I passed the exam (5/5) and I'm
now able to deal with the documentation.

This is an outline of the tutorial. It consists of 2 parts: user and
administrator guides.

User guide:
1. [General description and advantages of one-time password (OTP)
authentication (can be copied from Wikipedia or other sites).]
2. There are many apps for the common mobile platforms for generating
OTPs. It's impossible to write a tutorial for every device/app, therefore I'll
assume that the user has Android with the
Potato <https://play.google.com/store/apps/details?id=nu.kelvin.potato> app,
because it's the simplest OTP (mOTP, to be more precise) app in my opinion.
3. How to use it (with screenshots).
3.1. How to create a token.
3.2. How to get an OTP.

Administration guide:
1. [Link to the user guide for understanding the goal.]
2. OTP authentication can be set up in many ways: using an Apache module, a PHP
function, a plugin for RADIUS, a PAM module, etc. We use the Apache module not
because this is the best way but because the author has not mastered the other ways.
3. [Describing the installation of
mod_authn_otp <http://code.google.com/p/mod-authn-otp/> and enabling it
via a2enmod.]
4. [Editing Apache's configs.]
4.1. It's bad to use http. Only use https, especially with
OTP <http://code.google.com/p/mod-authn-otp/wiki/SecurityConsiderations>.
Let's assume you've configured owncloud via the file
/etc/apache2/default-vhost-ssl.conf and the default server's config file (http)
is /etc/apache2/default-server.conf.
4.2. WebDAV authentication needs a "private" web page protected with a password
(basic Apache authentication). We cannot protect
https://server/owncloud with a password because in that case Apache would block
owncloud before we could reach owncloud's login page. We don't want that. Instead
we should create a special empty html file (/srv/www/htdocs/otp/index.html).
Then set the right permissions.
4.3. [Editing /etc/apache2/default-server.conf]. We need to add these lines:
<Directory "/srv/www/htdocs/otp">
    # Apache 2.2 host access control: only requests from this machine
    # (i.e. the owncloud WebDAV Authentication app) may reach this page
    Order deny,allow
    Deny from all
    # IPv4 localhost
    Allow from 127.0.0.1
    # IPv6 localhost
    Allow from ::1
    # Basic authentication, with mod_authn_otp as the password provider
    AuthType Basic
    # any string
    AuthName "Authentication based on OTP"
    AuthBasicProvider OTP
    Require valid-user
    OTPAuthUsersFile "/srv/otp/users"
    # 0 seconds to reuse the same password (each password will work exactly one time)
    OTPAuthMaxLinger 0
    OTPAuthLogoutOnIPChange On
</Directory>
5. [Configuring mod_authn_otp <http://code.google.com/p/mod-authn-otp/>]
5.1. Make the file /srv/otp/users and add lines:
MOTP user1 [pin, 4 digits] [Token key from Potato, 16 hex digits]
MOTP user2 [pin, 4 digits] [Token key from Potato, 16 hex digits]
5.2. Set permissions for the folder /srv/otp: wwwrun:www, 700.
6. Enable the WebDAV Authentication app and set "WebDAV URL" to
"http://server/otp" in the "WebDAV Authentication" section of the admin panel.

That's it. You can probably see tons of mistakes in this letter. Sorry for that –
English isn't my native language.

-- 
Regards, Roman Inflianskas