Hello List,
we would like to protect a Web-Application Server (let's say Outlook
Web Access or whatever) by using a Reverse Proxy / Apache. This works out
quite well so far.
- - -
Now we would like to add an authentication, so that only users who
pass the Reverse Proxy auth will get to the Web-App login. This can be
done with some htaccess and static passwords. The disadvantage is that
these are static passwords and they could be stored by keyloggers. So we
need some kind of one-time passwords (OTP).
Is there a way to add some random "salt" to the HTTP authentication?
- - -
I had the following idea (http://i39.tinypic.com/zmyyjs.jpg):
The user gets to some login page (PHP) where he enters his
username/password. Then PHP asks him for the 3rd, 6th and 12th digit of his
Passport-ID (this can be random). After submitting this, we could set
these User/Password+(Appended RandomNumber) combinations in a database
which htaccess could try to auth against. This would mean that the user
would have to enter his login information AGAIN using
User/Password+(Appended RandomNumber).
Is there a way to get rid of the HTTP access prompt?
Or is there maybe a completely different way to do secure and cheap OTP
authentication?
Any ideas?
Cheers,
Mario
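
The challenge step of the login page described in the message above, sketched as an added example that is not part of the original post. The function names, the constants and the sample ID are hypothetical, and the array `$state` stands in for the server-side PHP session.

```php
<?php
// Added example, not code from the original post; $state stands in for the session.
const POSITIONS_PER_CHALLENGE = 3;
const MAX_ATTEMPTS = 3;

// Pick distinct 1-based positions with a CSPRNG, in ascending order.
function newChallenge(int $secretLength): array
{
    if ($secretLength < POSITIONS_PER_CHALLENGE) {
        throw new InvalidArgumentException('secret too short');
    }
    $picked = [];
    while (count($picked) < POSITIONS_PER_CHALLENGE) {
        $picked[random_int(1, $secretLength)] = true; // array keys deduplicate
    }
    $positions = array_keys($picked);
    sort($positions);
    return ['positions' => $positions, 'attempts' => 0];
}

// Returns 'ok', 'retry', 'locked' or 'no-challenge'. The stored challenge is
// kept until it is answered or locked, so reloading the page cannot re-roll
// the positions, and a used challenge cannot be answered twice.
function verifyChallenge(array &$state, string $secret, string $answer): string
{
    if (!isset($state['challenge'])) {
        return 'no-challenge';
    }
    if ($state['challenge']['attempts'] >= MAX_ATTEMPTS) {
        return 'locked';
    }
    $state['challenge']['attempts']++;
    $expected = '';
    foreach ($state['challenge']['positions'] as $p) {
        $expected .= $secret[$p - 1]; // needs the ID stored in readable form
    }
    if (hash_equals($expected, $answer)) { // constant-time comparison
        unset($state['challenge']);        // single use
        return 'ok';
    }
    return $state['challenge']['attempts'] >= MAX_ATTEMPTS ? 'locked' : 'retry';
}

// Constructed sample data: a made-up 12-character ID, positions 3, 6 and 12.
$secret = 'C01X9482ZK37';
$state = ['challenge' => ['positions' => [3, 6, 12], 'attempts' => 0]];
foreach (['1X7', '147', '147'] as $answer) { // wrong, correct, replayed
    echo $answer, ' => ', verifyChallenge($state, $secret, $answer), PHP_EOL;
}
```

In a real login page `newChallenge()` would be called once after the username/password check and its result stored in `$_SESSION`; the demo uses a fixed challenge so the answers can be followed by hand.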
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.