Pilot service for Yubikey two-factor authentication

November 24, 2015

Cosign client configuration for Informatics ‘Theon’ websites

Filed under: Pilot service for Yubikey two-factor authentication — idurkacz @ 8:35 am
Tags: ,

As a brief note, internal to Informatics:

We’ve now set up two-factor Cosign authentication on a test ‘portal.theon’ website. Apart from pointing that client site at the appropriate test Cosign server, the only necessary configuration is the inclusion of appropriate CosignRequireFactor directives at suitable places within the Apache configuration hierarchy.

For testing, we’ve placed these directives using both Apache <Directory> stanzas, and also within .htaccess files. Both approaches work, and both therefore ‘switch on’ two-factor authentication at a directory level. (We assume – but have not tested – that <Files> stanzas could be used to make the authentication demarcations even more fine-grained. But, on the other hand, the simpler these demarcations are, the better.) Note, of course, that CosignRequireFactor directives placed within .htaccess files work if and only if the necessary Apache ‘Overrides’ declarations are in force.

Specifically, to populate the appropriate .htaccess files within the test ‘portal.theon’ website, the final approach taken has been to amend the relevant TP000...Access conduits so that a CosignRequireFactor INF.ED.AC.UK otp directive is appended as a verbatim gurgle %%footer statement.

Theme: Rubric.