Nowadays I try to manage my virtual servers from a browser with shell in a box. I also have a post about my experiences with shell in a box.

Opening access to your servers means a lot of people will try to hack your system. Shell in a box authenticates the user; however, the GUI does not have any authentication. Hence I want to add some authentication with little effort. I want to use htpasswd. But I want to use two-factor authentication. The first step of authentication will be OTP, and the second step will be performed by ssh.

After some searching (it was very easy), I found the mod_authn_otp project. I compiled it and deployed it on my server. For configuration, you need only a few very simple directives in the Apache config:

AuthType basic
AuthName "OTP Auth"
AuthBasicProvider OTP
Require valid-user
OTPAuthUsersFile /path/you/want/otp.secrets

I configured the otp.secrets file for use with Google Authenticator. An example line follows.

HOTP/T30 <username>  -  <secret>

To create the secret and the mobile configuration, I used the PHPGangsta/GoogleAuthenticator project.
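The otp.secrets line and the phone-side setup carry the same key in two encodings. The following is an added example (not code from this post, mod_authn_otp or PHPGangsta/GoogleAuthenticator) that generates a key, writes it in the `HOTP/T30 <username>  -  <secret>` form shown above, and derives the base32 secret and otpauth:// URI for Google Authenticator. It assumes mod_authn_otp reads the secret as hex; the function names, the user `alice` and the issuer label `shellinabox` are made up for illustration.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

def new_key(nbytes=20):
    """Random key from the OS CSPRNG; 20 bytes matches the HMAC-SHA1 output size."""
    return secrets.token_bytes(nbytes)

def users_file_line(username, key, pin="-"):
    # Line format from the post: HOTP/T30 <username>  -  <secret>
    # Assumption: the module expects the secret hex-encoded.
    # "-" in the third column is kept exactly as in the post's example.
    return f"HOTP/T30 {username}  {pin}  {key.hex()}"

def authenticator_secret(key):
    # Google Authenticator takes the same key as unpadded base32.
    return base64.b32encode(key).decode().rstrip("=")

def otpauth_uri(username, key, issuer="shellinabox"):
    # issuer is a hypothetical display label shown in the phone app.
    label = quote(f"{issuer}:{username}")
    return (f"otpauth://totp/{label}?secret={authenticator_secret(key)}"
            f"&issuer={quote(issuer)}&period=30&digits=6")

def totp(key, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), to check both encodings yield the same code."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    key = new_key()
    print(users_file_line("alice", key))   # append to otp.secrets
    print(otpauth_uri("alice", key))       # render as a QR code for the phone
    print("current code:", totp(key, time.time()))
```

The printed current code should match what the phone shows for the same 30-second window; if it does not, check the server clock before suspecting the key.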

And restart Apache to load the configuration.

PS: Do not forget to add the LoadModule directive to your httpd.conf.