In short, see https://serverfault.com/questions/577835/apache-ssl-certificate-and-basic-auth-combination-password-if-no-certificate (longer email is pending moderation, I believe) With belated regards, Daniel On 2016-01-11 13:21, Tom Browder <tom.browder@xxxxxxxxx> wrote: > Anyone? > > On Tuesday, January 5, 2016, Tom Browder <tom.browder@xxxxxxxxx> wrote: > > > First, Happy New Year, all! > > > > My site currently successfully uses client TLS certs. for access to > > its private area. I would like to add the capability of a one-time > > password sent to the user's e-mail to authenticate the user and then > > allow that user access to the private area for a limited time. > > > > I believe I know how to control the password and session handling, but > > how should the directory block in my httpd conf file look? > > > > My current directory configuration block for TLS only looks like this > > (Apache 2.4.16): > > > > <Directory ~ ".*/public/private"> > > SSLOptions +StrictRequire > > SSLVerifyClient require > > SSLVerifyDepth 1 > > # do NOT allow dir listings > > Options -Indexes > > </Directory> > > > > Is it possible to allow another authentication method to the above? > > > > If so, can anyone give me a secure example? > > > > Thanks so much. > > > > Best regards, > > > > -Tom > > > ------ Sent via Pony Mail for users@xxxxxxxxxxxxxxxx. View this email online at: https://pony-poc.apache.org/list.html?users@xxxxxxxxxxxxxxxx --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx