Hi,
I have been working on setting up Two-factor SSH authentication via Google.
This has gotten me thinking - when I do implement this on my SSH and secure my SSH even more, this will not be of much use if I do not implement it on the Virtualmin/Webmin Login page as well?
How would I be able to work Two-factor authentication via Google into the Virtualmin/Webmin Login page?
Any suggestions or ideas would be appreciated.
Kiteplans
Howdy,
That's an interesting question... what did you have to do in order to get SSH working with the two-factor authentication?
I'm curious if a similar setup to what you did there could also work for Webmin/Virtualmin, but that'll depend on what all needed done for SSH to work.
-Eric
Eric,
Sorry for only getting back to you now.
Here is what needs to be done to get it to work on SSH:
http://blog.adslweb.net/serendipity/article/286/CentOS-5-enabling-Two-fa...
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/ca...
And here is a thread I found of someone who already did a hack to get it to work on Webmin...
http://forum.yubico.com/viewtopic.php?f=11&t=692
Let me know what you think.
Peace
I’m a “Geek” serving as a Linux System admin, a website designer and maintainer and general know how for all things TECH. I am a fan of CentOS, Virtualmin, Joomla, and anything that uses Electricity. See more of my posts at http://www.dieskim.me
Ah, great. That's good info, which also led me to some other docs on the matter.
My one last question before I go pursue this further -- once two-factor authentication is enabled in SSH -- am I correct in that it becomes a requirement for everyone?
And is that what you'd want for Webmin/Virtualmin?
Or would you like to see that configurable per-user?
I think I'd be inclined to look into a way of enabling/disabling that per-user, but I wanted your thoughts before looking into it :-)
Thanks!
-Eric
Eric,
Have you had time to look at this more at all? How is it coming along?
Peace
Eric,
Thanks for looking into this with me.
Yes, I believe you are right about it being required by everyone on the server.
I would really want that on the virtualmin/webmin server as a requirement as with SSH as I would want the system to be secure all round, or have the added security of two-factor authentication all round, SSH and Virtualmin with all users - and not just some that have a higher/better security level due to the two-factor authentication and then others bringing the security level down due to them not having it or needing it.
Basically all I am saying is - if you want to go to the extreme of adding two-factor authentication on your server I think you would want to do it all round!
What would be your main reasons for wanting to add the feature to enable/disable that per-user? And would that be the best thing or good at all to do from a security point of view?
Looking forward to hearing from you!
Peace
With duo security it can be per user.
I think I had it working per user on google authenticator, but I am not sure since I replaced it with duosecurity.
If you want to put it only for ssh you can modify the pam files for ssh, that's what I do.
Have you managed to get SSH to use two-factor authentication with just a PAM configuration change?
If so, you could configure Webmin in the same way, by editing /etc/pam.d/webmin with the same changes you made to /etc/pam.d/sshd
Since the login process will now prompt for more than just a username and password, you would need to enable "Full PAM conversion" mode in Webmin. This can be done by editing /etc/webmin/miniserv.conf and adding the line pam_conv=1, then running /etc/webmin/restart
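A check for the two changes described in the reply above, as an added example that is not part of the original thread: it confirms that the Webmin PAM file carries the same second-factor auth line as sshd and that pam_conv=1 is set in miniserv.conf. The module name pam_google_authenticator.so, the function names and the sample file contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: verify the Webmin two-factor set-up described in the thread.
MODULE=pam_google_authenticator.so   # assumption: module used for the SSH set-up

# Print the active "auth" lines of PAM file $1 that reference module $2,
# with whitespace normalised so spacing differences do not matter.
pam_auth_lines() {
    awk -v mod="$2" '$1 == "auth" && index($0, mod) { $1 = $1; print }' "$1"
}

# Args: sshd PAM file, webmin PAM file, miniserv.conf, module name.
# Returns 0 when Webmin mirrors sshd's second-factor line and pam_conv=1 is set,
# 1 when Webmin is missing either, 2 when sshd itself has no such line.
check_webmin_2fa() {
    want=$(pam_auth_lines "$1" "$4")
    have=$(pam_auth_lines "$2" "$4")
    rc=0
    if [ -z "$want" ]; then
        echo "sshd: no auth line for $4"; return 2
    fi
    if [ "$want" != "$have" ]; then
        echo "webmin: auth line for $4 missing or different from sshd"; rc=1
    fi
    if ! grep -qx 'pam_conv=1' "$3"; then
        echo "miniserv.conf: pam_conv=1 not set"; rc=1
    fi
    return $rc
}

# Constructed sample files (not taken from a real host) so the check runs offline.
demo=$(mktemp -d)
printf '%s\n' 'auth required pam_google_authenticator.so' \
              'auth include system-auth' > "$demo/sshd"
printf '%s\n' 'auth include system-auth' > "$demo/webmin_before"
printf '%s\n' '#auth required pam_google_authenticator.so' \
              'auth   required   pam_google_authenticator.so' \
              'auth include system-auth' > "$demo/webmin_after"
printf '%s\n' 'port=10000' > "$demo/miniserv_before"
printf '%s\n' 'port=10000' 'pam_conv=1' > "$demo/miniserv_after"

check_webmin_2fa "$demo/sshd" "$demo/webmin_before" "$demo/miniserv_before" "$MODULE" \
    || echo "before: Webmin login is not covered by the second factor"
check_webmin_2fa "$demo/sshd" "$demo/webmin_after" "$demo/miniserv_after" "$MODULE" \
    && echo "after: Webmin login mirrors the sshd set-up"
```

On a real server the three file arguments would be /etc/pam.d/sshd, /etc/pam.d/webmin and /etc/webmin/miniserv.conf.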
Hey guys,
Thanks for all the help and advice - I spent the whole day on this and it now works beautifully on both SSH and Virtualmin - here is a guide I wrote...
http://kiteplans.info/2012/04/06/two-factor-ssh-virtualmin-authenticatio...
Let me know what you think - I have also added a link to the bottom to a patch that would enable you to turn this on for some users only.
That's a nice writeup, thanks for sharing!
I posted a link to your blog entry in our twitter account.
-Eric
Eric,
Awesome! Thanks so much! That's more of a Diary than a blog but there is also a lot of other good Virtualmin related things!
Peace
Actually I think this feature should be built-in with Virtualmin. Would love to see it part of the next release...
Eric,
I would find the two factor feature somewhat painful if it was forcibly enabled for ALL virtualmin users.
In a production environment from my perspective I would want the main administration account(s) and SSH users to have two factor but my clients should not need to go and purchase a Yubikey or sign up with a 3rd party just to login to a service they are paying for. A choice of users would be nice.
I'm looking at getting a Yubikey myself to use with both KeePass and my servers. I will likely look into kiteplans post regarding two factor with virtualmin if it hasn't been implemented yet.