Submitted by sjorsvdp on Thu, 12/03/2015 - 02:30
For some users I have enabled two-factor authentication using Google Authenticator. At the Virtualmin login form a field "token" is visible and required for the users that have enabled two-factor authentication.
However, when visiting the mobile site a login page without a "token" field is displayed. The title of the page is "Login at Webmin" (translated). A user can log in without a two-factor token.
Expected:
- a user cannot log in (no token can be provided), or
- the token field is displayed and validated
Status:
Closed (fixed)
Comments
Submitted by JamieCameron on Thu, 12/03/2015 - 22:06 Comment #1
So is it the same user who can log in via the mobile theme with no token, but cannot log in via the regular UI?
Because two-factor has to be setup on a user by user basis.
Submitted by sjorsvdp on Fri, 12/04/2015 - 01:57 Comment #2
Yes, it is the same user
Submitted by JamieCameron on Fri, 12/04/2015 - 19:19 Comment #3
That is very odd, as the mobile site shouldn't have a different login form from the regular site.
Which version of the virtual-server-mobile package do you have installed there?
Submitted by sjorsvdp on Sun, 12/06/2015 - 03:43 Comment #4
I have two packages installed:
- webmin-virtual-server-mobile: 2.6
- usermin-virtual-server-mobile: 2.1
Submitted by JamieCameron on Sun, 12/06/2015 - 12:07 Comment #5
So there is definitely a bug in that the mobile UI doesn't show the two-factor login field. However, in all my tests this simply prevents a login from working at all.
Are you sure when using the mobile UI you are logging into the regular Virtualmin UI on port 10000 ?
Submitted by sjorsvdp on Mon, 12/07/2015 - 12:03 Comment #6
Checked again and yes, it's port 10000. But...
It's not the mobile UI. It's the check if the token is required. On my mobile the user field is filled in with a capital. This is behaviour of the browser and I was too lazy to use lowercase. When I use a capital on the desktop UI, the token is bypassed as well.
Conclusion: the check if a token is required should be case insensitive.
Submitted by JamieCameron on Mon, 12/07/2015 - 18:25 Comment #7
So I just tested this, and wasn't able to log in with an incorrect-case username. I was completely ready to believe that the Webmin code had this bug, but it doesn't look like it!
Are you using local files for Webmin users, or a remote DB like LDAP or MySQL?
Submitted by sjorsvdp on Tue, 12/08/2015 - 03:06 Comment #8
LDAP is used
Submitted by JamieCameron on Tue, 12/08/2015 - 23:06 Comment #9
Ok, that explains it - the issue here is that LDAP lookups are not case sensitive, but lookups into the two-factor key list are :-( This will be fixed in the next Webmin release.
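The mismatch described in comment #9, as an added example (this is not Webmin's own code; the user directory, the password hashing, the enrolled secret and the login functions are constructed stand-ins written in Python). The directory matches usernames case-insensitively the way an LDAP uid search does, the two-factor key list is a plain dict keyed by the exact string, and the only difference between the vulnerable and fixed login is which string is used to look up the two-factor secret.

```python
"""Added example for comment #9: a case-insensitive user directory beside a
case-sensitive two-factor key list. Not Webmin code; everything here is
constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time

SALT = b"constructed-static-salt"  # constructed; a real system uses a per-user random salt


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


# Constructed stand-in for the LDAP directory. The uid attribute is matched
# case-insensitively, so "Alice" and "ALICE" both resolve to the entry "alice".
LDAP_USERS = {
    "alice": _hash_password("correct horse"),
    "bob": _hash_password("hunter2"),
}

# Constructed stand-in for the two-factor key list. Only alice is enrolled, and
# the key is the exact lowercase string "alice". The secret is the RFC 6238
# test key "12345678901234567890" in base32.
TWOFACTOR_SECRETS = {
    "alice": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}


def ldap_lookup(username: str):
    """Case-insensitive match, like an LDAP uid search; returns the canonical uid or None."""
    for uid in LDAP_USERS:
        if uid.lower() == username.lower():
            return uid
    return None


def password_ok(uid: str, password: str) -> bool:
    return hmac.compare_digest(LDAP_USERS[uid], _hash_password(password))


def totp(secret_b32: str, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, with the clock passed in so it is testable."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def token_ok(secret_b32: str, token, now: float) -> bool:
    return token is not None and hmac.compare_digest(totp(secret_b32, now), str(token))


def _clock(now):
    return time.time() if now is None else now


def login_vulnerable(username, password, token=None, now=None):
    """Two-factor lookup keyed by the username exactly as typed (the bug in this thread)."""
    uid = ldap_lookup(username)
    if uid is None or not password_ok(uid, password):
        return "denied"
    # BUG: "Alice" is not a key in the list, so the user looks un-enrolled and
    # the second factor is never required.
    secret = TWOFACTOR_SECRETS.get(username)
    if secret is None:
        return "ok-no-2fa"
    return "ok-2fa" if token_ok(secret, token, _clock(now)) else "denied"


def login_fixed(username, password, token=None, now=None):
    """Two-factor lookup keyed by the canonical uid the directory returned."""
    uid = ldap_lookup(username)
    if uid is None or not password_ok(uid, password):
        return "denied"
    secret = TWOFACTOR_SECRETS.get(uid)   # same identity the password check used
    if secret is None:
        return "ok-no-2fa"
    return "ok-2fa" if token_ok(secret, token, _clock(now)) else "denied"


if __name__ == "__main__":
    print("vulnerable, typed 'Alice':", login_vulnerable("Alice", "correct horse", now=59))
    print("fixed, typed 'Alice':     ", login_fixed("Alice", "correct horse", now=59))
```

The fixed variant does not simply lowercase the typed name; it keys the two-factor lookup on the identity the directory itself resolved, so whatever matching rule the backend applies (LDAP's case-insensitive uid here) is the one rule that decides both factors. The general check is that every per-user policy lookup after authentication uses the canonical identifier returned by the authenticating backend, never the raw form input.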
Submitted by sjorsvdp on Thu, 12/10/2015 - 02:19 Comment #10
Thanks!
Submitted by Issues on Thu, 12/24/2015 - 02:20 Comment #11
Automatically closed -- issue fixed for 2 weeks with no activity.