Two-factor authentication built in Virtualmin --- attach SSH

5 posts / 0 new
Last post
#1 Sat, 07/23/2016 - 03:46
a10sth

Two-factor authentication built in Virtualmin --- attach SSH

Hello Forum,

I have a current install of Virtualmin GPL 5.03 completely up to date with a Ubuntu 16.04 64bit install.

I noticed the two step authentication built into Webmin that let's you ask for a verification key from the Google Authenticator or Authy. I choose the Google Authenticator since it was more convenient. It works great on the Virtualmin login page, but I would like to use this setup, these same codes over to SSH. I have seen ways to install the authenticator app separately, but I would like to have one control point if possible, since Webmin is already taking care of it with a module inside, can I use a PAM to add to the /etc/pam.d/sshd? My only problem is I don't see one for the Google Authenticator.

I hope I was specific enough, I spent quite a few hours looking for this.

I do suggest a few updates to the Google Authenticator module in Webmin:

1) on enrollment, require a key to be entered to verify that it was setup correctly to prevent lockout 2) provide the backup codes that normally come with a native setup.

I really appreciate any help anyone can give on this, this will help out alot, thanks,

Sat, 07/23/2016 - 07:16
Diabolico
Diabolico's picture

For SSH you dont need two factor authentication but rather remove password login and instead use keys. If you add strong passphrase (lets say 20 random characters) to the keys you are pretty safe. Even if the hacker somehow manage to get the keys he would still missing the passphrase to use the keys.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Sat, 07/23/2016 - 11:31
a10sth

I really appreciate the input, but I would still like to know this, since this will be setup for not quite advanced users like so, but average users that I will be better able to get to use the google authenticator and their password than that.

even with keys, I would still insist on a OTP 2FA

again thank you so much

Sat, 07/23/2016 - 12:46
Diabolico
Diabolico's picture

Then google up "ssh two factor authentication [your OS]" and you will find tons of guides. More or less all of them come down to install google-authenticator and setup SSH to use it.

Dont forget to check and if needed increase "LoginGraceTime" to give time to your client to recover the code and use it otherwise the server will disconnect him while waiting for the code.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Sat, 07/23/2016 - 13:08
a10sth

Again thank you for your feedback, but you missed what I was asking,

"I have seen ways to install the authenticator app separately, but I would like to have one control point if possible, since Webmin is already taking care of it with a module inside, "

I already know that I can install a separate install for it, and have it work that way, my question was, how to make SSH work with the two-factor authentication - Google Authenticator module built into Webmin.

Again I do appreciate your feedback

Thank you very much,

Topic locked