Google Authenticator / 2Factor Auth won't work once enabled.

Hi I think I've found a bug/issue - or at least this is what is happening for my Debian Jessie server.

I'm running Webmin 1.821 and Virtualmin 5.05 GPL.

When I enabled Two Factor Authentication and scan the QR code in Google Authenticator all seems ok.

But then when I log out and try and log back in I just get the error: "Two-factor authentication failed: Incorrect OTP code"

I then have to go in via SSH and disable OTP/2FA.

Any help appreciated to get this enabled or fixed.

Thanks :)



Does any error get logged to /var/webmin/miniserv.error when you try to login?

Hi thanks for the reply.

No error gets logged when I try login. The onscreen error "Two-factor authentication failed: Incorrect OTP code" appears.

When I check the log the only errors in there are from when the login page is accessed "Document follows : This web server is running in SSL mode. Try the URL..."

Trying the login from IP address https or hostname https still doesn't work either.

As soon as I turn of the two factor I'm straight back in again. I thought this may be down to having a sudo user set up instead of root login on Debian. But trying to login as "root" also gives the same error too... It could still be related though?

Thanks again for the help.

Hi I seem to have now fixed this (unless you managed to update something since?) by creating a webmin user group, then converting my sudo unix user to a webmin user. Then I deleted the root webmin user. When I log out I can then login as the sudo user and it accepts the Google 2 factor code no problem.

So it must of been trying to match up the code to the root user even though I was never logging in as root. I wonder if this is due to it being debian which has root as the default without any sudo users. I added a sudo user initially when I installed it so that I wasn't logging in as root...

Yes, that would explain it - if you are logging in as a sudo-capable user, it is treated as root for the purposes of two-factor authentication.