Two-factor authentication via Google

  • kiteplans
  • 05/04/10
Posted: Thu, 2012-03-22 22:14

Hi,

I have been working on setting up Two-factor SSH authentication via Google.

This has gotten me thinking - when I do implement this on my SSH and secure my SSH even more, this will not be of much use if I do not implement it on the Virtualmin/Webmin Login page as well?

How would I be able to work Two-factor authentication via Google into the Virtualmin/Webmin Login page?

Any suggestions or ideas would be appreciated.

Kiteplans



  • andreychek
  • 01/05/09
  • Fri, 2012-03-23 07:50

Howdy,

That's an interesting question... what did you have to do in order to get SSH working with the two-factor authentication?

I'm curious if a similar setup to what you did there could also work for Webmin/Virtualmin, but that'll depend on what all needed done for SSH to work.

-Eric



  • kiteplans
  • 05/04/10
  • Tue, 2012-03-27 02:02

Eric,

Sorry for only getting back to you now.

Here is what needs to be done to get it to work on SSH: http://blog.adslweb.net/serendipity/article/286/CentOS-5-enabling-Two-fa... http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/ca...

And here is a thread I found of someone who already did a hack to get it to work on Webmin...

http://forum.yubico.com/viewtopic.php?f=11&t=692

Let me know what you think.

Peace



  • andreychek
  • 01/05/09
  • Tue, 2012-03-27 08:05

Ah, great. That's good info, which also led me to some other docs on the matter.

My one last question before I go pursue this further -- once two-factor authentication is enabled in SSH -- am I correct in that it becomes a requirement for everyone?

And is that what you'd want for Webmin/Virtualmin?

Or would you like to see that configurable per-user?

I think I'd be inclined to look into a way of enabling/disabling that per-user, but I wanted your thoughts before looking into it :-)

Thanks!

-Eric



  • kiteplans
  • 05/04/10
  • Wed, 2012-04-04 20:45

Eric,

Have you had time to look at this more at all? How is it coming along?

Peace



  • kiteplans
  • 05/04/10
  • Tue, 2012-03-27 09:46

Eric,

Thanks for looking into this with me.

Yes, I believe you are right about it being required by everyone on the server.

I would really want that on the Virtualmin/Webmin server as a requirement as with SSH as I would want the system to be secure all round, or have the added security of two-factor authentication all round, SSH and Virtualmin with all users - and not just some that have a higher/better security level due to the two-factor authentication and then others bringing the security level down due to them not having it or needing it.

Basically all I am saying is - if you want to go to the extreme of adding two-factor authentication on your server I think you would want to do it all round!

What would be your main reasons for wanting to add the feature to enable/disable that per-user? And would that be the best thing or good at all to do from a security point of view?

Looking forward to hearing from you!

Peace



  • Mick27
  • 05/16/09
  • Wed, 2012-03-28 14:35

With duo security it can be per user.

I think I had it working per user on Google Authenticator, but I am not sure since I replaced it with duosecurity.

If you want to put it only for ssh you can modify the pam files for ssh, that's what I do.


Two-factor and PAM

  • JamieCameron
  • 10/23/08
  • Wed, 2012-04-04 23:40

Have you managed to get SSH to use two-factor authentication with just a PAM configuration change?

If so, you could configure Webmin in the same way, by editing /etc/pam.d/webmin with the same changes you made to /etc/pam.d/sshd.

Since the login process will now prompt for more than just a username and password, you would need to enable "Full PAM conversion" mode in Webmin. This can be done by editing /etc/webmin/miniserv.conf and adding the line pam_conv=1, then running /etc/webmin/restart
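
An added example, not part of the original post: a check that the two-factor PAM line added for sshd is also present for Webmin and that miniserv.conf carries pam_conv=1, as the steps above describe. The module name pam_google_authenticator.so is an assumption (the thread does not show the PAM lines), the function names are hypothetical, and the sample files are constructed stand-ins for /etc/pam.d/sshd, /etc/pam.d/webmin and /etc/webmin/miniserv.conf.

```shell
#!/bin/sh
# Added example (not from the thread): check that Webmin got the same
# two-factor PAM change as sshd, and that miniserv.conf has pam_conv=1.
# ASSUMPTION: the module is Google Authenticator's pam_google_authenticator.so.
MODULE="${MODULE:-pam_google_authenticator.so}"

# Print the active (uncommented) "auth" lines in FILE that load $MODULE,
# with whitespace normalized so the two files can be compared.
auth_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '^[[:space:]]*auth[[:space:]]' |
        grep -F "$MODULE" |
        sed 's/[[:space:]][[:space:]]*/ /g; s/^ //; s/ $//'
}

# check_webmin_2fa SSHD_PAM WEBMIN_PAM MINISERV_CONF
# 0 = consistent, 1 = Webmin PAM file lacks sshd's module line(s),
# 2 = pam_conv=1 not (unambiguously) set, 3 = sshd has no such line itself
check_webmin_2fa() {
    sshd_2fa=$(auth_lines "$1")
    [ -n "$sshd_2fa" ] || return 3
    [ "$sshd_2fa" = "$(auth_lines "$2")" ] || return 1
    conv=$(grep '^pam_conv=' "$3" | sort -u)
    [ "$conv" = "pam_conv=1" ] || return 2
    return 0
}

# Write constructed sample files into DIR: sshd already has the module,
# Webmin's PAM file and miniserv.conf are still unchanged.
make_samples() {
    printf '%s\n' '#%PAM-1.0' 'auth  required  pam_google_authenticator.so' \
        'auth  include  system-auth' > "$1/sshd"
    printf '%s\n' '#%PAM-1.0' 'auth required pam_unix.so nullok' \
        'account required pam_unix.so' > "$1/webmin"
    printf '%s\n' 'port=10000' 'ssl=1' > "$1/miniserv.conf"
}

dir=$(mktemp -d)
make_samples "$dir"
rc=0
check_webmin_2fa "$dir/sshd" "$dir/webmin" "$dir/miniserv.conf" || rc=$?
echo "before mirroring sshd's change into Webmin: rc=$rc"
rm -rf "$dir"
```

Run against copies of the real files first; a return code of 1 means SSH requires the second factor while the Webmin login does not.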



  • kiteplans
  • 05/04/10
  • Fri, 2012-04-06 09:11

Hey guys,

Thanks for all the help and advice - I spent the whole day on this and it now works beautifully on both SSH and Virtualmin - here is a guide I wrote...

http://kiteplans.info/2012/04/06/two-factor-ssh-virtualmin-authenticatio...

Let me know what you think - I have also added a link to the bottom to a patch that would enable you to turn this on for some users only.



  • andreychek
  • 01/05/09
  • Fri, 2012-04-06 10:50

That's a nice writeup, thanks for sharing!

I posted a link to your blog entry in our twitter account.

-Eric



  • kiteplans
  • 05/04/10
  • Fri, 2012-04-06 20:44

Eric,

Awesome! Thanks so much! That's more of a Diary than a blog but there is also a lot of other good Virtualmin related things!

Peace