2FA enabled, error with Incorrect OTP code

I’ve tried logging into a server via web that I haven’t been on in a while and after some CLI webmin updates. I’m getting denied access due to my Google Auth 2FA, which has previously worked, indicating it is the wrong code and throwing error:

Two-factor authentication failed : Incorrect OTP code

Investigating the /var/webmin/miniserv.error logs, I find two errors possibly related:

  • Use of uninitialized value $acl::in{"user"} in concatenation (.) or string at /usr/libexec/webmin/acl/twofactor_form.cgi line 42.
  • Use of uninitialized value in pattern match (m//) at /usr/libexec/webmin/acl/index.cgi line 283.

Any thoughts?

In case you wish to forego the diagnosis and regain access to Virtualmin:

  1. In the file /etc/webmin/miniserv.conf, there is a line: twofactor_provider=totp. Remove the entire line and save the file.
  2. In /etc/webmin/miniserv.users, there is this line: root:x:0:::::::0:0:totp:jhguggjhgjhgjhgj. Carefully remove totp and save the file. This assumes that the user you wish to log in as is root; if it is some other user, edit the line corresponding to that user.
  3. Restart Webmin with: service webmin restart

Log back in with your username and password. You will not be asked for the 2FA code this time. After you have logged in successfully, you could re-enable 2FA for this user in the usual manner if you wish to do so.
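Added example, not part of the original post and not Webmin's own tooling: steps 1 and 2 above as a shell function that takes the two file paths as arguments, writes timestamped backups first, and changes only the named user's line. The function name `disable_webmin_totp` and the sample file contents are constructed for illustration; it blanks only the `totp` field, as the post describes, and leaves the enrolled secret in place.

```shell
#!/bin/sh
# Added example, not Webmin tooling. Applies steps 1 and 2 above to the files
# given as arguments and keeps timestamped backups. Function name is made up.
# Usage: disable_webmin_totp CONF USERS USERNAME
disable_webmin_totp() {
    conf=$1 users=$2 user=$3
    [ -f "$conf" ] && [ -f "$users" ] || { echo "config file missing" >&2; return 1; }

    # Refuse to change anything unless this user's line has a "totp" field.
    if ! awk -F: -v u="$user" '
            $1 == u { for (i = 2; i <= NF; i++) if ($i == "totp") found = 1 }
            END { exit !found }' "$users"; then
        echo "no totp enrolment found for $user" >&2
        return 2
    fi

    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$conf" "$conf.bak.$stamp" && cp -p "$users" "$users.bak.$stamp" || return 1

    # Step 1: drop the twofactor_provider line from miniserv.conf.
    sed '/^twofactor_provider=/d' "$conf.bak.$stamp" > "$conf" || return 1

    # Step 2: blank only the "totp" field on this user's line. The secret that
    # follows it, all other fields and all other users are left untouched.
    awk -F: -v OFS=: -v u="$user" '
        $1 == u { for (i = 2; i <= NF; i++) if ($i == "totp") $i = "" }
        { print }' "$users.bak.$stamp" > "$users" || return 1

    echo "backups: $conf.bak.$stamp $users.bak.$stamp"
}

# Step 3 (service webmin restart) is left to the operator.

# Constructed demo on throwaway copies, not real server files.
demo=$(mktemp -d)
printf 'port=10000\ntwofactor_provider=totp\n' > "$demo/miniserv.conf"
printf 'root:x:0:::::::0:0:totp:CONSTRUCTEDSECRET\n' > "$demo/miniserv.users"
disable_webmin_totp "$demo/miniserv.conf" "$demo/miniserv.users" root
cat "$demo/miniserv.users"
rm -rf "$demo"
```

On a real server the arguments would be /etc/webmin/miniserv.conf and /etc/webmin/miniserv.users; the `.bak.*` copies let the change be reverted before 2FA is re-enabled.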

Thanks, was able to do that yesterday. Can’t for the life of me figure out what the next troubleshooting steps are as I’ve disabled and reenabled and the same error occurs…and oddly, it works correctly on one server, but not the other?!

You need to enable (just checked) the corresponding PERL module:

If you did that, make sure to enable it if it isn't. If you didn't, then install it.

Otherwise try another Authenticator.

Module is installed, functional, and up to date.

In that case it shouldn’t be the cause then.
Did you try another Authenticator?

We don’t have another auth option available to us. Additionally, the same configuration is rolled out on 3 servers - there is only one that seems to be operating incorrectly, adding greatly to the confusion.

EDIT - after validating my earlier statement, it seems the same error is now plaguing all servers so we have a consistent issue thankfully.

Uhm, I am not talking about the option inside virtualmin. There you should use the given option for “normal” 2FA apps.
I meant giving the Microsoft Authenticator a try, because I remember having similar issues with the Google one on different websites (in the past).

Thanks for the comments and help, appreciated.

The two options present for us are Google Authenticator and Authy. We use GA for literally dozens of other sites and not looking to move away from it. GA has worked for us in the past with Virtualmin/Webmin however something has clearly changed at this point.

Unsure how to proceed troubleshooting however it looks to us like a bug within VM given the original error, possibly related to ACL with 2FA usage, rather than a broken 2FA function specifically.

Hoping a dev can jump in soon with a thought on the topic.

I am not sure you fully understood what I tried to say.
Leave the option set to GA and try the MS Authenticator (on your mobile device). If it works, then it's either a bug in the app or a communication issue with GA and Virtualmin.
If the MS app doesn't work either, then it's something within your Virtualmin installation.
