2 factor is enabled and was working great. While adding an account for another server, I somehow managed to delete an account. Now I can’t login as the code is not correct. I cannot SSH as the firewall has the port closed. Any other suggestions? I can physically access the server, but it’s many hours away from where I am. Postfix is down and I need to reload and there are multiple virtuals having issues. Thanks for the fast response!
No SSH, No Tunnel, No physical proximity to a dedicated server…thats not a good plan, you always should leave yourself backdoor options. The way to protect those options is to have a home/office static ipaddress and whitelist it in the firewall!
By cutting off SSH, i think your goose is cooked.
Second thought for the future, with 2fa, always have it on 2 devices. relying on one is fraut with peril!
If you use google 2fa, have you tried the following (checkout “use backup options”)…https://support.google.com/accounts/answer/185834?hl=en
If you have a sudo ALL capable user account that doesn’t use 2FA you may be able to login with it (any sudo users with ALL capabilities can login to Webmin and they’ll be root, unless that’s been disabled or the specific user has been restricted).
Otherwise, it sounds like your system is pretty secure. Nobody can login at all.
2FA can be disabled from the command line, but if you can’t ssh, you don’t have that option.
If it’s colocated, most facilities have the ability to hook up a KVM for you (one that can be accessed over the internet). They’re mostly awful Java applets and a pain in the ass to get working, but, better than a several hour drive, probably.
Normally I’m 3 feet from the server thus the ability to keep it secure, I just happen to be on the road. I have an employee opening SSH for me. Any links to commands to disable? I haven’t had the need until now so never researched.
sed -i 's/totp//g' /etc/webmin/miniserv.users
sed -i '/twofactor_provider=totp/d' /etc/webmin/miniserv.conf
If that doesn’t, with the caveat that this is six years old, this SO post has a slightly more complicated guide on disabling TOTP for an account. https://stackoverflow.com/questions/22676508/how-to-disable-two-factor-authentication-in-webmin
Under more normal conditions, https://doxfer.webmin.com/Webmin/Enhanced_Authentication has some enrollment/removal info.
Incidentally, I recommend you switch to Authy and set a unique cloud backup password. Additional benefit is you can add the same account on multiple devices and it’ll sync all tokens. There’s only one or two other clients which can do this.
I dropped GAuth like a hot rock after my first device factory restore and realised my TOTPs weren’t backed up
Thanks Chris. Good info, but it didn’t take. On the road back to base with hopes I can figure out something. Good thing is I was able to SSH in and correct my offline issue. I’ll update with resolution once I find one.
Sorry it didn’t work. @Joe will definitely know the answer! Maybe it’s changed since those docs were written.
If your local staff has root, perhaps add another root privileged user for you?
I’m back and root. Any tips with out breaking this thing? I’d really appreciate all the help you can provide. I’m building a backup as we speak just in case.
Initial line fails of solution above.
#root@***# ed -i ‘s/totp//g’ /etc/webmin/miniserv.users
#ed: invalid option – i
#Try ‘ed --help’ for more information
#root@***# ed -l ‘s/totp//g’ /etc/webmin/miniserv.users
#ed: couldn’t open file ebmin/miniserv.users: No such file or directory
Not sure why the command dropped the W in webmin. What about a manual edit of the users file? I know it’s there.
Ok, I’m back in webmin. VI the users file to manually remove
totp strings and restore to standard login. I’ll disable and enable the two factor once all else is repaired, and get a 2nd phone dedicated for auth only. Thanks for all your posts!
You missed a character -
sed , not
ed's a text editor so you likely inadvertently asked
ed to open with a weird set of parameters and command switches (just tried it on another box of mine and got very confusing, similar results).
You can always just edit the file yourself with
vi etc, which you did in the end. Happy days! (and give Authy a spin!)
I have a backup account whose login is ACL-restricted to specific IP ranges. Or you can use SSH keys, I also do that.
I didn’t catch that Chris, just the missing W. I guess that’s what happens with all nighters on the road and trying to SSH at a rest area.
I’ve been there, I hear ya! Glad you got it sorted.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.