I have a current install of Virtualmin GPL 5.03 completely up to date with a Ubuntu 16.04 64bit install.
I noticed the two step authentication built into Webmin that let’s you ask for a verification key from the Google Authenticator or Authy. I choose the Google Authenticator since it was more convenient. It works great on the Virtualmin login page, but I would like to use this setup, these same codes over to SSH. I have seen ways to install the authenticator app separately, but I would like to have one control point if possible, since Webmin is already taking care of it with a module inside, can I use a PAM to add to the /etc/pam.d/sshd? My only problem is I don’t see one for the Google Authenticator.
I hope I was specific enough, I spent quite a few hours looking for this.
I do suggest a few updates to the Google Authenticator module in Webmin:
- on enrollment, require a key to be entered to verify that it was setup correctly to prevent lockout
- provide the backup codes that normally come with a native setup.
I really appreciate any help anyone can give on this, this will help out alot,
For SSH you dont need two factor authentication but rather remove password login and instead use keys. If you add strong passphrase (lets say 20 random characters) to the keys you are pretty safe. Even if the hacker somehow manage to get the keys he would still missing the passphrase to use the keys.
I really appreciate the input, but I would still like to know this, since this will be setup for not quite advanced users like so, but average users that I will be better able to get to use the google authenticator and their password than that.
even with keys, I would still insist on a OTP 2FA
again thank you so much
Then google up “ssh two factor authentication [your OS]” and you will find tons of guides. More or less all of them come down to install google-authenticator and setup SSH to use it.
Dont forget to check and if needed increase “LoginGraceTime” to give time to your client to recover the code and use it otherwise the server will disconnect him while waiting for the code.
Again thank you for your feedback, but
you missed what I was asking,
"I have seen ways to install the authenticator app separately, but I would like to have one control point if possible, since Webmin is already taking care of it with a module inside, "
I already know that I can install a separate install for it, and have it work that way, my question was, how to make SSH work with the two-factor authentication - Google Authenticator module built into Webmin.
Again I do appreciate your feedback
Thank you very much,