
Secure Webmin with Google Authenticator

This post will show you how to secure Webmin with Google Authenticator on Ubuntu 14.04 Server.

NTP Time Sync

First install NTP so the clock can be synchronised. The time needs to be accurate for Google Authenticator to work, because the codes are derived from the current time.

apt-get install ntp

Sync the clock against a pool before starting the service. The second line is an example of the output of the command.

ntpdate pool.ntp.org
16 Oct 14:13:01 ntpdate[9186]: adjust time server 87.253.152.191 offset -0.001604 sec

Start the NTP service. The service should have been added as a startup script.

service ntp start

Google Authenticator Install/Setup

Now we need to install the Google Authenticator application and generate the keys.

apt-get install libpam-google-authenticator

The package may pull in a few dependencies; just accept them.

Run the command below:

google-authenticator

Now you will need to answer some questions, shown below. I have shown my answers, but you may want to answer them differently.

Do you want authentication tokens to be time-based (y/n) y

Your new secret key is: ZQ2B3PSXGUZE6WTL
Your verification code is 85735403
Your emergency scratch codes are:
  579384932238
  5893742503
  35832429430
  404534033
  34353424

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

After answering the second question, a bar code is printed on-screen; scan it to add the device to the Google Authenticator app on your phone.
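To make the choices above concrete, here is an added Python model (not code from this post or from the google-authenticator project) of what the PAM module checks: a time-based code derived from the secret, a skew window of one step either side (the default 1:30min window), and rejection of a token that has already been used. It uses the example secret printed above; rate limiting is not modelled.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # token lifetime in seconds, the "30s" the questions refer to
DIGITS = 6    # google-authenticator prints 6-digit codes


def totp(key, counter):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Models the options chosen in the post: time-based tokens, a skew window
    of one step either side, and no reuse of the same token (each time step
    may succeed at most once)."""

    def __init__(self, secret_b32, window_steps=1):
        self.key = base64.b32decode(secret_b32.upper())
        self.window = window_steps       # 1 -> accepts 3 steps = a 1:30min window
        self.used_steps = set()          # replay-protection state

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step in self.used_steps:
                continue                 # "disallow multiple uses" of the same token
            if hmac.compare_digest(totp(self.key, step), code):
                self.used_steps.add(step)
                return True
        return False


if __name__ == "__main__":
    # Example secret from the output above; a fixed "now" keeps the demo reproducible.
    v = TotpVerifier("ZQ2B3PSXGUZE6WTL")
    t = 1_700_000_000
    code = totp(v.key, t // STEP)
    print(code, v.verify(code, now=t), v.verify(code, now=t))  # second use is rejected
```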

Integrate with Webmin

Edit the following file:

nano /etc/pam.d/webmin

Add this line into the file:

auth required pam_google_authenticator.so

The file should now look like this:

#%PAM-1.0
auth required pam_google_authenticator.so
@include common-auth
@include common-account
@include common-password
@include common-session

Enable full PAM conversation mode by editing the following file:

nano /etc/webmin/miniserv.conf

Add this line

pam_conv=1

Now restart the Webmin service.

service webmin restart

When you log in to Webmin you should be greeted with this:


This post is licensed under CC BY 4.0 by the author.
