This post will show you how to secure Webmin with Google Authenticator in Ubuntu 14.04 Server.
NTP Time Sync
First install NTP so the clock stays synchronised; the codes are time-based, so Google Authenticator only works if the server's time is accurate.
apt-get install ntp
Sync the clock against a pool server before starting the NTP service. The second line is an example of the command's output.
ntpdate pool.ntp.org
16 Oct 14:13:01 ntpdate[9186]: adjust time server 87.253.152.191 offset -0.001604 sec
Start the NTP service. The package should already have registered it as a startup script.
service ntp start
Google Authenticator Install/Setup
Now we need to install the Google Authenticator application and generate the keys.
apt-get install libpam-google-authenticator
The package may pull in a few dependencies; just accept them.
Run the command below:
google-authenticator
Now you will need to answer some questions, shown below. I have shown my answers, but you may want to answer them differently.
Do you want authentication tokens to be time-based (y/n) y

Your new secret key is: ZQ2B3PSXGUZE6WTL
Your verification code is 85735403
Your emergency scratch codes are:
  579384932238
  5893742503
  35832429430
  404534033
  34353424

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
After answering a second question, a bar code is printed on-screen; scan it to add the device to the Google Authenticator app on your phone.
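The three answers above (time-based codes, no token reuse, rate limiting) and the earlier point about accurate time all come down to how a TOTP verifier behaves. The following added example, which is not code from the post or from the google-authenticator project, implements RFC 6238 TOTP and a small server-side verifier with the same three controls, so you can see why a minute of clock skew fails the default 1:30 window but passes the wider one. The secret is the RFC 6238 test secret (so the codes can be checked against the published vectors), not the key printed above; the mapping of "about 4min" to 8 steps either side of the current one is an assumption.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret ("12345678901234567890" in base32), used here only so the
# results can be checked against the RFC's published vectors. It is NOT the key
# printed by google-authenticator in the post; never reuse a published secret.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP = 30    # google-authenticator's time step, in seconds
DIGITS = 6   # length of the code the phone app shows


def decode_secret(secret_b32):
    """Decode the base32 secret, tolerating missing '=' padding and lowercase."""
    padded = secret_b32.strip().upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def totp_for_counter(key, counter):
    """HOTP (RFC 4226) over a 64-bit big-endian counter; TOTP uses counter = t // STEP."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (DIGITS, truncated % (10 ** DIGITS))


def totp(secret_b32, unix_time):
    """The code a phone would display at the given Unix time."""
    return totp_for_counter(decode_secret(secret_b32), int(unix_time) // STEP)


class TotpVerifier:
    """Server-side check mirroring the three choices made in the post.

    window_steps=1 is the default 1:30 window (one step either side of now);
    window_steps=8 is the assumed equivalent of the 'about 4min' option.
    disallow_reuse rejects a counter at or before the last accepted one.
    Rate limiting allows at most max_attempts attempts in any rate_window seconds.
    """

    def __init__(self, secret_b32, window_steps=1, disallow_reuse=True,
                 max_attempts=3, rate_window=30):
        self.key = decode_secret(secret_b32)
        self.window_steps = window_steps
        self.disallow_reuse = disallow_reuse
        self.max_attempts = max_attempts
        self.rate_window = rate_window
        self.last_counter = -1
        self.attempts = []  # Unix times of recent attempts, good or bad

    def attempt(self, code, server_time):
        """Return True if the code is accepted at server_time, else False."""
        now = int(server_time)
        # Rate limit first: every attempt counts, whether or not it succeeds.
        self.attempts = [t for t in self.attempts if now - t < self.rate_window]
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(now)

        base = now // STEP
        for delta in range(-self.window_steps, self.window_steps + 1):
            counter = base + delta
            if counter < 0:
                continue
            if hmac.compare_digest(totp_for_counter(self.key, counter), code):
                if self.disallow_reuse and counter <= self.last_counter:
                    return False  # this token (or an older one) was already used
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    t = 1111111109  # one of the RFC 6238 vector times
    code = totp(EXAMPLE_SECRET, t)
    print("code at", t, "is", code)
    print("60 s of clock skew, default window:",
          TotpVerifier(EXAMPLE_SECRET).attempt(code, t + 60))
    print("60 s of clock skew, ~4 min window: ",
          TotpVerifier(EXAMPLE_SECRET, window_steps=8).attempt(code, t + 60))
```

Run it as-is to see the skew comparison; widening the window makes login tolerate a drifting clock at the cost of accepting more codes at any instant, which is why the post fixes the clock with NTP rather than widening the window.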
Integrate with Webmin
Edit the following file:
nano /etc/pam.d/webmin
Add this line into the file:
auth required pam_google_authenticator.so
The file should now look like this:
#%PAM-1.0
auth required pam_google_authenticator.so
@include common-auth
@include common-account
@include common-password
@include common-session
Enable full PAM conversation mode by editing the following file:
nano /etc/webmin/miniserv.conf
Add this line:
pam_conv=1
Now restart the Webmin service.
service webmin restart
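The two file edits above are easy to get wrong by hand (a duplicated auth line, a stale pam_conv=0 left in place). This added example, which is not part of the post or of Webmin, makes both edits idempotently on the file contents and then checks the result; the sample file contents are constructed to match the stock files shown above, and the script only touches the real /etc paths if you wire the reads and writes up yourself.

```python
import re

PAM_LINE = "auth required pam_google_authenticator.so"
PAM_FILE = "/etc/pam.d/webmin"              # paths from the post
MINISERV_FILE = "/etc/webmin/miniserv.conf"


def add_pam_module(pam_text):
    """Insert the Google Authenticator line once, directly after the #%PAM-1.0
    header and before @include common-auth, as in the post. Idempotent."""
    lines = pam_text.splitlines()
    for line in lines:
        if line.split() == PAM_LINE.split():
            return pam_text  # already present, leave the file alone
    insert_at = 1 if lines and lines[0].startswith("#%PAM") else 0
    lines.insert(insert_at, PAM_LINE)
    return "\n".join(lines) + "\n"


def set_pam_conv(miniserv_text):
    """Set pam_conv=1, replacing any existing pam_conv= setting. Idempotent."""
    lines = miniserv_text.splitlines()
    found = False
    for i, line in enumerate(lines):
        if re.match(r"^\s*pam_conv\s*=", line):
            lines[i] = "pam_conv=1"
            found = True
    if not found:
        lines.append("pam_conv=1")
    return "\n".join(lines) + "\n"


def check_webmin_2fa(pam_text, miniserv_text):
    """Return a list of problems; an empty list means both files match the post."""
    problems = []
    pam_lines = [l.split() for l in pam_text.splitlines()]
    if PAM_LINE.split() not in pam_lines:
        problems.append("%s: missing '%s'" % (PAM_FILE, PAM_LINE))
    else:
        idx = pam_lines.index(PAM_LINE.split())
        auth_idx = next((i for i, l in enumerate(pam_lines)
                         if l[:2] == ["@include", "common-auth"]), None)
        if auth_idx is not None and auth_idx < idx:
            problems.append("%s: module listed after common-auth (post puts it first)"
                            % PAM_FILE)
    conv = [l for l in miniserv_text.splitlines() if re.match(r"^\s*pam_conv\s*=", l)]
    if not conv:
        problems.append("%s: pam_conv not set" % MINISERV_FILE)
    else:
        value = conv[-1].split("=", 1)[1].strip()
        if value != "1":
            problems.append("%s: pam_conv is %r, expected 1" % (MINISERV_FILE, value))
    return problems


# Constructed sample contents reflecting the stock files before the change.
SAMPLE_PAM = ("#%PAM-1.0\n@include common-auth\n@include common-account\n"
              "@include common-password\n@include common-session\n")
SAMPLE_MINISERV = "port=10000\nroot=/usr/share/webmin\nssl=1\n"

if __name__ == "__main__":
    new_pam = add_pam_module(SAMPLE_PAM)
    new_conf = set_pam_conv(SAMPLE_MINISERV)
    print(new_pam)
    print(new_conf)
    print("before:", check_webmin_2fa(SAMPLE_PAM, SAMPLE_MINISERV))
    print("after: ", check_webmin_2fa(new_pam, new_conf))
```

Running check_webmin_2fa against the real files after the restart is a quick way to confirm the change took, and the functions work on text so you can try them on copies before writing anything under /etc.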
When you log in to Webmin you should be greeted with this:
References
How to Secure SSH with Google Authenticator’s Two-Factor Authentication | How To Geek
How To: CentOS Two-factor SSH and Virtualmin Authentication via Google-Authenticator | Kiteplans.info