2fa_linux

Differences

This shows you the differences between two versions of the page.

2fa_linux [2019/05/02 18:37] admin2fa_linux [2024/10/29 22:58] (current) admin
Line 17: Line 17:
 The next step is to configure SSH to be able to login remotely. If you don’t configure this you won’t be able to ssh to your server anymore.  The next step is to configure SSH to be able to login remotely. If you don’t configure this you won’t be able to ssh to your server anymore. 
  
-Enable the PAM module by editing ''sudo nano /etc/pam.d/sshd'' and make sure that ''@include common-auth''  +Enable the PAM module by editing ''nano /etc/pam.d/sshd'' and make sure that ''@include common-auth''  
-is at the end of the file and commented out. The comment usually will be at the top of the file. If you have to login twice you have the argument two times! +is at the end of the file. The comment usually will be at the top of the file. If you have to login twice you have the argument two times! 
-'' and set the follwoing lines ''ChallengeResponseAuthentication yes'' and ''UsePAM yes''.+ 
 +Set the follwoing lines ''ChallengeResponseAuthentication yes'' and ''UsePAM yes'' in /etc/ssh/sshd_config.
  
 Do a ''systemctl restart sshd'' or ''service sshd restart'' Do a ''systemctl restart sshd'' or ''service sshd restart''
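
Review bot: In the rewritten PAM sentence, "and commented out" was dropped but the next sentence, "The comment usually will be at the top of the file", was kept, so it now refers to a comment the text no longer mentions. State explicitly whether ''@include common-auth'' must be active at the end of ''/etc/pam.d/sshd'' and reword or remove the leftover sentence. The new sshd_config line keeps the typo "follwoing", and it names only ''ChallengeResponseAuthentication'' while the SSH-only section added later in this revision also lists ''KbdInteractiveAuthentication'' for newer Debian versions; the two places should agree. Because the context line above warns that a wrong setup locks you out of ssh, the restart step would benefit from a hint to keep an existing session open until a fresh login has been tested.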
Line 29: Line 30:
 You now have to configure 2FA for every user who needs access to the system. Start configuring your own user and then all other users by doing the following: You now have to configure 2FA for every user who needs access to the system. Start configuring your own user and then all other users by doing the following:
  
-  * Type in the command ''google-authenticator'' +Type in the command ''google-authenticator'' 
-  Type ''Y'' for the fist question+Type ''Y'' for the fist question
  
 Write down the settings which will be presented (make sure you store them in a save place). These are the rescue settings if you don't get in anymore. Parallel to that open the Google Authenticator on you phone and enter the new settings directly into your Authenticator Settings on your phone. Give it a name (it doesn't have to be an e-mail address) and enter the code you have written down. Write down the settings which will be presented (make sure you store them in a save place). These are the rescue settings if you don't get in anymore. Parallel to that open the Google Authenticator on you phone and enter the new settings directly into your Authenticator Settings on your phone. Give it a name (it doesn't have to be an e-mail address) and enter the code you have written down.
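
Review bot: The two added lines lose their list markup, so in the wiki they will run together into one paragraph instead of showing as separate steps; keep the "  * " prefix on both lines. "fist" should be "first" while the line is being touched, and the unchanged paragraph below has "save place" for "safe place" and "you phone" for "your phone".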
Line 43: Line 44:
 **NOTE:** It is possible to have multiple servers using the same code generated by your phone without adding multiple accounts. Simply replace the content of the file ''/root/.google_authenticator'' or ''/home/your_user/.google_authenticator'' after you have installed and configured the authenticator of the new server.  **NOTE:** It is possible to have multiple servers using the same code generated by your phone without adding multiple accounts. Simply replace the content of the file ''/root/.google_authenticator'' or ''/home/your_user/.google_authenticator'' after you have installed and configured the authenticator of the new server. 
  
 +**To use the Google 2 Factor Authenticator also in your Webmin do the following:**
 +
 +''nano /etc/webmin/miniserv.conf'' and add the line at the end of the file ''pam_conv=1''
 +
 +Then do:
 +
 +   nano /etc/pam.d/webmin
 +   auth required pam_google_authenticator.so
 +
 +Restart the Webmin Service with:
 +
 +   service webmin restart or systemctl restart webmin
 +
 +Shoud you have any login problems in Webmin, reset your password with:
 +
 +   cd /usr/share/webmin
 +   ./changepass.pl /etc/webmin/ username password
 +   systemctl restart webmin
 +
 +If you like to disable 2FA, just comment out ''auth required pam_google_authenticator.so nullok'' 
 +in ''/etc/pam.d/common-auth.''
 +
 +
 +**USE THIS IF YOU JUST WANT TO HAVE SSH 2FA AUTHENTICATION** 
 +
 +*If you just want to enable 2FA for ssh not interfering with other applications do the following:*
 +
 +   apt install libpam-google-authenticator -y
 +
 +   google-authenticator
 +
 +   answer with Yes - Yes - Yes - No - Yes
 +
 +If you want to use a common code for all your machines alter it:
 +
 +   nano /root/.google_authenticator
 +
 +and replace the code according to your other servers at the top of the file
 +
 +   nano /etc/pam.d/sshd
 +   @include common-auth
 +   auth required pam_unix.so no_warn try_first_pass
 +   auth required pam_google_authenticator.so
 +
 +   nano /etc/ssh/sshd_config
 +   ChallengeResponseAuthentication yes
 +   PasswordAuthentication yes
 +   AuthenticationMethods keyboard-interactive (for older Debian versions)
 +   KbdInteractiveAuthentication yes (for newer Dbian versions)
 +   UsePAM yes
 +
 +   service ssh restart
 +
 +Thas all. 
  
 Enjoy,\\ Enjoy,\\
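
Review bot: In the SSH-only block, ''/etc/pam.d/sshd'' lists ''@include common-auth'' together with ''auth required pam_google_authenticator.so'', while the disable instruction in this same hunk says the module line lives in ''/etc/pam.d/common-auth''. On a host where both apply, the code is requested twice, which is the symptom the first section warns about, and pulling in common-auth also contradicts the stated goal of not interfering with other applications. Pick one location for the module line and say so, and explain why ''pam_unix.so'' is listed in addition to the include. In the sshd_config block the notes "(for older Debian versions)" and "(for newer Dbian versions)" sit inside the indented code and will be pasted into the file as part of the directive; move them into prose, fix "Dbian", and check which directive each note belongs to, since ''ChallengeResponseAuthentication'' is the older name for ''KbdInteractiveAuthentication''. The Webmin line omits ''nullok'' while the disable line includes it, so state which is intended. ''./changepass.pl /etc/webmin/ username password'' puts the new password on the command line, where it ends up in shell history; mention that. Typos: "Shoud", "Thas all".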
Line 50: Line 105:
 \\ \\
 **[[linux|BACK]]** **[[linux|BACK]]**
- 
2fa_linux.1556815025.txt.gz · Last modified: 2019/05/02 18:37 by admin