Questions About Two-Factor Authentication
@cPanelLauren,
I agree that setting the shell to noshell is important and will do that.
Should I create a new thread for this question?
I want some information on two-factor authentication. Using the Microsoft services, whenever we log in, we have to grab a code off our cells using the Microsoft Authenticator app, which changes every 30 seconds. From a simple test, I was able to determine that cPanel / WHM supports this. But to what degree?
With the Microsoft stuff, if we don't have access to the cell phones, we can receive a verification phone call at the number we set up during our account creation (which we can change after we've successfully logged in) or receive a text message with a code. The phone call just has us press # to prove it's us. The text message provides a code.
Also, is there any way to set up the same two-factor authentication for SSH access, where if we do not enter the correct code, it refuses us access to the system? I was thinking perhaps I could modify a login script in the various users' directories and have it point to the script / binary file that cPanel uses for the two-factor authentication... would this be possible? I guess this should be under a new topic, but I'm not sure where to put it. Maybe under Security?
-
Thank you for moving this, whoever moved it! I didn't realize two-factor authentication had its own sub-forum now. That's nice.
-
Is there any way to call the API directly that deals with the two-factor authentication? For example, I might be able to write a small wrapper that I can set as the login script, and if two-factor authentication fails, they'd get disconnected. I'd have to maybe take precautions to make sure no one could break out of the wrapper to bypass the security.
-
Could you provide a specific example of how such a script would work? Thank you.
-
Yes sir. Once (you might remember), I managed my own SSL certs from Let's Encrypt, before cPanel / WHM had automated support for this. I did this by creating a Perl script that in the earliest revision had root's password and would call the WHM APIs to check if the certs were expiring, and if so, run the Let's Encrypt certbot program, then, using the WHM APIs, install them. Later revisions used access hashes, and I think finally some sort of token (but I had just toyed around with the token idea and never really got it working, if I remember correctly). I was hoping you guys implemented two-way authentication in a similar way to how you implemented the various SSL WHM APIs I could call.

We use the Microsoft Authenticator app and, as a test run, the WHM two-factor authentication is compatible with the app. Somehow, WHM / cPanel (I only tried it for logging into WHM, so I don't know what exactly is covered by your guys' implementation) must communicate with some sort of API that the Microsoft Authenticator communicates with. I haven't had time to research if the two-factor authentication is a Microsoft thing or not. I know with CSF, if someone accidentally gets blocked, my system is configured to call the Google "prove you're not a robot" picture thing, and if they pick the correct images, they can unblock themselves, at least for the first few times. In that case, it's the Google reCAPTCHA v2 API that ConfigServer Firewall is using.

If it's not a trade secret or confidential information, I'd like to know how cPanel implements the two-factor authentication. Then I have two choices, I think, depending on how it's actually implemented. They both depend on me being able to call some function and read what the correct code is every 30 seconds. The first implementation would be a bit nicer, and I'd probably talk to the people developing OpenSSH to see if they wanted to implement the code, but it'd call the two-factor authentication function and retrieve the code from some place.

With the Google reCAPTCHA API, I had to register with Google to obtain a key to use the API. I'd imagine it's probably similar with the two-factor code, because I need to distinguish my server from everyone else's. I would obtain the code, and before executing the user's shell, just have them enter the code and see if it's correct.

The second option would be cPanel / WHM specific, where instead of registering the server to gain access to the official API or whatever it is (again, I haven't had time to properly research this), I'd just be calling the cPanel / WHM API that grabs the code from the official place (Microsoft or wherever these codes come from), then I'd do something similar. Maybe write a simple login script that calls the cPanel API and stores the correct code in some variable, have the user enter the code while spawning a thread to keep track of the seconds, and every 30 seconds call the API again, unless of course they enter the correct code; then simply check what the user's shell is normally set to, and execute it. I dunno, the second one might be hard to maintain, though, only because I'd have to keep some database of their original shells and then replace them with my two-factor authentication shell. Maybe I could just add a line to one of the login scripts, system-wide or something.

For the first option, I dunno if it'd even be possible, because the user has to scan a QR code, right? It might not be too hard, depending on the format of the QR code (png, jpg, svg, etc.). I could easily write a function that downloads and simply displays the QR code so they can scan it. I dunno. Maybe I'd have to write it for cPanel users only, and they'd have to have already paired their apps with their servers, like we do now when we enable two-factor authentication. I haven't really gotten that far; there are too many variables right now. First, I just need to know how the two-factor authentication works, from a technical standpoint.

Are there API calls available, is there an executable file, how does cPanel obtain the actual bar code, etc.? After that, I could draw up a flow-chart or write some pseudo code and go from there.
-
@cPanelMichael, Turns out it's already been implemented. Here's an article that explains how to set it up using the Google Open Authenticator PAM module, which will be compatible with all the apps: How To Set Up Multi-Factor Authentication for SSH on Ubuntu 16.04 | DigitalOcean. Although the link is for Ubuntu, it looks pretty simple, a lot more secure than how I was going to implement it (using the PAM module), and easily doable. Once I finish drawing this diagram to get a permit to run the AC lines for my data center, depending on what else is on my todo list, I might give it a shot on my CentOS 7 server running cPanel / WHM and report back. I just wish that FIDO U2F was supported with hardware-based USB devices or NFC. I discovered 2FA could be insecure if people are using the SMS protocol to receive the codes. With the article, it'd be best to enable the configuration like they have, to prevent relay attacks, which seem to be becoming more and more common nowadays.
-
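Editor's note on the technical question raised in the two posts above (how the code that changes every 30 seconds is produced, whether there is an API to fetch the "correct code" from Microsoft or cPanel, and what the QR code contains). The Authenticator apps and the Google Authenticator PAM module implement TOTP (RFC 6238 on top of RFC 4226 HOTP): at enrolment the server generates a random secret and shows it once as a QR code, which is nothing more than an otpauth:// URI carrying that secret in base32; afterwards both the phone and the server derive each code locally from the secret and the current Unix time, so there is no external service to call and no per-server registration key. The Python below is an added example written for this page, not code from the thread, from cPanel, or from the PAM module; the account name "user@host" and issuer "WHM" are hypothetical, and the secret used in the demo is the RFC 6238 test-vector secret. It also shows the two checks a server-side verifier needs that a plain "compare the code" wrapper would miss: tolerating one step of clock skew, and refusing a code that has already been accepted.

```python
"""TOTP as the Authenticator apps and the Google Authenticator PAM module use it
(RFC 6238 over RFC 4226 HOTP, HMAC-SHA1, 30-second step, 6 digits).
Added example for this thread; not cPanel's or the PAM module's own code."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30    # seconds per code; this is why the app's code changes every 30 s
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with counter = Unix time // step. No network, no API call."""
    return hotp(secret, at // step)


def new_secret() -> bytes:
    """Enrolment: 160-bit random secret, generated on the server and sent nowhere
    except, once, to the phone via the QR code."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """What the QR code encodes: an otpauth:// URI with the base32 secret. The image
    format (png/svg) is irrelevant; any QR encoder fed this string gives a scannable code.
    account/issuer values are whatever the server chooses (hypothetical here)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={STEP}")


class Verifier:
    """Server-side check. `window` = steps of clock skew tolerated either way.
    `last_counter` refuses a code that was already accepted, so a code captured
    during its validity window cannot be used a second time."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, at: int) -> bool:
        if not (code.isascii() and code.isdigit()):
            return False
        counter = at // STEP
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # already consumed (or older than a consumed one): reject
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Demo with the RFC 6238 test-vector secret; a real secret comes from new_secret().
    demo_secret = b"12345678901234567890"
    print("enrol by scanning:", provisioning_uri(demo_secret, "user@host", "WHM"))
    now = int(time.time())
    code = totp(demo_secret, now)
    print("code right now:", code, "valid for", STEP - now % STEP, "more seconds")
    v = Verifier(demo_secret)
    print("first use accepted:", v.verify(code, now), "| reuse accepted:", v.verify(code, now))
```

Running the file prints the enrolment URI and the current code for the test secret, then shows the same code being accepted once and refused on reuse. The practical consequence for the question in the thread: a login wrapper would not "fetch the correct code" from anywhere; it would hold the user's secret (which is exactly what the PAM module does with a per-user file) and compute it, which is why putting that secret handling in PAM, where it runs before any shell is spawned, is the safer place than a replaceable login shell.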
Hello @Spork Schivago, Thank you for the update. I'm glad to see you found a suitable solution. I'm not sure if you've already seen it, but we do provide some examples of API authentication with two-factor authentication at: Guide to API Authentication - Two-Factor Authentication - Developer Documentation - cPanel Documentation. Thank you.