Skip to main content

2FA Login in Different Browsers

Comments

17 comments

  • Infopro
    [QUOTE="Ryan @WebEminence, post: 2407859, member: 690911">then go to Firefox/IE/Opera (tried all three) and try to login with the same login and 2FA
    The same code won't work. Each time you're asked for authentication, you need to generate a new code.
    0
  • Ryan @WebEminence
    Yes, I know how 2FA works. Otherwise, I'd be having trouble logging in at all. I am using Google Authenticator which generates a new code every 30 seconds. What I should have said is - I'm using the same 2FA "account", not the same 6 digit code in another browser.
    0
  • Infopro
    Sorry, my mistake. I don't use GA so am no help here I don't think. [QUOTE="Ryan @WebEminence, post: 2407859, member: 690911">I get past the login screen but it says the security code is invalid.
    Are you visiting WebHost Manager via a bookmark? If yes, you might check that the saved bookmark doesn't have the session ID in the URL.
    0
  • Ryan @WebEminence
    I don't think GA is the issue here. It's not doing much besides spitting out the code that is working fine in one browser. Yeah, I'm aware of the session IDs. Not visiting via a bookmark. Just going to domain.com:2087
    0
  • Infopro
    Server time set properly?
    0
  • Ryan @WebEminence
    Hadn't thought of that. My server time has actually been set to Eastern time zone which is where it is physically placed. But it's not my time zone. It hasn't caused any other problems that I know of thus far. However, the time shows 15:27 right now at 10:27 Eastern time. I click Sync Time with Time Server but it doesn't change. How do I update server time? Not sure if that would cause me to be able to login to Chrome browser but not other browsers.
    0
  • Ryan @WebEminence
    I logged into SSH and used the date command to check time and it now says the correct time for Eastern time zone. Tried to login again via another browser and it didn't work. WHM still says the wrong server time, but it may just need a restart or something. So it doesn't seem that server time is the issue right?
    0
  • Ryan @WebEminence
    Just to be clear, syncing the server time did not fix my problem. I still cannot login with 2FA to cpanel/WHM in any browser but Chrome. I've tried Firefox/Opera/IE.
    0
  • cPanelMichael
    Hello, Do you notice any specific output to /usr/local/cpanel/logs/login_log or /usr/local/cpanel/logs/error_log when encountering this issue? Thank you.
    0
  • Infopro
    [QUOTE="Ryan @WebEminence, post: 2407927, member: 690911">WHM still says the wrong server time, but it may just need a restart or something.
    WebHost Manager "Server Configuration "Server Time I agree with you though, if it works for one browser fine, it should work for the other.
    0
  • Ryan @WebEminence
    Do you notice any specific output to /usr/local/cpanel/logs/login_log or /usr/local/cpanel/logs/error_log when encountering this issue? Thank you.

    login_log shows this for a failed login HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing The time stamp on this line is the wrong time that's currently displayed in WHM as described above
    0
  • Ryan @WebEminence
    I fixed the server time by clicking change time zone again even though it was already set to Eastern. Now it's showing the correct time. I closed all browsers, cleared cookies, and still I can login to cPanel/WHM fine with Chrome but with any other browser it does not accept the security code.
    0
  • Infopro
    [QUOTE="Ryan @WebEminence, post: 2408115, member: 690911">security token missing
    That message is related to the cPanel session I believe. If you haven't yet, clear your browser cache and check again. If it was not accepting your code the message is this one, I think:
    0
  • Ryan @WebEminence
    I think I figured something out. I have 2FA accounts created for a reseller account and root. I typically use the reseller login for cpanel and WHM, but realized in chrome after logging in as the reseller, it then asks for the security code for "root". And in other browsers, it has been asking for the security code for the reseller. So I was able to login using the other code. I had codes in my authenticator app labeled as WHM and cpanel because that seems to be how they have been working, but it appears the are assigned to root and reseller, not cpanel and WHM. And it seems if I login once with root on chrome, it then always wants the root security code even if I login next time as the reseller. Does that make any sense? Maybe I can turn off 2FA for the root and only use it for reseller. I can then find another way to harden the login for root. Is there a different way? Any ideas?
    0
  • Infopro
    Where it says "Issuer" in the Two Factor setup page in WebHost Manager, I add the hostname. I don't use GA though, I use Duo Mobile. On my accounts list in Duo list it's ed as Host:root and Host:resellerusername [QUOTE="Ryan @WebEminence, post: 2408231, member: 690911">but it appears the are assigned to root and reseller, not cpanel and WHM.
    Correct. Reseller with WHM access uses the same TFA code for his cPanel as well. [QUOTE="Ryan @WebEminence, post: 2408231, member: 690911">And it seems if I login once with root on chrome, it then always wants the root security code even if I login next time as the reseller. Does that make any sense?
    No. :) Sounds like Chrome is auto filling login to me. I would suggest figuring this out and leaving, resetting TFA for use with each account, root and Reseller. Always be sure to logout as well. [QUOTE="Ryan @WebEminence, post: 2408231, member: 690911">I can then find another way to harden the login for root. Is there a different way?
    There's always this: Host Access Control - Documentation - cPanel Documentation
    0
  • Ryan @WebEminence
    Thanks. I got this working but I'm not entirely sure what did it. I deleted all 2FA setups and redid them making sure I was in the correct accounts. There was something going on with root/reseller login for WHM because I would login with reseller, use the root 2FA code after it asked for root code, then end up in the reseller WHM backend. Weird. I think having the correct server time may have helped because the old codes were created with the server time wrong. I also put the root 2FA in another app to keep it separate from the reseller 2FA and because I don't use it often. If I ever have to login to root, I'll do it in another browser (not chrome) since that seemed to mess with my reseller login somehow. Hope this mess helps someone else :)
    0
  • Infopro
    Thanks for posting back with your findings. :)
    0

Please sign in to leave a comment.