How to Configure Two-Factor Authentication in Virtualmin: Complete Step-by-Step Guide

Configuring two-factor authentication in Virtualmin is essential for improving your server's security. In this complete step-by-step guide, you will learn how to activate and configure this additional security measure, ensuring more robust protection against unauthorized access. Keep reading to discover how to do it simply and effectively.

Table of Contents
how-to-configure-two-factor-authentication-in-virtualmin-complete-step-by-step-guide-3-6097408

How to Set Up Two-Factor Authentication in Virtualmin

Security is a critical aspect of server administration, and two-factor authentication (2FA) is an essential tool for protecting your systems and data. Virtualmin, a powerful web-based server administration platform, allows for the implementation of 2FA to ensure that only authorized users can access your server. In this article, we will guide you step-by-step through the process of setting up two-factor authentication in Virtualmin.

Selecting the Authentication Method

Before starting the configuration, it is important to decide which two-factor authentication method you will use. The most common methods include:

  1. Authenticator Apps: Apps like Google Authenticator, Authy, or Microsoft Authenticator generate temporary codes that you must enter along with your password.
  2. SMS Authentication: A code is sent via text message to your mobile phone. This method is less secure due to vulnerabilities in telecommunication networks.
  3. Security Keys: Hardware devices that generate unique codes. Examples include YubiKey and Titan Security Key.

For this tutorial, we will use an authentication app like Google Authenticator, due to its ease of use and high security.

Step-by-Step Configuration

1. Installing Google Authenticator on Your Server

First, you need to install Google Authenticator on your server. This is a simple process if your server uses a Debian or Red Hat-based distribution.

For Debian/Ubuntu:

sudo apt-get update
sudo apt-get install libpam-google-authenticator

For Red Hat/CentOS/Fedora:

sudo yum install epel-release
sudo yum install google-authenticator

2. Configuring Google Authenticator

After installing the Google Authenticator package, run the following command to configure it for your user:

google-authenticator

The command will guide you through a setup wizard. Here are some key points:

  • Scanning the QR Code: The tool will generate a QR code that you must scan with your authentication app.
  • Advanced Configuration: You will be asked to decide whether you want time-based tokens, limit usage frequency, and allow “scratch codes” for recovery in case you lose your device.

3. Configuring PAM (Pluggable Authentication Modules)

For Virtualmin to use Google Authenticator, you need to configure PAM. Edit the file /etc/pam.d/sshd to include the line:

auth required pam_google_authenticator.so

This ensures that the Google Authenticator module is used for SSH authentication.

4. SSH Configuration

Edit the SSH configuration file at /etc/ssh/sshd_config and ensure the following lines are configured correctly:

ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes

Then restart the SSH service to apply the changes:

sudo systemctl restart sshd

5. Configuration in Virtualmin

Finally, access your Virtualmin panel. Go to the “System Settings” section and then to “Two-Factor Authentication”. Enable two-factor authentication and follow the instructions to integrate Google Authenticator.

Verification and Testing

Once configured, it is crucial that you verify that two-factor authentication is working correctly. Here are some steps to perform effective tests:

  1. Initial User Test: Log out of your current session and log back in to verify that you are prompted for an authentication code.
  2. Recovery Test: Try accessing using one of the “scratch codes” generated during the Google Authenticator setup.
  3. Multi-User Test: If your server has multiple users, ensure that each of them follows the same 2FA setup process.

Common Troubleshooting

Even with meticulous configuration, issues can arise. Here we address some of the most common problems and how to solve them.

Problem 1: Authentication Code Not Requested

If the authentication code is not requested after configuration, check the following:

  • PAM Configuration: Make sure the file /etc/pam.d/sshd contains the line auth required pam_google_authenticator.so.
  • SSH Configuration: Check that the file /etc/ssh/sshd_config has the option enabled ChallengeResponseAuthentication yes.

Problem 2: Time Desynchronization

Google Authenticator and other time-based methods depend on the server clock and the device clock being synchronized. If codes are not accepted, check and synchronize your server's time:

sudo timedatectl set-ntp true

Problem 3: Loss of Authentication Device

If you have lost your authentication device, you can use the “scratch codes” generated during the initial setup to gain temporary access. If you do not have the codes, you will need physical access to the server to temporarily disable 2FA.

In Virtualmin, you can disable two-factor authentication from the web interface, if you have administrator access.

Conclusion

Implementing two-factor authentication in Virtualmin is a significant step toward improving your server's security. This process not only adds an extra layer of protection against unauthorized access but also provides you with peace of mind knowing that your infrastructure is more secure.

Be sure to follow each step in detail and perform thorough testing to confirm that the configuration works as expected. Remember that security is an ongoing process and two-factor authentication is just one piece of the puzzle. Continue updating and monitoring your system to protect it against new threats.

We hope this guide has been helpful to you. Good luck on your cybersecurity journey!