Sep 10, 2015
16
0
1
Chicago
cPanel Access Level
Root Administrator
I'm trying to allow an assistant to login to WHM and cPanel via 2FA. I understand I need to share the same QR code for authorization and I've figured that out and have the authorization codes matching on different devices.

My problem is I cannot login on different browsers. I'm not even trying to login at the same time. But I will login to WHM on Chrome, logout of Chrome, then go to Firefox/IE/Opera (tried all three) and try to login with the same login and 2FA. I get past the login screen but it says the security code is invalid.

I thought this had to do with security tokens or caching. I found a post about /var/cpanel/sessions and deleted all the session files there under cache, preauth, and raw folders.

Why can I not login with any browser other than Chrome via 2FA?

I just tested it with 2FA off and I was able to login with another browser. So it's only when 2FA is on that I can only login to Chrome.

Not sure if it matters but I'm trying to login as root and a reseller. Both have the same result.
 
Sep 10, 2015
Chicago
cPanel Access Level
Root Administrator
Yes, I know how 2FA works. Otherwise, I'd be having trouble logging in at all. I am using Google Authenticator which generates a new code every 30 seconds. What I should have said is - I'm using the same 2FA "account", not the same 6 digit code in another browser.
 
Sep 10, 2015
Chicago
cPanel Access Level
Root Administrator
I don't think GA is the issue here. It's not doing much besides spitting out the code that is working fine in one browser.

Yeah, I'm aware of the session IDs. Not visiting via a bookmark. Just going to domain.com:2087
 
Sep 10, 2015
Chicago
cPanel Access Level
Root Administrator
Hadn't thought of that. My server time has actually been set to Eastern time zone which is where it is physically placed. But it's not my time zone. It hasn't caused any other problems that I know of thus far.

However, the time shows 15:27 right now at 10:27 Eastern time. I click Sync Time with Time Server but it doesn't change. How do I update server time?

Not sure if that would cause me to be able to login to Chrome browser but not other browsers.
 
Sep 10, 2015
Chicago
cPanel Access Level
Root Administrator
I logged into SSH and used the date command to check time and it now says the correct time for Eastern time zone. Tried to login again via another browser and it didn't work.

WHM still says the wrong server time, but it may just need a restart or something.

So it doesn't seem that server time is the issue, right?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Do you notice any specific output to /usr/local/cpanel/logs/login_log or /usr/local/cpanel/logs/error_log when encountering this issue?

Thank you.
 
Sep 10, 2015
Chicago
cPanel Access Level
Root Administrator
I fixed the server time by clicking change time zone again even though it was already set to Eastern. Now it's showing the correct time.

I closed all browsers, cleared cookies, and still I can login to cPanel/WHM fine with Chrome but with any other browser it does not accept the security code.
 
Sep 10, 2015
Chicago
cPanel Access Level
Root Administrator
I think I figured something out. I have 2FA accounts created for a reseller account and root. I typically use the reseller login for cpanel and WHM, but realized in chrome after logging in as the reseller, it then asks for the security code for "root".

And in other browsers, it has been asking for the security code for the reseller. So I was able to login using the other code. I had codes in my authenticator app labeled as WHM and cpanel because that seems to be how they have been working, but it appears they are assigned to root and reseller, not cpanel and WHM.

And it seems if I login once with root on chrome, it then always wants the root security code even if I login next time as the reseller. Does that make any sense?

Maybe I can turn off 2FA for the root and only use it for reseller. I can then find another way to harden the login for root. Is there a different way?

Any ideas?
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
Where it says "Issuer" in the Two Factor setup page in WebHost Manager, I add the hostname. I don't use GA though, I use Duo Mobile. On my accounts list in Duo it's displayed as Host:root and Host:resellerusername.

> but it appears they are assigned to root and reseller, not cpanel and WHM.

Correct. Reseller with WHM access uses the same TFA code for his cPanel as well.

> And it seems if I login once with root on chrome, it then always wants the root security code even if I login next time as the reseller. Does that make any sense?

No. :)
Sounds like Chrome is auto filling login to me.

I would suggest figuring this out and leaving, resetting TFA for use with each account, root and Reseller. Always be sure to logout as well.

> I can then find another way to harden the login for root. Is there a different way?

There's always this:
Host Access Control - Documentation - cPanel Documentation
 
Sep 10, 2015
Chicago
cPanel Access Level
Root Administrator
Thanks. I got this working but I'm not entirely sure what did it. I deleted all 2FA setups and redid them making sure I was in the correct accounts. There was something going on with root/reseller login for WHM because I would login with reseller, use the root 2FA code after it asked for root code, then end up in the reseller WHM backend. Weird.

I think having the correct server time may have helped because the old codes were created with the server time wrong.

I also put the root 2FA in another app to keep it separate from the reseller 2FA and because I don't use it often.

If I ever have to login to root, I'll do it in another browser (not chrome) since that seemed to mess with my reseller login somehow.

Hope this mess helps someone else :)
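
An added illustration of the two causes raised in this thread, not part of any post and not cPanel's code: a standard RFC 6238 TOTP check showing that a code is only valid against the secret of the account being prompted (root vs. reseller), and that a large server clock error rejects an otherwise correct code. The secrets, the timestamp and the one-step tolerance window are constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, as Google Authenticator uses

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=1):
    """Server-side check: accept codes within +/- `window` steps of server time.
    The window size is an assumption, not cPanel's documented tolerance."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + i * STEP), code)
        for i in range(-window, window + 1)
    )

# Constructed secrets: one per account, since 2FA is enrolled per user.
SECRETS = {
    "root": "JBSWY3DPEHPK3PXP",
    "reseller": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}

def demo(now=1441895220):  # constructed timestamp
    """Return which prompt/clock combinations accept the reseller's code."""
    code = totp(SECRETS["reseller"], now)  # what the phone shows
    return {
        "reseller prompt, clocks agree": verify(SECRETS["reseller"], code, now),
        "root prompt, clocks agree": verify(SECRETS["root"], code, now),
        "reseller prompt, server 20 s ahead": verify(SECRETS["reseller"], code, now + 20),
        "reseller prompt, server 5 h ahead": verify(SECRETS["reseller"], code, now + 5 * 3600),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'invalid security code'}")
```
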