Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

SOLVED 2FA Login in Different Browsers

Discussion in 'Security' started by Ryan @WebEminence, Mar 8, 2017.

  1. Ryan @WebEminence

    Joined:
    Sep 10, 2015
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Chicago
    cPanel Access Level:
    Root Administrator
    I'm trying to allow an assistant to login to WHM and cPanel via 2FA. I understand I need to share the same QR code for authorization and I've figured that out and have the authorization codes matching on different devices.

    My problem is I cannot login on different browsers. I'm not even trying to login at the same time. But I will login to WHM on Chrome, logout of Chrome, then go to Firefox/IE/Opera (tried all three) and try to login with the same login and 2FA. I get past the login screen but it says the security code is invalid.

    I thought this had to do with security tokens or caching. I found a post about /var/cpanel/sessions and deleted all the session files there under cache, preauth, and raw folders.

    Why can I not login with any browser other than Chrome via 2FA ?

    I just tested it with 2FA off and I was able to login with another browser. So it's only when 2FA is on that I can only login to Chrome.

    Not sure if it matters but I'm trying to login as root and a reseller. Both have the same result.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,762
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    The same code won't work. Each time you're asked for authentication, you need to generate a new code.
     
  3. Ryan @WebEminence

    Joined:
    Sep 10, 2015
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Chicago
    cPanel Access Level:
    Root Administrator
    Yes, I know how 2FA works. Otherwise, I'd be having trouble logging in at all. I am using Google Authenticator which generates a new code every 30 seconds. What I should have said is - I'm using the same 2FA "account", not the same 6 digit code in another browser.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,762
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Sorry, my mistake. I don't use GA so am no help here I don't think.
    Are you visiting WebHost Manager via a bookmark? If yes, you might check that the saved bookmark doesn't have the session ID in the URL.
     
  5. Ryan @WebEminence

    Joined:
    Sep 10, 2015
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Chicago
    cPanel Access Level:
    Root Administrator
    I don't think GA is the issue here. It's not doing much besides spitting out the code that is working fine in one browser.

    Yeah, I'm aware of the session IDs. Not visiting via a bookmark. Just going to domain.com:2087
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,762
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Server time set properly?
     
  7. Ryan @WebEminence

    Joined:
    Sep 10, 2015
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Chicago
    cPanel Access Level:
    Root Administrator
    Hadn't thought of that. My server time has actually been set to Eastern time zone which is where it is physically placed. But it's not my time zone. It hasn't caused any other problems that I know of thus far.

    However, the time shows 15:27 right now at 10:27 Eastern time. I click Sync Time with Time Server but it doesn't change. How do I update server time?

    Not sure if that would cause me to be able to login to Chrome browser but not other browsers.
     
  8. Ryan @WebEminence

    Joined:
    Sep 10, 2015
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Chicago
    cPanel Access Level:
    Root Administrator
    I logged into SSH and used the date command to check time and it now says the correct time for Eastern time zone. Tried to login again via another browser and it didn't work.

    WHM still says the wrong server time, but it may just need a restart or something.

    So it doesn't seem that server time is the issue right?
     
  9. Ryan @WebEminence

    Joined:
    Sep 10, 2015
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Chicago
    cPanel Access Level:
    Root Administrator
    Just to be clear, syncing the server time did not fix my problem. I still cannot login with 2FA to cpanel/WHM in any browser but Chrome. I've tried Firefox/Opera/IE.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Do you notice any specific output to /usr/local/cpanel/logs/login_log or /usr/local/cpanel/logs/error_log when encountering this issue?

    Thank you.
     
  11. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,762
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    WebHost Manager »Server Configuration »Server Time

    I agree with you though, if it works for one browser fine, it should work for the other.
     
  12. Ryan @WebEminence

    Joined:
    Sep 10, 2015
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Chicago
    cPanel Access Level:
    Root Administrator
    login_log shows this for a failed login
    HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing
    The time stamp on this line is the wrong time that's currently displayed in WHM as described above
     
  13. Ryan @WebEminence

    Joined:
    Sep 10, 2015
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Chicago
    cPanel Access Level:
    Root Administrator
    I fixed the server time by clicking change time zone again even though it was already set to Eastern. Now it's showing the correct time.

    I closed all browsers, cleared cookies, and still I can login to cPanel/WHM fine with Chrome but with any other browser it does not accept the security code.
     
  14. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,762
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    That message is related to the cPanel session I believe. If you haven't yet, clear your browser cache and check again.
    sectokmissng.png

    If it was not accepting your code the message is this one, I think:
    seccodmissng.png
     
  15. Ryan @WebEminence

    Joined:
    Sep 10, 2015
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Chicago
    cPanel Access Level:
    Root Administrator
    I think I figured something out. I have 2FA accounts created for a reseller account and root. I typically use the reseller login for cpanel and WHM, but realized in chrome after logging in as the reseller, it then asks for the security code for "root".

    And in other browsers, it has been asking for the security code for the reseller. So I was able to login using the other code. I had codes in my authenticator app labeled as WHM and cpanel because that seems to be how they have been working, but it appears the are assigned to root and reseller, not cpanel and WHM.

    And it seems if I login once with root on chrome, it then always wants the root security code even if I login next time as the reseller. Does that make any sense?

    Maybe I can turn off 2FA for the root and only use it for reseller. I can then find another way to harden the login for root. Is there a different way?

    Any ideas?
     
  16. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,762
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Where it says "Issuer" in the Two Factor setup page in WebHost Manager, I add the hostname. I don't use GA though, I use Duo Mobile. On my accounts list in Duo list it's displayed as Host:root and Host:resellerusername
    Correct. Reseller with WHM access uses the same TFA code for his cPanel as well.

    No. :)
    Sounds like Chrome is auto filling login to me.

    I would suggest figuring this out and leaving, resetting TFA for use with each account, root and Reseller. Always be sure to logout as well.

    There's always this:
    Host Access Control - Documentation - cPanel Documentation
     
  17. Ryan @WebEminence

    Joined:
    Sep 10, 2015
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Chicago
    cPanel Access Level:
    Root Administrator
    Thanks. I got this working but I'm not entirely sure what did it. I deleted all 2FA setups and redid them making sure I was in the correct accounts. There was something going on with root/reseller login for WHM because I would login with reseller, use the root 2FA code after it asked for root code, then end up in the reseller WHM backend. Weird.

    I think having the correct server time may have helped because the old codes were created with the server time wrong.

    I also put the root 2FA in another app to keep it separate from the reseller 2FA and because I don't use it often.

    If I ever have to login to root, I'll do it in another browser (not chrome) since that seemed to mess with my reseller login somehow.

    Hope this mess helps someone else :)
     
  18. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,762
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Thanks for posting back with your findings. :)
     
Loading...

Share This Page