SOLVED 2FA Login in Different Browsers

[Ryan @WebEminence]

I'm trying to allow an assistant to login to WHM and cPanel via 2FA. I understand I need to share the same QR code for authorization and I've figured that out and have the authorization codes matching on different devices.

My problem is I cannot login on different browsers. I'm not even trying to login at the same time. But I will login to WHM on Chrome, logout of Chrome, then go to Firefox/IE/Opera (tried all three) and try to login with the same login and 2FA. I get past the login screen but it says the security code is invalid.

I thought this had to do with security tokens or caching. I found a post about /var/cpanel/sessions and deleted all the session files there under cache, preauth, and raw folders.

Why can I not login with any browser other than Chrome via 2FA ?

I just tested it with 2FA off and I was able to login with another browser. So it's only when 2FA is on that I can only login to Chrome.

Not sure if it matters but I'm trying to login as root and a reseller. Both have the same result.

 

[Infopro]

then go to Firefox/IE/Opera (tried all three) and try to login with the same login and 2FA

The same code won't work. Each time you're asked for authentication, you need to generate a new code.

 

[Ryan @WebEminence]

Yes, I know how 2FA works. Otherwise, I'd be having trouble logging in at all. I am using Google Authenticator which generates a new code every 30 seconds. What I should have said is - I'm using the same 2FA "account", not the same 6 digit code in another browser.

 

[Infopro]

Sorry, my mistake. I don't use GA so am no help here I don't think.

I get past the login screen but it says the security code is invalid.

Are you visiting WebHost Manager via a bookmark? If yes, you might check that the saved bookmark doesn't have the session ID in the URL.

 

[Ryan @WebEminence]

I don't think GA is the issue here. It's not doing much besides spitting out the code that is working fine in one browser.

Yeah, I'm aware of the session IDs. Not visiting via a bookmark. Just going to domain.com:2087

 

[Infopro]

Server time set properly?

 

[Ryan @WebEminence]

Hadn't thought of that. My server time has actually been set to Eastern time zone which is where it is physically placed. But it's not my time zone. It hasn't caused any other problems that I know of thus far.

However, the time shows 15:27 right now at 10:27 Eastern time. I click Sync Time with Time Server but it doesn't change. How do I update server time?

Not sure if that would cause me to be able to login to Chrome browser but not other browsers.

 

[Ryan @WebEminence]

I logged into SSH and used the date command to check time and it now says the correct time for Eastern time zone. Tried to login again via another browser and it didn't work.

WHM still says the wrong server time, but it may just need a restart or something.

So it doesn't seem that server time is the issue right?

 

[Ryan @WebEminence]

Just to be clear, syncing the server time did not fix my problem. I still cannot login with 2FA to cpanel/WHM in any browser but Chrome. I've tried Firefox/Opera/IE.

 

[cPanelMichael]

Hello,

Do you notice any specific output to /usr/local/cpanel/logs/login_log or /usr/local/cpanel/logs/error_log when encountering this issue?

Thank you.

 

[Infopro]

WHM still says the wrong server time, but it may just need a restart or something.

WebHost Manager »Server Configuration »Server Time

I agree with you though, if it works for one browser fine, it should work for the other.

 

[Ryan @WebEminence]

Do you notice any specific output to /usr/local/cpanel/logs/login_log or /usr/local/cpanel/logs/error_log when encountering this issue?

Thank you.

login_log shows this for a failed login
HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing
The time stamp on this line is the wrong time that's currently displayed in WHM as described above

 

[Ryan @WebEminence]

I fixed the server time by clicking change time zone again even though it was already set to Eastern. Now it's showing the correct time.

I closed all browsers, cleared cookies, and still I can login to cPanel/WHM fine with Chrome but with any other browser it does not accept the security code.

 

[Infopro]

security token missing

That message is related to the cPanel session I believe. If you haven't yet, clear your browser cache and check again.


If it was not accepting your code the message is this one, I think:

 

[Ryan @WebEminence]

I think I figured something out. I have 2FA accounts created for a reseller account and root. I typically use the reseller login for cpanel and WHM, but realized in chrome after logging in as the reseller, it then asks for the security code for "root".

And in other browsers, it has been asking for the security code for the reseller. So I was able to login using the other code. I had codes in my authenticator app labeled as WHM and cpanel because that seems to be how they have been working, but it appears the are assigned to root and reseller, not cpanel and WHM.

And it seems if I login once with root on chrome, it then always wants the root security code even if I login next time as the reseller. Does that make any sense?

Maybe I can turn off 2FA for the root and only use it for reseller. I can then find another way to harden the login for root. Is there a different way?

Any ideas?

 

[Infopro]

Where it says "Issuer" in the Two Factor setup page in WebHost Manager, I add the hostname. I don't use GA though, I use Duo Mobile. On my accounts list in Duo list it's displayed as Host:root and Host:resellerusername

but it appears the are assigned to root and reseller, not cpanel and WHM.

Correct. Reseller with WHM access uses the same TFA code for his cPanel as well.

And it seems if I login once with root on chrome, it then always wants the root security code even if I login next time as the reseller. Does that make any sense?

No.
Sounds like Chrome is auto filling login to me.

I would suggest figuring this out and leaving, resetting TFA for use with each account, root and Reseller. Always be sure to logout as well.

I can then find another way to harden the login for root. Is there a different way?

There's always this:
Host Access Control - Documentation - cPanel Documentation

 

[Ryan @WebEminence]

Thanks. I got this working but I'm not entirely sure what did it. I deleted all 2FA setups and redid them making sure I was in the correct accounts. There was something going on with root/reseller login for WHM because I would login with reseller, use the root 2FA code after it asked for root code, then end up in the reseller WHM backend. Weird.

I think having the correct server time may have helped because the old codes were created with the server time wrong.

I also put the root 2FA in another app to keep it separate from the reseller 2FA and because I don't use it often.

If I ever have to login to root, I'll do it in another browser (not chrome) since that seemed to mess with my reseller login somehow.

Hope this mess helps someone else

 

[Infopro]

Thanks for posting back with your findings.