Questions About Two-Factor Authentication

[Spork Schivago]

@cPanelLauren,

I agree that setting the shell to noshell is important and will do that.

Should I create a new thread for this question?

I want some information on two factor authentication. Using the Microsoft services, whenever we login, we have to grab a code off our cells using the Microsoft Authenticator app, which changes every 30 seconds. From a simple test, I was able to determine that cPanel / WHM supports this. But to what degree?

With the Microsoft stuff, if we don't have access to the cell phones, we can receive a verification phone call with the number we setup during our account creation (that we can change after we've successfully logged in) or receive a text message with a code. The phone call just has us press # to prove it's us. The text message provides a code.

Also, is there any way to set up the same two-factor authentication for SSH access, where if we do not enter the correct code, it refuses us access to system? I was thinking perhaps I could modify a login script in the various users directories and have it point to the script / binary file that cPanel uses for the 2-factor authentication...would this be possible? I guess this should be under a new topic, but not sure where to put it. Maybe under Security?

 

[Spork Schivago]

Thank you for moving this, whoever moved it! Didn't realize two-factor authentication had its own sub-forum now. That's nice.

 

[cPanelMichael]

Hello @Spork Schivago,

Two-Factor authentication is currently only supported for the cPanel & WHM login interface. If you'd like to see it supported for an additional service, such as SSH, I encourage you to vote and add feedback to the existing feature request at:

Add Two-Factor Authentication to SSH Logins

To answer your other question, two-factor authentication for cPanel & WHM logins should correspond with the existing application on your smart phone. Any backup methods (e.g. voice calls) of receiving the code from that application should extend to the cPanel & WHM login.

Thank you.

 

[Spork Schivago]

Is there any way to call the API directly that deals with the two-factor authentication? For example, I might be able to write a small wrapper that I can set as the login script, and if two-factor authentication fails, they'd get disconnected. I've have to maybe take precautions to make sure no one could break out of the wrapper to by-pass the security.

 

[cPanelMichael]

Is there any way to call the API directly that deals with the two-factor authentication? For example, I might be able to write a small wrapper that I can set as the login script, and if two-factor authentication fails, they'd get disconnected. I've have to maybe take precautions to make sure no one could break out of the wrapper to by-pass the security.

Could you provide a specific example of how such a script would work?

Thank you.

 

[Spork Schivago]

Yes sir.

Once, (you might remember), I managed my own SSL certs from Let's Encrypt, before cPanel / WHM had automated support for this. I did this by creating a perl script that in the earliest revision had root's password and would call the WHM APIs to check if the certs where expiring, and if so, run the Let's Encrypt certbot program, then using the WHM APIs, install them.

Later revisions used access hashes, and I think finally, some sort of token (but I had just toyed around with the token idea and never really got it working, if I remember correctly).

I was hoping you guys implemented two-way authentication in a similar way you implemented the various SSL WHM APIs I could call.

We use the Microsoft Authenticator App and as a test run, the WHM two-factor authentication is compatible with the app. Somehow, WHM / cPanel (I only tried it for logging into WHM, so I don't know what exactly is covered by your guy's implementation) must communicate with some sort of API that the Microsoft Authenticator communicates with. I haven't had time to research if the two-factor authentication is a Microsoft thing or not.

I know with CSF, if someone accidently gets blocked, my system is configured to call the Google Prove you're not a Robot picture thing, and if they pick the correct images, they can unblock themselves, at least for the first few times. In that case, it's the Google reCAPTCHA v2 API that ConfigServer Firewall is using.

If it's not a trade secret or confidential information, I'd like to know how cPanel implements the two-factor authentication. Then I have two choices I think, depending on how it's actually implemented. They both depend on me being able to call some function and read what the correct code is every 30 seconds.

The first implementation would be a bit nicer and I'd probably talk to the people developing OpenSSH to see if they wanted to implement the code, but it'd call the two-factor authentication function and retrieve the code from some place. With the Google reCAPTCHA API, I had to register with Google to obtain a key to use the API. I'd imagine it's probably similar with the two-factor code, because I need to distinguish my server from everyone elses. I would obtain the code, and before executing the user's shell, just have them enter the code and see if it's correct.

The second option would be cPanel / WHM specific, where instead of registering the server to gain access to the official API or whatever it is (again, I haven't had time to properly research this), I'd just be calling the cPanel / WHM API that grabs the code from the official place (Microsoft or whereever these codes come from), then I'd do something similar. Maybe write a simple login script that calls the cPanel API and stores the correct code in some variable, have the user enter the code while spawning a thread to keep track of the seconds, every 30 seconds, call the API again, unless of course, the enter the correct code, then simply check what the user's shell is set to normally, and execute it.

I dunno, that might be hard though to maintain, the second one. Only because I'd have to keep some database of their original shells and then replace them with my two-factor authentication shell. Maybe I could just add a line to one of the login scripts, system wide or something.

For the first option, I dunno if it'd even be possible, because the user has to scan a QR code, right? It might not be too hard, depending on the format of the QR code (png, jpg, svg, etc). I could easily write a function that downloads that simply displays the QR code so they can scan it. I dunno. Maybe I'd have to write it for cPanel users only, and they'd have to have already paired their apps with their servers, like we do now when we enable two-factor authentication. I haven't really gotten that far, there's too many variables right now.

First, I just need to know how the two-factor authentication works, from a technical standpoint. Are there API calls available, is there an executable file, how does cPanel obtain the actual bar code, etc. After that, I could draw up a flow-chart or write some pseudo code and go from there.

 

[Spork Schivago]

@cPanelMichael,

Turns out it's already been implemented. Here's an article that explains how to set it up using the Google Open Authenticator PAM module, which will be compatible with all the apps.

How To Set Up Multi-Factor Authentication for SSH on Ubuntu 16.04 | DigitalOcean

Although the link is for Ubuntu, it looks pretty simple, a lot more secure than how I was going to implement (using the PAM module), and easily doable. Once I finish drawing this diagram to get a permit to run the AC lines for my data center, depending on what else is on my todo list, I might give it a shot on my CentOS 7 server running cPanel / WHM and report back.

I just wish that FIDO U2F was supported with hardware based USB devices or NFC. I discovered 2FA could be insecure if people are using the SMS protocol to receive the codes.

With the article, it'd be best to enable the configuration like they have, to prevent relay attacks, which seem to be becoming more and more common now-a-days.

 

[cPanelMichael]

Hello @Spork Schivago,

Thank you for the update. I'm glad to see you found a suitable solution. I'm not sure if you've already seen it, but we do provide some examples of API authentication with two-factor authentication at:

Guide to API Authentication - Two-Factor Authentication - Developer Documentation - cPanel Documentation

Thank you.

 

[Spork Schivago]

Hello @Spork Schivago,

Thank you for the update. I'm glad to see you found a suitable solution. I'm not sure if you've already seen it, but we do provide some examples of API authentication with two-factor authentication at:

Guide to API Authentication - Two-Factor Authentication - Developer Documentation - cPanel Documentation

Thank you.

I hope you don't mind the delays in my responses. We're still setting up the business, getting the datacenter almost finished, learning the new software, and most importantly, making sure our daughter comes first, so I don't get much time to browse the forums right now, but I was completely unaware of that and wanted to personally thank you for showing it to me!

I believe the way I know to call the APIs has changed a lot. First, I used plain password, but quickly moved on to hashes, which I think are now not the prefered way to go....so I might have to do some reading up on this. I can't get the dev license because all the machines we have are being used as production. Gonna set up a CentOS 7.4 "test" VPS or two though on the main server. Maybe if our business is successful, we'll be able to afford another copy of cPanel for the VPS running on our dedicated server.