Enable 2-step verification for specific user

Added:
https://www.directadmin.com/features.php?id=1754

Available in the pre-release section of DA if you'd like to try it out:
http://help.directadmin.com/item.php?id=408

1) BE SURE to use the "Test Code" to make sure you get a big green checkbox before you logout.
If you don't, you'll lock yourself out.

2) Also create and print scratch codes if you don't have any other way of getting in.

Screenshot:
http://www.directadmin.com/images/google-auth.jpg

This requires that your server and phone are both correctly synced with an accurate time.
If your server doesn't run a daily ntp or rdate cronjob, you'll want to do that, as servers do drift over time,
which is why I've set the google_auth_discrepancy=1 by default, to allow 30 seconds grace in either direction.

FYI: the demo "secret" never changes, but does work.
You can scan that QR code into your phone and you can also use the "Test Code" button to test out the provided code.

John
 
Great stuff, nice to see 2 factor authentication coming to DirectAdmin as well!

Would it be possible though to not specifically brand this Two-Step Google Authentication? As a lot of our customers use DirectAdmin precisely because they don't want to use a Google service.

Also, strictly speaking, I believe it's called two-factor authentication instead of Two-Step Authentication (the older DirectAdmin Security Questions feature was a form of two-step authentication). So maybe only show Password Icon -> Two-Factor Authentication and change the title on that page to "Two-Factor Authentication" as well and not specifically only refer to Google's own app but more in general to two-factor authentication apps, since something like: FreeOTP or Authy would work as well.

Same goes for the feature page of course. Unless something in the Apache License Version 2.0, assuming you're using Google's PAM module for two-factor authentication, dictates this branding within the DirectAdmin frontend of course.
 
I'm with Tristan on this. Let's keep it generic and name it 2-factor auth. We don't want people to think that anything is sent to Google.

Otherwise, based on the screenshot and the doc, good job!
 
Thank you John :cool:

Would it be possible to also integrate support for Yubikeys?
These hardware keys are very easy to use and are not time dependent. I travel a lot and then you are in different timezones.
That doesn't work well with Google Authenticator. No problem with the Yubikeys.
I use it on all my websites, and I see more and more people using it. I think it's the most popular two-factor authentication device. You just need to plug it in a usb port and push the button.
Good stuff!

Information on how to implement.
https://www.yubico.com/products/services-software/yubicloud/implement/
 
Thanks for the info. I've updated it without the "Google" branding. (note, filenames & commands have changed, if you were already editing things)
Basically swapped all instances of "google" with "twostep".

Now that the wording is more generic, we can look at Yubikeys for the same page, but I'll have to go out and buy one first ;)
No ETA on that though, as we want to make sure the TOTP works first.
Note that the "Test Code" button does check both the set discrepancy, but if that fails, it will power through a 24 hour time window before and after to see how far off your code is (if it's valid).
I'm hoping that everything uses the correct unix "epoch" time, and not specific to any timezones...
I would assume that's part of the design, but might not always be the case, depending on who wrote the app you're using, and how your hardware reports the clock time to that app.
In DA, I use the time(NULL) command, which does use epoch time.

John
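
A sketch of the check discussed in this thread, added here as an illustration and not DirectAdmin's own code: RFC 6238 TOTP computed from Unix epoch seconds (no timezone involved), accepted within a discrepancy of one 30-second step either way as with google_auth_discrepancy=1, plus a diagnostic that scans 24 hours before and after to report clock skew. The function names and the sample secret (the RFC 6238 test key) are assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed sample: RFC 6238 test key, base32

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the step containing unix_time (epoch seconds)."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def find_offset(secret_b32, code, now, max_steps):
    """Nearest step offset in [-max_steps, max_steps] whose code matches, else None."""
    for distance in range(max_steps + 1):
        for offset in ((0,) if distance == 0 else (-distance, distance)):
            if hmac.compare_digest(totp(secret_b32, now + offset * STEP), code):
                return offset
    return None

def verify(secret_b32, code, now, discrepancy=1):
    """Login decision: accept only codes within `discrepancy` steps of server time."""
    return find_offset(secret_b32, code, now, discrepancy) is not None

def diagnose_code(secret_b32, code, now, discrepancy=1):
    """Diagnostic only: if the normal window fails, report how far off the code is."""
    offset = find_offset(secret_b32, code, now, discrepancy)
    if offset is not None:
        return ("ok", offset)
    offset = find_offset(secret_b32, code, now, 24 * 3600 // STEP)
    return ("clock_skew", offset) if offset is not None else ("invalid", None)

if __name__ == "__main__":
    server_now = 1111111111  # constructed server time (epoch seconds)
    phone_code = totp(SECRET, server_now - 3600)  # phone clock one hour behind
    print(verify(SECRET, phone_code, server_now))
    print(diagnose_code(SECRET, phone_code, server_now))
```

The 24-hour scan tries 5761 time steps, so roughly 0.6% of random 6-digit guesses would match somewhere in it; it is suitable for reporting skew but should never decide whether a login is accepted.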
 