Question about 2FA

paulo (Verified User, joined Nov 8, 2021, 17 messages)
I'm relatively new to DirectAdmin and I'm considering implementing 2FA. I tried to educate myself before going ahead and that included reading about it in this forum; while doing that, I came across the following comment:
"This is currently why I don't use 2FA on DirectAdmin. There is no alternate way for a user to reclaim their account, like security questions, or a way to disable 2FA. If you lose your phone or your scratch codes, you are done."

This was about a year ago. Is the current version of DirectAdmin still prone to this? I would hate to lock myself out with no easy way back in...

Many thanks for the feedback.

Paulo
 
Is the current version of DirectAdmin still prone to this?
No and I think a year ago it wasn't either. You can use Google Authenticator.

I don't know about reclaiming with security questions, but if you lose your phone or your codes, the admin can log in as root and easily disable 2FA in the account.
I've done that already twice for customers.
And then they can enable it again and create new codes.
 
Thanks for the feedback, Richard. What if it's the admin who has 2FA enabled and loses phone/codes? Can the admin SSH into the server and disable 2FA to reset the system? Being the admin, that's what I'm worried about... :) Thanks in advance for the feedback.
 
Can the admin SSH into the server and disable 2FA to reset the system?
If you are the admin, you should have the root credentials to log in to the server as root. Logging in via SSH doesn't go through 2FA.
And in the worst case, the datacenter could give you console/KVM access or something similar so you can mount the disk and remove the 2FA from the account.
So yes, even if the admin loses the keys, you can SSH into the server and remove the 2FA codes (which disables 2FA) from the user configuration file.

Otherwise, if the admin lost a key or got a defective phone, one would have to reinstall the server. That is not the case, so don't worry. As long as there is SSH access you can fix things.

You're welcome. ;)
 
Great. I was afraid that even SSHing into the server would not allow 2FA to be disabled -- thanks for clearing that up. Do I understand correctly that the codes are kept in /usr/local/directadmin/data/users/username/twostep_auth_* ?

Also, as an alternative to Google Authenticator, I've been looking at
  • FreeOTP
  • 2FAS
  • HENNGE OTP
  • Authy
Comments/opinions on any of them? I presume that DA will work with any token generator but I'm curious about people's experiences.

Sorry for all the questions -- I'm trying to do all the homework before actually installing 2FA on DA -- and thanks for the precious feedback.
 
/usr/local/directadmin/data/users/username/twostep_auth_
Yes, in fact there might be 2 lines. I just remove them both and set the 2FA to no.
/usr/local/directadmin/data/users/username/twostep_auth_secret.txt
/usr/local/directadmin/data/users/username/twostep_auth_scratch_codes.list

But I didn't use those, you can however delete them if they are forgotten and not used anymore.

To really disable you have to check:
/usr/local/directadmin/data/users/username/user.conf
and set
twostep_auth=no

That would be enough to disable 2FA.

As for the alternative to Google Authenticator, I have only tried Authy myself and was pleased with it. However, I did not use that on DA, so I can't help you with that part.

Sorry for all the questions
Don't be sorry about that. Those who ask might get answers and maybe learn things.
Those who don't ask might run the risk of hitting an issue while everything is running, at a moment you don't want to have an issue.

And the forum here is to help others, so feel free to keep asking. :)
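The recovery steps described in the replies above (remove the two twostep_auth_* files, set twostep_auth=no in user.conf), as an added example script that is not from this thread or from DirectAdmin's own tooling. It assumes the per-user layout under /usr/local/directadmin/data/users named in the thread, a key=value user.conf, and that it is run as root; DA_USERS is an assumed override so it can be tried on a constructed directory first.

```shell
#!/bin/sh
# Admin-side recovery of a DirectAdmin account whose 2FA device or scratch codes are gone.
# Assumed layout (from the thread): $DA_USERS/<user>/user.conf holding twostep_auth=yes|no,
# plus twostep_auth_secret.txt and twostep_auth_scratch_codes.list in the same directory.
# DA_USERS is an assumed override so the functions can be exercised on a constructed tree.
DA_USERS="${DA_USERS:-/usr/local/directadmin/data/users}"

# disable_2fa USERNAME -> 0 on success, 1 if the user's user.conf does not exist.
disable_2fa() {
    user="$1"
    dir="$DA_USERS/$user"
    conf="$dir/user.conf"
    [ -f "$conf" ] || { echo "no user.conf for '$user' under $DA_USERS" >&2; return 1; }

    # Keep a timestamped backup before touching the live config.
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"

    # Rewrite user.conf with a single twostep_auth=no line (replacing any existing one).
    # Writing through '> "$conf"' keeps the file's owner and mode intact.
    tmp="$conf.tmp.$$"
    { grep -v '^twostep_auth=' "$conf" || true; printf 'twostep_auth=no\n'; } > "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"

    # Remove the stored TOTP secret and scratch codes so stale material is not left behind;
    # the user re-enables 2FA from the panel, which issues a fresh secret and new codes.
    rm -f "$dir/twostep_auth_secret.txt" "$dir/twostep_auth_scratch_codes.list"
    echo "2FA disabled for $user; re-enable it from the panel to get new codes."
}

# current_2fa USERNAME -> prints the twostep_auth value from user.conf (empty if unset).
current_2fa() {
    sed -n 's/^twostep_auth=//p' "$DA_USERS/$1/user.conf" 2>/dev/null
}
```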
 
Thanks so much for the detailed replies -- the feedback is very much appreciated. And your philosophy regarding the forum matches an ideal world that sometimes I fear is disappearing. Perhaps it's just my impression but I feel that people are increasingly busy with their own things and simple gestures of kindness and generosity are going the way of the dodo... So, thank you. :)
 
sometimes I fear is disappearing.
I have the same fear. But several of us certainly try to keep up the good work here. ;)
You are totally right by the way, I experience the same. Lots of forums lose to social media, and in other cases some are too busy with themselves or are afraid to help the competition (yes, this happens too). I don't have to live from my business so I don't care about competition, and I have too much time on my hands. So there. :)
But there are also some other good helpers here too. You will encounter them automatically when being around here for a longer time.
 
I use Authy as a GA replacement (but not with directadmin); in general it works a treat!
Thanks for the feedback. If it can be of help for others, the password manager '1Password' also appears to have this functionality.
 