
#5418 2-Factor authentication failed since 1.960

1.960
open
nobody
2
2020-10-29
2020-10-20
No

Hello,
I have had 2-factor authentication enabled for a few years. I have never had a problem so far.
I just installed the new version, going from 1.955 to 1.960.
You can see the error (in French) in my short video.

Do you have any idea where the problem is?

Thank you in advance.

Kind regards
Jeremy

1 Attachments

Discussion

  • Jamie Cameron

    Jamie Cameron - 2020-10-20

    We did change the UI for two-factor login in 1.960, so it's possible that this introduced a bug.

    Do you still see problems if you switch to the old Blue Framed Theme (at Webmin -> Change Language and Theme) ?

     
  • JEREMY DELATTRE

    JEREMY DELATTRE - 2020-10-20

    No problem with the old Blue Framed Theme

     
  • Ilia

    Ilia - 2020-10-20

    Jeremy, hi. Honestly it's not clear what is happening. This feature has been tested so many times. Anyway, what does this error say in French? Did you enter the right OTP? Is anything logged under /var/webmin? Have you tried restarting Webmin and/or trying another browser? Is this Google Authenticator?

    Eventually, is there a way for us to have login credentials to test it if we cannot solve it the regular way?

     
  • JEREMY DELATTRE

    JEREMY DELATTRE - 2020-10-20

    Hi,
    OK, I'm using Authentic Theme on Webmin.
    At the same time as I upgraded Webmin to 1.960, Authentic Theme was upgraded from 19.60 to 19.61.
    I just downgraded Authentic Theme to 19.60 and it's OK. 2FA works.
    So, the problem is in the Authentic Theme upgrade from 19.60 to 19.61.
    I upgrade to 19.61 and 2FA does not work.

     
  • Ilia

    Ilia - 2020-10-20

    I have given it another try and after Webmin restart (/etc/webmin/restart) all seems to be working just fine with Webmin 1.960 and theme 19.61.

    Could you double check?

    If it still doesn't work, what is the output of :

    cat /etc/webmin/miniserv.conf
    cat /etc/webmin/config
    
     
  • JEREMY DELATTRE

    JEREMY DELATTRE - 2020-10-20

    No, the problem persists.
    In attachment :

    • miniserv.conf
    • config
    • short video of my test: first part of the video with 19.60, where TOTP works. Next, upgrade to 19.61 and log out. Restart Webmin and attempt to log in. After validating the OTP, I get an error message "Identification error. Try Again.". You will be able to see that the generated code and the one entered are identical.
      I use Google Authenticator on the server for OTP.
     
  • Ilia

    Ilia - 2020-10-20

    Jeremy, I see what the problem is. Webmin is not getting restarted as expected.

    Try:

    ps aux | grep miniserv | grep webmin
    systemctl restart webmin
    ps aux | grep miniserv | grep webmin
    

    You should see that the PIDs aren't changed? Thus, you need to use the restart script provided with Webmin.

    /etc/webmin/restart
    
     
  • JEREMY DELATTRE

    JEREMY DELATTRE - 2020-10-20

    Ilia, sorry but it does not work.
    In the attachment, the PIDs are changed with "systemctl restart webmin" and "/etc/webmin/restart".
    After these two command lines, I still get the error message.

     
  • MobileHero

    MobileHero - 2020-10-22

    Alright guys I ended up in the same situation. Authentic theme does not provide the 2FA code box anymore.

    So I AM SCREWED now because I can't change anything without logging in.
    -> Can I change theme without/before logging in?
    -> Can I fix it on the command line?

     
    • MobileHero

      MobileHero - 2020-10-22

      Update: I manually restarted Webmin on the command line. After that login worked.
      BUT putting the 2FA code box on a second state is something I consider as completely unnecessary UI change by the way.

      Anyway, back in...

       
  • JEREMY DELATTRE

    JEREMY DELATTRE - 2020-10-22

    You are lucky, because restarting does not work for me. Maybe because I put it in French?

     
  • Ilia

    Ilia - 2020-10-22

    Jeremy, if you try another browser or incognito mode (without extensions enabled) does it change anything? I just cannot reproduce this issue. Is there a way for me to get an SSH root login and have a look, in case you cannot fix this?

    Have you tried rebooting your server?

     
  • JEREMY DELATTRE

    JEREMY DELATTRE - 2020-10-22

    Ilia, I have already tried with another browser and after restarting the server. I also tried by putting Webmin back in English. The problem persists.

    Giving root access directly to the server is not possible. But if you want, we can coordinate to find a time slot together so that I give you access to my PC via TeamViewer and open SSH access as root.
    I am in the Paris time zone (UTC +2).
    It's possible for me on Saturday afternoon, if not Monday or Tuesday.

     
  • Ilia

    Ilia - 2020-10-22

    What do you get printed in /var/webmin/miniserv.error log upon login?

     
  • JEREMY DELATTRE

    JEREMY DELATTRE - 2020-10-22

    Nothing upon login. But at the restart:
    [22/Oct/2020:22:37:50 +0200] miniserv.pl started
    [22/Oct/2020:22:37:50 +0200] Using MD5 module Digest::MD5
    [22/Oct/2020:22:37:50 +0200] Using SHA512 module Crypt::SHA

     
  • JEREMY DELATTRE

    JEREMY DELATTRE - 2020-10-22

    Oh! I have this after a new attempt to connect:
    [22/Oct/2020:22:57:48 +0200] miniserv.pl started
    [22/Oct/2020:22:57:48 +0200] Using MD5 module Digest::MD5
    [22/Oct/2020:22:57:48 +0200] Using SHA512 module Crypt::SHA
    Use of uninitialized value $acl::in{"user"} in concatenation (.) or string at /usr/libexec/webmin/acl/twofactor_form.cgi line 50.
    [22/Oct/2020:22:58:13 +0200] Reloading configuration
    Use of uninitialized value $acl::in{"user"} in concatenation (.) or string at /usr/libexec/webmin/acl/twofactor_form.cgi line 42.

     
  • Ilia

    Ilia - 2020-10-22

    What about syslog?

    Do you have perl-Digest-MD5 installed?

     
  • Ilia

    Ilia - 2020-10-22

    Besides, is Authen::OATH installed?

     
  • JEREMY DELATTRE

    JEREMY DELATTRE - 2020-10-22

    These modules are installed.
    For information, I removed the Webmin RPM.
    I renamed /etc/webmin to /etc/webmin.old (for a fresh install and to recreate the default config).
    I reinstalled Webmin.
    I connected to Webmin and configured 2FA with the same secret key.
    I restarted Webmin (with systemctl and /etc/webmin/restart).
    I still have the problem with this fresh install.
    After downgrading to Authentic-Theme 19.60 (and still Webmin 1.960), I have no problem.

    Can you test with the same OS? I am using OpenSUSE Leap 15.2

     

    Last edit: JEREMY DELATTRE 2020-10-22
  • JEREMY DELATTRE

    JEREMY DELATTRE - 2020-10-22

    It's still strange that 2-factor authentication works well with version 19.60 but that it no longer works with version 19.61. Is it only a UI change? Nothing else?

     
  • Ilia

    Ilia - 2020-10-22

    19.61 introduces 2FA to be on a separate screen. You must be able to enter OTP only after entering correct password.

    I will have a closer look tomorrow. This shouldn't be happening.

     
  • Ilia

    Ilia - 2020-10-23

    Jeremy, salut!

    I have given it a close look and it appears that you have something on your side misconfigured. I could successfully use latest Webmin 19.60 with Authentic Theme 19.61 to login with OTP (see attached screencast).

    The only bug I found was the version parsing, which I just fixed.

    It's worth mentioning that I used your earlier shared config and miniserv.conf. Double check /etc/webmin/miniserv.conf file.

    > BUT putting the 2FA code box on a second state is something I consider as completely unnecessary UI change by the way.

    It was absolutely necessary, because, for example, if 5 out of 10 Webmin users don't have 2FA setup and still see 2FA OTP field - it makes it very confusing for those users.

     
  • Ilia

    Ilia - 2020-10-23

    > Double check /etc/webmin/miniserv.conf file.

    This was a typo, I meant to say /etc/webmin/miniserv.users file.

     
  • JEREMY DELATTRE

    JEREMY DELATTRE - 2020-10-23

    Hello Ilia,
    It's very strange indeed.
    What bothers me is that version 19.60 works fine.
    So I don't see why a simple UI change in version 19.61 would stop it working. Maybe you used a new module for Perl?! Can you tell me what you have installed in addition to Webmin to make it work?

    I never said "BUT putting the 2FA code box on a second state is something I consider as completely unnecessary UI change by the way." It's a message from MobileHero. I have no problem with that ;-)

    My miniserv.users (I changed only the secret key here):

    root:x::::::::0:0:totp:ABCDEFGHIJKLMNOP:
    

    I will install OpenSUSE Leap 15.2 on a virtual machine and test Webmin on it. I'll keep you posted.

     

    Last edit: Ilia 2020-10-23
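
The check below is an added example, not part of the thread or of Webmin's own code: it computes the RFC 6238 code the server should expect from a `miniserv.users` line shaped like the one posted above, so a failing login can be separated from a wrong secret or a drifting clock. It assumes the secret is the field following `totp` (as in the posted line) and Google Authenticator defaults (HMAC-SHA1, 30-second step, 6 digits); the function names are illustrative.

```python
import base64, hashlib, hmac, struct, time

# Constructed sample in the shape of the line posted in the thread
# (placeholder secret, not a real key).
SAMPLE_LINE = "root:x::::::::0:0:totp:ABCDEFGHIJKLMNOP:"

def totp_secret(line):
    """Return (user, base32 secret), or None when the line has no TOTP entry.

    Assumption: the secret is the field right after the literal 'totp'
    provider field, as in the line shown in the thread.
    """
    fields = line.rstrip("\n").split(":")
    if "totp" not in fields[1:]:
        return None
    i = fields.index("totp", 1)
    if i + 1 >= len(fields) or not fields[i + 1]:
        return None
    return fields[0], fields[i + 1]

def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 for the Unix time `now`."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def matching_step(secret_b32, entered, now, window=1):
    """Step offset (-window..window) at which `entered` is valid, else None.

    A non-zero result means the code is correct but the clocks disagree.
    """
    for off in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + off * 30), entered):
            return off
    return None

if __name__ == "__main__":
    user, secret = totp_secret(SAMPLE_LINE)
    now = time.time()
    print(user, "server time (UTC):", time.strftime("%H:%M:%S", time.gmtime(now)))
    for off in (-1, 0, 1):
        print(f"step {off:+d}: {totp(secret, now + off * 30)}")
```

If the code printed for step +0 matches the authenticator app while the login form still rejects it, the stored secret and the server clock are ruled out and the fault lies in the login flow itself.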
  • Ilia

    Ilia - 2020-10-23

    > What bothers me is that version 19.60 works fine. So I don't see why a simple UI change in version 19.61 would stop it working.

    It's not simply a UI change - I had to make a series of miniserv patches to make it work properly.

     