Webmin versions 1.660 and above support two-factor authentication using either TOTP (implemented by the Google Authenticator smartphone app, among others) or Authy (a commercial service with its own app). Two-factor authentication adds security by requiring an extra code when logging into Webmin, commonly referred to as an OTP or One-Time Password. This code is time-based and so cannot be re-used later than 30 seconds after it is generated by the user's smartphone. This means that even if a Webmin user's password is compromised, an attacker will not be able to log in without the user's smartphone.
Webmin supports two different two-factor providers:
- Google Authenticator - This actually uses the standard TOTP protocol, which is implemented by a smartphone app provided by Google for most smartphone operating systems. OTP code validation is done entirely by Webmin, rather than by calling any Google-provided API. For more information, see https://support.google.com/accounts/answer/1066447?hl=en and http://en.wikipedia.org/wiki/Google_Authenticator .
- Authy - This is a commercial service that provides a smartphone app for generating OTP codes, and has a website for enrolling users. For more information, see http://www.authy.com/
The steps to enable two-factor authentication in Webmin are:
- Go to the Webmin Configuration module, and click on Two-Factor Authentication
- Choose an authentication provider, and enter any additional details such as the provider's API key.
- Click Save
- You may be prompted to install the Authen::OATH Perl module at this point, if it is missing from your system.
Once this is done, you can now enroll yourself or another Webmin user so that the additional factor is required when logging in. The steps for this are:
- Go to the Webmin Users module, and click on Two-Factor Authentication
- Enter information specific to the chosen authentication provider. When using Authy, this will be an email address and cellphone number corresponding to an account already created at http://www.authy.com/ . For Google Authenticator, you can either enter an existing TOTP secret (such as from a hardware OTP device) or have Webmin generate one.
- Click the Enroll For Two-Factor Authentication button.
- If using Google Authenticator, Webmin will display a QR code that contains the TOTP secret that you can scan using the Authenticator app on your smartphone.
Once enrolled, you can verify that it is working by logging out and trying to log in again. The Webmin login page should now also prompt for a two-factor token, which will be a 6 or 7 digit number generated by the authenticator app on your smartphone or OTP device. This must be entered in addition to the correct username and password.
The root or admin user can also enroll other users as follows:
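To make the validation step concrete, here is an added example (not Webmin's own code, which uses the Authen::OATH Perl module) of how a server checks a 6-digit TOTP token against a user's base32 secret: it computes the code for the current 30-second time step, tolerates one step of clock drift in either direction, and records the accepted step so the same code cannot be replayed within its window. The secret is the RFC 6238 test key, used here only as a constructed sample.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed secret for this example: the RFC 6238 test key "12345678901234567890",
# base32-encoded the way a TOTP secret appears in an otpauth:// QR code.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Base32 secrets are often shown without '=' padding or with spaces; normalise first."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the app shows."""
    return hotp(decode_secret(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, submitted: str, last_counter: int = -1,
                at: Optional[int] = None, step: int = 30, digits: int = 6,
                skew: int = 1) -> Optional[int]:
    """Server-side check. Returns the matched time-step counter, or None on failure.
    - Accepts the current step and +/- skew steps to tolerate phone/server clock drift.
    - Rejects any counter <= last_counter, so a captured code cannot be replayed within
      its window; the caller must persist the returned counter per user.
    - Uses compare_digest so the comparison does not leak timing information."""
    at = int(time.time()) if at is None else at
    submitted = submitted.strip().replace(" ", "")
    if not submitted.isdigit() or len(submitted) != digits:
        return None
    key = decode_secret(secret_b32)
    now = at // step
    for counter in range(now - skew, now + skew + 1):
        if counter > last_counter and hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None
```

The accepted counter returned by verify_totp is what a login handler would store alongside the user record, so that a second submission of the same token within the 30-second window is refused.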
- Go to the Webmin Users module, and click on a username.
- In the Security and limits options section click the Enable Two-Factor For User button.
- Complete the enrollment process as above.
To disable two-factor authentication for your Webmin login, go to the Webmin Users module, click the Two-Factor Authentication icon and then the Disable Two-Factor Authentication button.
Two-factor can also be disabled for another user by root by clicking on their username, opening the Security and limits options section, checking the box Remove two-factor authentication requirement and clicking Save.
SSL Client Certificates
SSL client certificates are a method for a browser to authenticate itself to a webserver (like Webmin) that replaces the username and password. Once a private key and certificate are installed into a browser, they will be presented when connecting to Webmin in SSL mode and validated against Webmin's own certificate authority. Assuming the cert is valid, the user who owns it will be looked up and the browser automatically logged in.
Before SSL client certs can be used, you must first set up a CA (certificate authority) in Webmin, as follows:
- Go to the Webmin Configuration module, and click the Certificate Authority icon.
- Fill in your details, such as your state and country, then click Setup Certificate Authority
Once this is done, each Webmin user can create a private SSL client key and certificate. At the time of writing, this is only known to work reliably with Firefox-based browsers. The steps are:
- Go to the Webmin Users module, and click on Request an SSL Certificate.
- Select the desired key size, and start the key generation process.
- Once it is complete, your browser should notify you that a new SSL key has been installed.
- Log out of Webmin, re-open your browser, and return to the Webmin URL. You may be prompted by your browser to select an SSL client cert, and should then be logged in automatically.
If SSL client authentication fails, you will still have the option to login using a username and password.