Before doing anything, open an SSH session with root privileges to avoid locking yourself out. Then, open another SSH session to do the following steps. This worked for me with no problems on CentOS 5.8, but proceed at your own risk.
Webmin uses PAM to handle the integration with Duo Security, so Duo must be compiled with PAM support. Also, Webmin will need the perl-Authen-PAM package. If all goes well, this should take no more than 30 minutes.
Follow Steps 1, 2, and 3 of the Duo Security documentation, with the following two caveats.
Duo Security with PAM requires the Linux pam-devel package. Install it if it's not already installed.
yum install pam-devel
Use the following compile flags, because you need --with-pam to integrate with Webmin:
./configure --with-pam --prefix=/usr && make && sudo make install
Now that Duo is installed with the PAM flag, make sure two-factor authentication is working with Duo Security + SSH. If you have yet to configure users and devices in Duo then do so now.
Log in to Webmin and go to Webmin -> Webmin Users. Edit any applicable usernames, like root, and set the Password drop-down to Unix Authentication.
Edit the /etc/duo/pam_duo.conf file and add your Duo Security integration key, secret key, and API hostname (found on the Integrations screen on Duo's website). These values are the same for SSH and PAM and are as described in Step 1 of the Duo Security documentation.
Edit the /etc/pam.d/webmin file and do as Duo suggests in their PAM Configuration section. That is, add a line for auth required pam_duo.so AFTER the pam_unix lines, and change the auth required pam_unix line to requisite, like this:
auth requisite pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
auth required pam_duo.so
The perl-Authen-PAM package is needed by Webmin. Install it.
yum install perl-Authen-PAM
If this install fails then Google how to add the EPEL repository and try the install again.
Add the following line to the bottom of the /etc/webmin/miniserv.conf file:
pam_conv=1
Restart Webmin:
/etc/init.d/webmin restart
Go to the Webmin URL in your browser
If you have a problem and can't log in with Webmin, edit /etc/pam.d/webmin and remove the auth required pam_duo.so line, and you'll be back to regular Unix authentication.
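A quick way to confirm the two file edits above before logging out of the spare root session, as an added example that is not part of the original post. The function names and the constructed sample files are assumptions, and the check assumes the last pam_conv line in miniserv.conf is the effective one.

```shell
#!/bin/sh
# Added example, not from the original post: verify the two files this guide edits.
# On the server: audit /etc/pam.d/webmin /etc/webmin/miniserv.conf

# Succeeds only if the auth stack has pam_unix.so as "requisite" and a
# "required" pam_duo.so line somewhere after it.
check_pam_stack() {
    awk '
        /^[ \t]*#/ { next }   # ignore comment lines
        $1 == "auth" && $2 == "requisite" && $3 ~ /pam_unix\.so$/ { unix_ok = 1 }
        $1 == "auth" && $2 == "required" && $3 ~ /pam_duo\.so$/ && unix_ok { duo_ok = 1 }
        END { exit(duo_ok ? 0 : 1) }
    ' "$1"
}

# Succeeds only if the effective pam_conv setting is 1.
# Assumption: when the key repeats, the last line wins.
check_pam_conv() {
    [ "$(awk -F= '$1 == "pam_conv" { v = $2 } END { print v }' "$1")" = "1" ]
}

# Runs both checks, prints one line per finding, returns the failure count.
audit() {
    fails=0
    check_pam_stack "$1" || {
        echo "FAIL: $1: need 'auth requisite pam_unix.so' before 'auth required pam_duo.so'"
        fails=$((fails + 1))
    }
    check_pam_conv "$2" || { echo "FAIL: $2: pam_conv=1 is not set"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $1 and $2 match the guide"
    return "$fails"
}

# Constructed sample files (not real system files) so the script runs anywhere.
demo=$(mktemp -d)
printf '%s\n' 'auth requisite pam_unix.so nullok' 'account required pam_unix.so' \
    'session required pam_unix.so' 'auth required pam_duo.so' > "$demo/pam_good"
printf '%s\n' 'auth required pam_unix.so nullok' 'account required pam_unix.so' \
    'session required pam_unix.so' > "$demo/pam_bad"   # Duo line never added
printf '%s\n' 'port=10000' 'pam_conv=1' > "$demo/miniserv_good"
printf '%s\n' 'port=10000' > "$demo/miniserv_bad"

audit "$demo/pam_good" "$demo/miniserv_good"
audit "$demo/pam_bad" "$demo/miniserv_bad" || echo "(failures above are expected for the bad samples)"
rm -rf "$demo"
```

A failing PAM check means a password alone may still be enough to log in to Webmin, so rerun the audit after any later edit to /etc/pam.d/webmin.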
Thanks to Kite for the Webmin specifics.
Awesome, thanks for this write up
Just implemented this myself
Jim,
I am really glad I could help you out with the Webmin / Virtualmin parts!
Please feel free to visit my Blog for other Webmin / Virtualmin Related posts!
Kite - David