Duo Security and Webmin / Virtualmin Two-factor Authentication Login Integration

Before doing anything, open an SSH session with root privileges to avoid locking yourself out. Then, open another SSH session to do the following steps. This worked for me with no problems on CentOS 5.8, but proceed at your own risk.

Webmin uses PAM to handle the integration with Duo Security, so Duo must be compiled with PAM support. Also, Webmin will need the perl-Authen-PAM package. If all goes well, this should take no more than 30 minutes.

Compiling/Installing Duo Security with PAM on CentOS

Follow Steps 1, 2, and 3 of the Duo Security documentation, with the following two caveats.

 

Caveat 1

Duo Security with PAM requires the Linux pam-devel package. Install it if it's not already installed.

yum install pam-devel

Caveat 2

Use the following compile flags; --with-pam is required to integrate with Webmin.

./configure --with-pam --prefix=/usr && make && sudo make install

 

Now that Duo is installed with the PAM flag, make sure two-factor authentication is working with Duo Security + SSH. If you have yet to configure users and devices in Duo then do so now.

Duo Security and Webmin / Virtualmin Integration using PAM on CentOS

Log in to Webmin and go to Webmin -> Webmin Users. Edit any applicable usernames, like root, and set the Password drop-down to Unix Authentication.

Edit the /etc/duo/pam_duo.conf file and add your Duo Security integration key, secret key, and API hostname (found on the Integrations screen on Duo's website). These values are the same for SSH and PAM and are as described in Step 1 of the Duo Security documentation.

Edit the /etc/pam.d/webmin file and do as Duo suggests in their PAM Configuration section. That is, add a line for auth required pam_duo.so AFTER the pam_unix lines, and change the auth required pam_unix line to requisite, like this:

auth requisite pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
auth required pam_duo.so

The perl-Authen-PAM package is needed by Webmin. Install it.

yum install perl-Authen-PAM

If this install fails then Google how to add the EPEL repository and try the install again.

Add the following line to the bottom of the /etc/webmin/miniserv.conf file.

pam_conv=1

Restart Webmin

/etc/init.d/webmin restart

Go to the Webmin URL in your browser

  • The first screen should only ask for a username, which is likely to be root, unless you've changed it. Enter the username and click Continue
  • The next screen should ask for your Linux password. Enter the password and click Continue. Note: if Webmin presents Duo Security options before asking for a Linux password, see the section above about editing /etc/pam.d/webmin.
  • The next screen should ask you to select a Duo device/option, the same as it does when you log in over SSH.
  • Enter a Duo Security option and click Continue. Note: Duo Push and the phone call method work for me. SMS and Duo app passcodes have yet to work for me.
  • The next screen will say "You must respond to the question below to login to Webmin server on". If you requested a phone call (or if SMS or the app passphrase work for you) then enter that passphrase and click Continue.
  • The next screen may just have a Continue button on it. Keep clicking "Continue" until you're logged in to the Webmin/Virtualmin interface.
  • If you have a problem and can't log in to Webmin, edit /etc/pam.d/webmin and remove the auth required pam_duo.so line, and you'll be back to regular Unix authentication.
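
The settings the steps above depend on can be checked from the shell before you rely on the login flow. This is an added example, not part of the original post: it verifies that pam_unix.so is requisite, that pam_duo.so comes after it, and that pam_conv=1 is set. The function names and the demo's sample files are constructed for illustration; the default paths are the ones used on this page.

```sh
#!/bin/sh
# Added example: audit the Webmin PAM stack and miniserv.conf described above.
# Assumes plain "type control module" PAM lines (no bracketed controls, no includes).

# Print "<line-number> <control>" for the first auth line loading module $2 in file $1.
auth_entry() {
    awk -v mod="$2" '$1 == "auth" {
        n = split($3, part, "/")            # accept a full path to the module
        if (part[n] == mod) { print NR, $2; exit }
    }' "$1"
}

# Return 0 only if the files match what the page prescribes; print each mismatch.
check_webmin_duo() {
    pam=${1:-/etc/pam.d/webmin} conf=${2:-/etc/webmin/miniserv.conf} rc=0
    unix=$(auth_entry "$pam" pam_unix.so)
    duo=$(auth_entry "$pam" pam_duo.so)
    if [ -z "$unix" ]; then
        echo "FAIL: no auth line for pam_unix.so in $pam"; rc=1
    elif [ "${unix#* }" != requisite ]; then
        # With "required", a wrong password still continues on to the Duo prompt.
        echo "FAIL: pam_unix.so auth control is '${unix#* }', expected requisite"; rc=1
    fi
    if [ -z "$duo" ]; then
        echo "FAIL: no auth line for pam_duo.so in $pam, so no second factor"; rc=1
    elif [ -n "$unix" ] && [ "${duo%% *}" -lt "${unix%% *}" ]; then
        echo "FAIL: pam_duo.so (line ${duo%% *}) comes before pam_unix.so"; rc=1
    fi
    if ! grep -Eq '^pam_conv=1[[:space:]]*$' "$conf"; then
        echo "FAIL: pam_conv=1 is not set in $conf"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $pam and $conf match the setup above"; fi
    return "$rc"
}

# Constructed sample input: the stack from this page, and one with Duo listed first.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'auth requisite pam_unix.so nullok' 'account required pam_unix.so' \
        'session required pam_unix.so' 'auth required pam_duo.so' > "$d/good"
    printf '%s\n' 'auth required pam_duo.so' 'auth requisite pam_unix.so nullok' > "$d/bad"
    printf '%s\n' 'port=10000' 'pam_conv=1' > "$d/miniserv.conf"
    good=0; check_webmin_duo "$d/good" "$d/miniserv.conf" || good=$?
    bad=0;  check_webmin_duo "$d/bad"  "$d/miniserv.conf" || bad=$?
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}
```

Run check_webmin_duo with no arguments on the server to audit the live files, or call demo to see it pass and fail on the constructed samples.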

    Sources

    Thanks to Kite for the Webmin specifics.

    2 Comments

    Kite - David ~ July 05, 2012

    Jim,
    I am really glad I could help you out with the Webmin / Virtualmin parts!
    Please feel free to visit my Blog for other Webmin / Virtualmin Related posts!

    Kite - David

    Visitor ~ July 20, 2013

    Awesome, thanks for this write up

    Just implemented this myself
