2FA accepts any code and accepts logins

Hi everyone.

Under fully updated RHEL 7.2 system...

2 servers have that exact same flaw. The 2fa I had set up before installing virtualmin for ssh logins still works fine and only accepts proper codes.

I've tried to set up 2fa with Google Auth on latest virtualmin. After numerous tries at activating, missing modules, trying to install them, installing Moose, Moo outside of virtualmin, testing all requires, strict and warning packages for Authen::OATH, I decided to try, according to one of the many support pages on this forum, to install an old version (1.0.0) of perl-Authen-OATH found on sourceforge...

I could then activate 2fa. And my happiness was short lived because after enrolling users, the webmin login page accepts ANY code. So I removed manually the package. Same thing. I then removed Authen::OATH from the list of perl modules from within webmin only to see I can still activate 2fa and it still accepts every code.

So far, I've:
<code>yum install perl-CPAN
perl -MCPAN -e shell
install Bundle::CPAN
Authen::OATH is up to date (2.0.0).
reload cpan
install Authen::OATH</code>

as well as install every perl package by hand to receive... every time, for all packages messages like this one:

<code>cpan[3]> install Authen::OATH
Reading '/root/.cpan/Metadata'
  Database was generated on Wed, 31 Aug 2016 16:53:29 GMT
Authen::OATH is up to date (2.0.0).</code>

What troubles me is that I removed Authen::OATH from inside webmin, but cpan shell still reports it's installed and up to date.

Can someone help me solve this thing? Where can I look at?

Thanks

Marc.

Status: Active

Comments

Are you sure that 2-factor is enabled globally, in the Webmin Users module, and that the user you're logging in as has enrolled?

Yes to all questions.

The problem is that webmin would not activate 2fa while all modules were installed. Painfully checked manually all dependencies. And after I've installed and removed an old perl-authen-oath rpm and removed the core perl package (Authen::OATH) I still can activate 2fa and enroll users.

There clearly is a problem with webmin not being able to recognize what module is installed or not... Then properly use them.

Now, when I want to activate 2fa, it tells me about missing perl module. I let it install to be told:

Digest::HMAC warnings Moo Types::Standard strict Math::BigInt Digest::SHA Module::Build (2 modules missing)

when I click fetch missing dependencies, I get:

Scalar::Util Role::Tiny Test::Fatal Exporter Module::Runtime Class::Method::Modifiers Test::More Devel::GlobalDestruction Exporter::Tiny Digest::HMAC warnings Moo Types::Standard strict Math::BigInt Digest::SHA Module::Build (All installed)

It'd be important that the first screen would recognize what the second says... All modules are installed.

I also tried issuing

force install Authen::OATH Digest::HMAC Moo Types::Standard Test::More Math::BigInt Digest::SHA Module::Build Scalar::Util Role::Tiny Test::Fatal Exporter Module::Runtime Class::Method::Modifiers Test::More Devel::GlobalDestruction Exporter::Tiny from the cpan shell to no avail

Is there anything I can help you with providing you a list of installed packages or something?

Thanks.

Marc

I fixed it.

Here's how:

webmin - others - perl modules

install modules from cpan named I input this string: Authen::OATH Digest::HMAC Moo Types::Standard Test::More Math::BigInt Digest::SHA Module::Build Scalar::Util Role::Tiny Test::Fatal Exporter Module::Runtime Class::Method::Modifiers Devel::GlobalDestruction Exporter::Tiny

I checked both boxes

clicked install

it complained about missing 1 module

selected: make and install

clicked continue with install

activated google 2fa in webmin configuration

registered user

using another browser, tested it'd refuse random key and accept correct one.

Voilà! Maybe I could suggest, humbly so, that a tut be created for last resort guys like me having this problem.

Best regards.

Marc
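A command-line check for the situation in this thread, added here as an example (it is not Webmin code and not from any poster): it loads each Perl module named in the dependency lists above, prints which file on disk was used, and confirms that Authen::OATH reproduces the published RFC 6238 test values. It assumes the `totp($secret, $time)` method of Authen::OATH with its default 6 digits and 30 second timestep.

```perl
#!/usr/bin/perl
# Added example (not Webmin code): confirm the modules named in this thread
# load in this interpreter and that Authen::OATH returns known TOTP values.
use strict;
use warnings;

# Module names copied from the dependency lists quoted in the thread.
my @modules = qw(
    Authen::OATH Digest::HMAC Digest::SHA Moo Types::Standard Math::BigInt
    Module::Runtime Role::Tiny Class::Method::Modifiers
    Devel::GlobalDestruction Exporter::Tiny Scalar::Util
);

my @failed;
for my $mod (@modules) {
    (my $file = "$mod.pm") =~ s{::}{/}g;
    if (eval { require $file; 1 }) {
        # %INC shows which copy on disk was loaded (rpm vs CPAN install).
        printf "ok      %-26s %s\n", $mod, $INC{$file};
    }
    else {
        my ($why) = split /\n/, $@;
        printf "FAILED  %-26s %s\n", $mod, $why;
        push @failed, $mod;
    }
}
die "Cannot load: @failed\n" if @failed;

# RFC 6238 Appendix B, SHA-1 rows: the 8-digit values are 94287082 and
# 07081804, so the default 6-digit codes are their last six digits.
my %expected = (59 => '287082', 1111111109 => '081804');
my $secret   = '12345678901234567890';    # RFC test secret, raw ASCII bytes
my $oath     = Authen::OATH->new;         # defaults: 6 digits, 30 s timestep

for my $time (sort { $a <=> $b } keys %expected) {
    my $got = sprintf '%06d', $oath->totp($secret, $time);
    die "TOTP mismatch at t=$time: got $got, want $expected{$time}\n"
        unless $got eq $expected{$time};
    print "ok      totp(t=$time) = $got\n";
}
print "Authen::OATH loads and computes RFC 6238 values correctly\n";
```

Run it with the same Perl interpreter and user that Webmin runs under, since a different interpreter can see a different set of installed modules. A clean run only shows the library works; the browser test described above (a random code refused, the correct one accepted) is still what confirms the login page enforces it.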

I'm surprised that you were able to turn on two-factor in Webmin without first having those modules installed and working..