a simply terrifying experience (setting up OAUTH)...

  • rapidwebs
  • 07/10/13
Posted: Wed, 2014-02-12 00:53

OK, I would post a bug report, but I figured I would see if anybody had any input first! So I spent today setting up OAUTH on all our servers, including preparing the PAM modules for 2-step SSHd access.

I continued on, and in order to properly secure the admin account, we planned to use 2-factor authentication for this as well... Anyway, I could not find any way to use OAUTH 2-step with regard to a sudo account.

The problem is that there is no Webmin account for the sudo account, so I went ahead and converted the sudo account to a Webmin user, and this was where things got sticky!

Anyway, I made sure to add the new user to the Moderator (Webmin) group I have set up, which has access to all modules. When I logged out and logged back in, the interface was missing the Webmin tab (and it was explicitly set to be shown).

After hacking my way around this first problem, this user did not have access to the Users & Groups module. I could not revert the changes!

One should note: my Moderators group allows a simple virtual server near-root functionality, and this user was set to the same group, but things were acting much differently.

So I found the ACL for Webmin users and copied root's over the sudo user's "module list". Now I could access the Users module, but Perl was throwing an error in the left column and breaking the page. After more kufudgery I was in... What to do, what to do... I know, I'll delete this converted user!

"You can not delete yourself!"

OMFG.

Okay, repeat the process for an existing virtual host, add them to the Moderator group I have made... and FINALLY I was again able to log in with regular permissions as a sudo account, and started cleaning things up, without having to do any sort of restore.

Anyway, to make a long story sh... longer:

Anybody have any idea what I should do in this scenario? Simply offer all my users two-factor auth, but disable it for my sudo account?

The only way I could think to 2-step this account would be to restrict by IP alongside the password...