Google 2FA on WebUI


#1

Hello! As I said in my previous topic, “Sorry if I miss something, I’m new here.”

Is there a way to add a box to the WebUI login for Google 2FA codes? And if there is a way, can somebody walk me through how to do so? (I only know so much about node.js)
If Google 2FA is not possible, I’d be fine with some other 2FA method.

I think it’d be a cool idea (if possible) to make a script that can enable a method of 2FA.

I am on the latest version of Turnkey MineOS with everything up to date.


#2

The WebUI as is does not have 2FA as a module. For user management and authentication it relies on the underlying OS. The user/password combination you enter in the WebUI must match an existing user on the OS.

Turnkey Linux (the underlying OS of MineOS) is a stripped down and streamlined version of Debian. So if something can be done on Debian, you should be able to do it on Turnkey.

This guide tells you how to activate 2FA for SSH and SUDO: https://www.linux.com/learn/how-set-2-factor-authentication-login-and-sudo

Be warned though:
I am not sure how the WebUI, or more precisely the html authentication it uses to access the underlying OS’s user management framework, will react to suddenly having another hoop to jump through. Most likely you will get a timeout or an auth error since it’s not programmed to react to, and wait for, a secondary passkey prompt. This means I fear that activating 2FA on your system will lock you out of the WebUI, since the WebUI does not know how to handle it.

This version of MineOS is for the most part locked down for new features, since development for the next generation WebUI is underway. I’ll rebrand this thread as a feature request, so that it gets considered for this, or more likely the next, generation of MineOS.


#3

Alright. Thank you for your support and consideration! I enabled 2FA for ssh, I just want my webapps to be as secure as possible.


#4

The only other kind/type of 2FA I can think of currently as is would be a VPN of some sort you must connect to first to then afterwards be able to access the web ui, though I’m not sure if that actually counts (but I’ve done it before a few times in the past); essentially you’d make the web ui page not publicly accessible (only locally), and then remotely would require a VPN to be installed/enabled/added to the system or the network it is on in order to access the page, through the VPN. Depending upon what VPN it is that you’d choose to use, there may be some sort of 2FA such as like certificates that go along with passwords or maybe Google 2FA, and then pretty much everything going/passing through will be 2FA in terms of now being able to access the web ui login page through it (and anything else you choose to add); there may also be the possibility of using webmin to achieve this as I believe I have seen a 2FA thing within it before, and it’s got an embedded iframe browser that loads pages through it to your browser so you could authenticate through that and then sign into the web ui using its integrated browser pretty much. 2 alternative methods that you can attempt/try.


#5

I was thinking of making a landing page in which literally the only thing there is just a box that says, “Auth code” and connect it with Google-2FA and JavaScript. The problem is that I can’t figure out how to connect the two.

EDIT: And to the VPN solution, I’ve actually done that before. The problem is that I don’t want to pay for a static IP just to connect to one website, so I stopped using that solution. And for the webmin solution, I’ll have to check that out. I haven’t really gotten into Webmin, but I’ve been wanting to get it set up.
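
Added example, not part of the original posts and not MineOS code: the check an "Auth code" box like the one in post #5 would need, as a dependency-free Node.js verifier for TOTP, the scheme Google Authenticator implements (RFC 6238: HMAC-SHA1, 30-second steps, 6 digits). It has to run in the server process rather than in page JavaScript, because the shared secret must never reach the browser; the function names and the sample secret (the RFC 6238 test key) are assumptions of this example.

```javascript
// Added example (not MineOS code): server-side TOTP check per RFC 6238 / RFC 4226.
const crypto = require('crypto');

const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
const STEP = 30;   // seconds per code, the Google Authenticator default
const DIGITS = 6;

// Decode the base32 secret the authenticator app was enrolled with.
function base32Decode(text) {
  let bits = 0, value = 0;
  const out = [];
  for (const ch of text.toUpperCase().replace(/[\s=]/g, '')) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error('invalid base32 character');
    value = ((value << 5) | idx) & 0xfff; // keep only the pending bits
    bits += 5;
    if (bits >= 8) { bits -= 8; out.push((value >>> bits) & 0xff); }
  }
  return Buffer.from(out);
}

// HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation.
function hotp(secretB32, counter) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', base32Decode(secretB32)).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const code = (mac.readUInt32BE(offset) & 0x7fffffff) % 10 ** DIGITS;
  return String(code).padStart(DIGITS, '0');
}

// Code for a given Unix time.
const totpAt = (secretB32, seconds) => hotp(secretB32, Math.floor(seconds / STEP));

// Returns the matched time step (store it per user) or null.
// lastUsedStep blocks replay of an accepted code; drift allows +/- one step of clock skew.
function verifyTotp(secretB32, submitted, nowSeconds, lastUsedStep = -1, drift = 1) {
  if (typeof submitted !== 'string' || !/^\d{6}$/.test(submitted)) return null;
  const current = Math.floor(nowSeconds / STEP);
  let matched = null;
  for (let step = Math.max(0, current - drift); step <= current + drift; step++) {
    const expected = Buffer.from(hotp(secretB32, step));
    if (crypto.timingSafeEqual(expected, Buffer.from(submitted)) && step > lastUsedStep) matched = step;
  }
  return matched;
}

// Constructed sample: RFC 6238 test secret "12345678901234567890" in base32.
const SAMPLE_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
console.log(totpAt(SAMPLE_SECRET, 59), verifyTotp(SAMPLE_SECRET, '287082', 59));
```

Persist the returned step per user and pass it back as `lastUsedStep` on the next login, and rate-limit attempts, since a 6-digit code is small enough to guess by brute force.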


#6

Well, you can probably do things a bit “dirty” by replacing the MineOS auth page with your own complete/fully custom one which would then afterwards point/redirect to the MineOS auth page, whatever you’d choose to rename it to assuming that doing so doesn’t/won’t break anything.

As for the VPN portion, I was referring to setting up, configuring and hosting your own (much like you are currently doing with MineOS, not paying a provider for one; paying a provider for one I believe would actually most probably likely increase latency and create lag compared to just hosting one yourself either from the same system or the same network or gateway); webmin has configuration panels for 2 VPN types I believe, or it can also be done manually without the use of webmin.


#7

Ah I see. I could do the VPN method that way. As for the new Auth site, I’d be a bit skeptical in case I need to or accidentally run the reset script, or if an update changes the page. At the same time, I could keep a backup of my own Auth page and just override the default one when needed. Thanks for the ideas!