Is it possible to secure the ISPConfig Control Panel access with two-factor authentication and, if so, how can this be achieved? Thanks in advance, Erik van Doorne
No, not at this time. I did see a post on the internet (not this forum) once about setting up 2FA right in nginx, which could possibly be an option. I've never tried, nor looked for an equivalent apache setup.
I second this. Especially the admin account needs to be protected. I'd also suggest implementing fido2/webauthn as login method instead of passwords, also for the admin account. Perhaps not a simple task, and I'd be willing to participate in a bounty for this feature.
There is currently no system in place to facilitate multiple parties contributing to fund a feature, but @helmo recently mentioned he'll contribute to this one as well.
Not 2FA, but two-step using .htaccess/.passwd authentication does have some advantages. Besides requiring the cracker to have two correct combinations, htaccess authentication doesn't (as ISPConfig does) require a SQL lookup, so reducing load if a brute force attack eludes fail2ban. You could do a pseudo-2FA htaccess authentication by having a cron job that alternates the authentication files. And, of course, don't have Admin as your ISPConfig username, especially if 1234 is your password.
As long as it does not break the API, it's fine ;-) In the beginning I had the admin panel only available via VPN. However, I did not want to have an account for every user... I would appreciate 2FA for the admin panel. In my naive view it looks rather easy: make a DB field to store the secret (if you want to have that in the same database as the password? oO) and implement one of these examples: https://github.com/topics/totp?l=php but as always, the devil is in the details. Anyway, I have secured my SSH account with TOTP, which takes like 8 minutes (https://ubuntu.com/tutorials/configure-ssh-2fa#1-overview), and secured the ISPC admin panel by other means. Would be a nice feature, though.
https://stackoverflow.com/questions...te-google-two-factor-authentication-using-php Granted, it's using Google Authenticator, but I believe it would work with any authenticator as long as you can add the required information.
A more recent implementation (inspired by the same code as mentioned above) can be found here: https://github.com/RobThree/TwoFactorAuth It's being actively maintained but with minimal documentation (apparently it doesn't need much more than a few calls...)
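The TOTP check discussed in the posts above (a stored secret plus a PHP verifier), written out as an added example; it is not ISPConfig code and not taken from either linked project. It follows RFC 6238 with the usual authenticator-app defaults (SHA-1, 30-second step, 6 digits); the function names and the `$lastStep` value stored next to the secret are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Decode the RFC 4648 base32 secret that authenticator apps import.
function base32_decode_secret(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '' || strspn($b32, $alphabet) !== strlen($b32)) {
        throw new InvalidArgumentException('invalid base32 secret');
    }
    $bits = '';
    foreach (str_split($b32) as $ch) {
        $bits .= str_pad(decbin(strpos($alphabet, $ch)), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// RFC 4226 HOTP value for one counter, zero-padded to $digits.
function hotp(string $key, int $counter, int $digits = 6): string {
    $hash   = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hash[19]) & 0x0f;        // dynamic truncation offset
    $bin    = unpack('N', substr($hash, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string)($bin % 10 ** $digits), $digits, '0', STR_PAD_LEFT);
}

// Returns the matched time step, or null if the code is rejected.
// $lastStep is the step of the previous successful login (hypothetical DB
// column); persisting the returned step makes each code usable only once.
function totp_verify(string $key, string $code, int $now, int $lastStep, int $window = 1): ?int {
    $current = intdiv($now, 30);
    $match = null;
    for ($step = $current - $window; $step <= $current + $window; $step++) {
        // hash_equals() compares in constant time; no early exit on a match.
        if ($step > $lastStep && hash_equals(hotp($key, $step), $code)) {
            $match = $step;
        }
    }
    return $match;
}

// Constructed demo: RFC 6238 test secret "12345678901234567890" at t = 59.
$key  = base32_decode_secret('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
$code = hotp($key, intdiv(59, 30));
$step = totp_verify($key, $code, 59, 0);
var_dump($step);                                 // first use of the code
var_dump(totp_verify($key, $code, 59, $step));   // same code replayed
```

Rate limiting of failed attempts and protection of the stored secret at rest are outside this block and still need to be handled by the login code around it.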
Seems easy. I guess one just needs to test it and if all worked out, pull request it to ISPConfig git to make it available for everyone with option to turn it off or on in the panel as some may not want it.
I don't think so, at least not yet, so those who are capable should write and propose in the git. I am quite sure the contributions are very much welcomed.
Based on https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1540 with cross reference to https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2558 it seems that the milestone is 3.2.9 for the very basic version.