Configure DUO 2FA in Ezeelogin SSH Jumphost
How to enable/disable DUO 2fa in Ezeelogin?
Overview: This article provides a comprehensive guide on configuring and managing Duo two-factor authentication (2FA) for Ezeelogin gateway users. It also covers methods to disable duo 2FA through both the GUI and backend commands.
Note:
Do check out the duo ssh jump host configuration video as well.
1. How to enable DUO 2FA (Two-factor Authentication) in Ezeelogin?
Step 1(A): Create your account on duo.com and log in. Navigate to Applications -> Protect an Application
Step 1(B): Search for Web SDK and click on Protect this Application
Step 1(C): Copy the Integration Key, Secret Key, and API Hostname and paste them on Ezeelogin GUI. Also, enter a custom name for this Application Under Settings.
Step 1(D): Enable duo 2FA in the Ezeelogin GUI with an admin privileged user. Log in to the Ezeelogin GUI, navigate to Settings -> General -> Two Factor Authentication -> Enable Duo, and paste the DUO Integration Key, Secret Key, and the API hostname in the highlighted fields below, then click on the save button.
Note:
In order to avoid the " invalid_grant " or " An Error Was Encountered "error, make sure to access the Ezeelogin GUI with SSL(HTTPS) and a domain name.
Refer to the article "error": "invalid_grant", "error_description"
Step 1(E): To set up Duo 2FA for user authentication, log in to the Ezeelogin GUI as the user for whom duo is to be enabled. Then, navigate to Account -> Duo Authenticator -> Enable Duo Authenticator.
Step 1(F): Log out and re-login into the web panel and duo two-factor authentication will be asked.
Step 1(G): The backend 2fa method will also be using Duo 2FA.
Note:
If an Ezeelogin user wants to enable DUO 2FA, but Admin has disabled force two-factor authentication, then that particular user must log into the GUI and enable DUO 2FA under Account -> DUO Authenticator then logout and re-login again into the web panel and you would be asked for DUO two-factor authentication.
2. How to disable DUO 2FA (Two-factor Authentication) from the GUI?
Step 2(A): To disable Duo 2FA globally(Duo 2FA will be disabled for all users), navigate to Settings -> General -> Two Factor Authenticator -> Disable Duo
Step 2(B): To disable Duo 2FA for a single user, log in to the Ezeelogin GUI as the user for whom duo is to be disabled, navigate to Account -> Duo Authenticator -> Disable
Emergency CLI Method
Run the below commands to disable and clear DUO 2FA. Replace the username to disable DUO for that user.
root@gateway:~# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_settings set value='N' where(name='enable_duo')"
root@gateway:~# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_users set set_duo=0 where username='ezadmin'"
This error happens when we enforce Two-Factor authentication without enabling any of the Two-Factor authentications. Run the following command to disable Force Two Factor Authentication.
root@gateway:~# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_settings SET value = 0 WHERE name = 'two_factor_auth'"
root@gateway:~# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_usergroups SET force_tfa = 'N'"
Related Articles:
Enable/Disable two-factor authentication in Ezeelogin
Error: No Two-factor Authentication enabled in GUI