How to reset Google authenticator, DUO, Yubikey, Access keyword, Radius, and FIDO2 two-factor authentication (2FA) secrets for the gateway user?
Overview: This article will help Ezeelogin admin users reset Google authenticator, DUO, Yubikey, Access keyword, Radius, and FIDO2 two-factor authentication (2FA) secrets for the gateway user when the user is locked out or has forgotten their 2FA.
Prompt for 2FA when a user tries to log in to the GUI:
- If the gateway user has admin privileges, they can click on the reset password icon, enable "Clear Two-Factor Authentication Secret," and then save the changes.
Note: The gateway user can now log in without being asked for 2FA if 2FA is not enforced; otherwise, the user will be prompted to set up 2FA again.
How to reset the Google Authenticator code individually?
- Individual users can log in to the GUI and navigate to Account -> Google Authenticator -> Reset to reset the Google Authenticator code.
Emergency CLI Method:
For Ezeelogin Version 7 and above:
1. To disable two-factor authentication (2FA) for the admin user, run the following commands.
root@gateway:~# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_settings SET value = 0 WHERE name = 'two_factor_auth'"
root@gateway:~# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_users set egs=NULL,eak=NULL,eyk=NULL,set_duo=0 where id=1"
2. To disable two-factor authentication (2FA) for all users, run the following command.
root@gateway:~# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_users set egs=NULL,eak=NULL,eyk=NULL,set_duo=0"
Abbreviations:
eak = Access Keyword
eyk = Yubikey
egs = Google Authenticator
set_duo = DUO 2FA
Emergency CLI Method:
For Ezeelogin Version 6 and below:
Users need to provide the correct db_name and db_prefix from ez.conf to run the MySQL commands manually.
1. Find the database name and database prefix in /usr/local/etc/ezlogin/ez.conf on the Ezeelogin gateway server.
root@gateway:~# cat /usr/local/etc/ezlogin/ez.conf | grep -i "db_name\|db_user\|db_pass\|db_prefix"
db_name ezlogin_por
db_user ezlogin_cxy
db_pass ymhbtPaY)VzD2g]84
db_prefix casmbn_
2. Log in to the MySQL command prompt.
Replace "db_user", "db_name" and "db_pass" with the values in /usr/local/etc/ezlogin/ez.conf on the Ezeelogin jump server.
root@gateway:~# mysql -u db_user -p db_name
3. Run the following commands to clear two-factor authentication (2FA) for the admin user.
Replace "dbprefix_" with the value of db_prefix from /usr/local/etc/ezlogin/ez.conf on the Ezeelogin jump server.
Example: "dbprefix_settings" is to be replaced with "casmbn_settings".
mysql> UPDATE dbprefix_settings SET value = 0 WHERE name = 'two_factor_auth' ;
mysql> UPDATE dbprefix_users SET egs=NULL,eak=NULL,eyk=NULL,set_duo=0 where id=1;
4. Run the following command to clear two-factor authentication (2FA) for all users.
mysql> UPDATE dbprefix_users SET egs=NULL,eak=NULL,eyk=NULL,set_duo=0;
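The Version 6 steps above, as an added example (not Ezeelogin's own tooling): the script reads db_prefix from ez.conf without printing db_pass to the terminal, then prints a SELECT that records which factors the user had, followed by the single-user UPDATE from step 3. The function names, column aliases and sample config values are constructed for illustration; only the table and column names come from this article.

```bash
#!/usr/bin/env bash
# Added example: build the reset statements from ez.conf ("key value" per line)
# without echoing db_pass. Nothing here connects to MySQL.

# Print the value of one key from an ez.conf-style file.
ez_conf_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Emit an audit SELECT plus the single-user UPDATE, using the real table prefix.
build_2fa_reset_sql() {
    conf=$1 user_id=$2
    prefix=$(ez_conf_get "$conf" db_prefix)
    # Refuse anything that is not a plain identifier or a numeric id, so a
    # malformed config line or argument never reaches the SQL prompt.
    case $prefix in ''|*[!A-Za-z0-9_]*) echo "bad db_prefix" >&2; return 1 ;; esac
    case $user_id in ''|*[!0-9]*) echo "bad user id" >&2; return 1 ;; esac
    # Record which factors were set before they are cleared (aliases are hypothetical).
    printf 'SELECT id, egs IS NOT NULL AS had_google, eak IS NOT NULL AS had_keyword, eyk IS NOT NULL AS had_yubikey, set_duo FROM %susers WHERE id=%s;\n' "$prefix" "$user_id"
    printf 'UPDATE %susers SET egs=NULL,eak=NULL,eyk=NULL,set_duo=0 WHERE id=%s;\n' "$prefix" "$user_id"
}

# Write a constructed sample config to a temp file and print its path.
sample_conf() {
    f=$(mktemp)
    printf '%s\n' 'db_name ezlogin_por' 'db_user ezlogin_cxy' \
        'db_pass CONSTRUCTED-not-real' 'db_prefix casmbn_' > "$f"
    echo "$f"
}

# Demo run against the constructed config; on a gateway, pass
# /usr/local/etc/ezlogin/ez.conf and review the output before running it.
conf=$(sample_conf)
build_2fa_reset_sql "$conf" 1
rm -f "$conf"
```

Keeping the SELECT output alongside the change ticket gives a record of which users must re-enroll after the emergency reset.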