2FA

Zabbix: two-factor authentication with Authenticator app (version 5.0.10+, 6.0, 6.4)

ey — Wed, 28 Apr 2021 02:06:40 +0000

Zabbix: two-factor authentication with Authenticator app (version 5.0.10+, 6.0, 6.4)

Author

Evgeny Yurchenko

ey Wed, 04/28/2021 - 09:06

This article describes how to implement two-factor authentication (2FA) in Zabbix server with Google or Microsoft Authenticator app (available for iOS and Android).

You can find many articles about how Authenticator app works on the Internet let's briefly describe how it applies to Zabbix server. When a user logs in and Zabbix server successfully authenticates him/her using one of its "out-of-the-box" methods (Internal, LDAP, etc) then 2FA via Authenticator app takes place and only if this user successfully enters one time password (OTP) generated on his/her device by Authenticator app only then the user is granted access to Zabbix server WebUI. This algorithm is implemented in non-official fork of Zabbix server https://github.com/BGmot/zabbix (see README about different ways to install it).

There are two ways to install/test this feature.

1) The easiest way to test this solution is to deploy these docker container (if you don't want to touch your Zabbix server instance):

docker run -p 8080:80 --name zabbix-appliance -t -d bgmot42/zabbix-appliance-ubuntu:6.0.0-bg

Bringing up zabbix-appliance container takes time as it creates the database schema from scratch, before proceeding watch its logs:

docker logs -f zabbix-appliance

and do not proceed until you see that all zabbix-server processes started:


   377:20210428:014731.172 server #40 started [lld worker #1]
   378:20210428:014731.174 server #41 started [lld worker #2]
   372:20210428:014731.233 server #36 started [preprocessing worker #1]
   374:20210428:014731.233 server #38 started [preprocessing worker #3]
   373:20210428:014731.249 server #37 started [preprocessing worker #2]

2) Install the feature on you already running Zabbix server (hope you know what you are doing). Login into the server and do the following:

curl -L -o bg-features-install.sh https://github.com/BGmot/zabbix/raw/6.0.0-bg/bg-scripts/bg-features-install.sh

Then edit bg-features-install.sh to provide correct values for these variables:

DB_HOST=localhost
DB_USERNAME=zabbix
DB_PASSWORD=zabbix
ZABBIX_INSTALL_PATH=/usr/share/zabbix

and run installations script which will make some additions to DB and replace some php files (current files will be backed up):

sudo bash bg-features-install.sh

If you see "Done! Reload your browser to see changes." then patching completed successfully you can proceed.

Turn on 2FA

So you have a running Zabbix server with default user "Admin" and password "zabbix". Go to http://localhost:8080/ URL and login with these credentials. Open Administration -> 2FA page, select Google Authenticator and click Update.

Log off and try to login as "Admin" again.

Registering your device

If you (user Admin) have never logged in using Google Authenticator Zabbix will generate unique secret code for this account and you'll be presented with a QR code representing this code:

Open Google Authenticator app on your device, tap plus sign and scan this QR code. You should see "Zabix docker (Admin)" entry in the app:

Enter these 6 digits into Zabbix UI prompt and if you did everything correctly you'll see default UI page and Zabbix internally will update Admin user's status to 'Enrolled into Google authenticator 2FA' so nobody will ever see this QR code again. It's important to know that the secret code generated once during user's registration will never travels to user's browser so can't be intercepted. When in future Admin user logs in again into Zabbix his/her enrollment status will be checked and only request for 6-digit code will be shown:

Tags: Zabbix 2FA

Zabbix: two-factor authentication with DUO

ey — Wed, 17 Feb 2021 03:35:38 +0000

Zabbix: two-factor authentication with DUO

Author

Evgeny Yurchenko

ey Wed, 02/17/2021 - 10:35

This article describes how to implement 2FA with DUO as provider in Zabbix server.

If you are not familiar with two-factor authentication then please read this nice introduction. Why DUO? Because at the moment of when this requirement for Zabbix server came up I was working for a company that used DUO 2FA for all services access.

What's added to Zabbix server - when a user logs in and Zabbix server successfully authenticates him/her then 2FA via DUO takes place and only if this users successfully authenticated by DUO he/she is granted access to Zabbix server WebUI. This algorithm is implemented in non-official fork of Zabbix server https://github.com/BGmot/zabbix (see README about different ways to install it). You can read about how Zabbix server interacts with DUO here.

The easiest way to test this solution is to deploy these docker container (if you don't want to touch your Zabbix server instance):

docker run -p 8080:80 --name zabbix-appliance -t -d bgmot42/zabbix-appliance-ubuntu:6.0.0-bg

But before we can test anything you need to set up your DUO account.

Setting up DUO

It's very nice of DUO to offer absolutely free not limited by time access to DUO services for up to 10 users so go here and create an account. Login into your 'Dashboard' and select Applications at the left menu, click Protect an Application button. In Protect an Application field put web sdk to filter all the results.

Click on Protect button in Web SDK line and you'll be forwarded to a page with your Web SDK application settings:

In the next step we will be using these values to configure DUO 2FA in Zabbix server.

Configure Zabbix server

Create a test user if you don't have it already (for demo in this howto bgmot user was created).

Go to Administration -> 2FA, select DUO and fill API hostname, Integration key and Secret key fields copy-pasting from DUO WebSDK settings. There are two ways to generate 40 characters long custom key:

Use this on-line service http://www.sha1-online.com/ and generate 40 characters SHA1 key.

import os, hashlib
print hashlib.sha1(os.urandom(32)).hexdigest()

So you should have something similar to this in Zabbix server WebUI:

Click Update and the Zabbix server is configured for 2FA!

Testing

Logout out of Zabbix WebUI and login back as a test user, if you entered credentials correctly you'll see DUO's set up page, this means the user has not been set up yet at DUO side.

Click Start setup. Select type of device you are going to use for 2FA and answer all other questions, finally you should see this screen:

Select the way you want to perform 2FA and authorize accordingly. That's it now you are authorized and should be redirected to Dashboards in Zabbix WebUI. The next time you login you will not need to go through set up process you will only need to select the way to perform 2FA and confirm authentication on your device.

Now if you go back to your Dashboard in DUO and select Users you'll see that new user bgmot has been created. Here you can disable 2FA for this user, disable user effectively disabling his/her access to Zabbix, see timeline when this user logged in and do lots of other cool stuff (read DUO's documentation).

Tags: Zabbix 2FA DUO