Zabbix: two-factor authentication with Authenticator app (version 5.0.10+, 6.0, 6.4)
28th Apr 2021
This article describes how to implement two-factor authentication (2FA) in Zabbix server with the Google or Microsoft Authenticator app (available for iOS and Android).
You can find many articles on the Internet about how Authenticator apps work, so let's only briefly describe how this applies to Zabbix server. When a user logs in and Zabbix server successfully authenticates them using one of its "out-of-the-box" methods (Internal, LDAP, etc.), 2FA via the Authenticator app takes place: only if the user then enters the correct one-time password (OTP) generated on their device by the Authenticator app is the user granted access to the Zabbix web UI. This algorithm is implemented in a non-official fork of Zabbix server, https://github.com/BGmot/zabbix (see its README for the different ways to install it).
There are two ways to install/test this feature.
1) The easiest way to test this solution is to deploy this Docker container (if you don't want to touch your Zabbix server instance):
docker run -p 8080:80 --name zabbix-appliance -t -d bgmot42/zabbix-appliance-ubuntu:6.0.0-bg
Bringing up the zabbix-appliance container takes time because it creates the database schema from scratch; before proceeding, watch its logs:
docker logs -f zabbix-appliance
and do not proceed until you see that all zabbix-server processes have started:
377:20210428:014731.172 server #40 started [lld worker #1]
378:20210428:014731.174 server #41 started [lld worker #2]
372:20210428:014731.233 server #36 started [preprocessing worker #1]
374:20210428:014731.233 server #38 started [preprocessing worker #3]
373:20210428:014731.249 server #37 started [preprocessing worker #2]
2) Install the feature on your already running Zabbix server (hope you know what you are doing). Log in to the server and do the following:
curl -L -o bg-features-install.sh https://github.com/BGmot/zabbix/raw/6.0.0-bg/bg-scripts/bg-features-install.sh
Then edit bg-features-install.sh to provide the correct values for these variables:
DB_HOST=localhost
DB_USERNAME=zabbix
DB_PASSWORD=zabbix
ZABBIX_INSTALL_PATH=/usr/share/zabbix
and run the installation script, which will make some additions to the DB and replace some PHP files (the current files will be backed up):
sudo bash bg-features-install.sh
If you see "Done! Reload your browser to see changes." then patching completed successfully and you can proceed.
Turn on 2FA
So you have a running Zabbix server with the default user "Admin" and password "zabbix" (change that default password on anything that is not a throwaway test instance). Go to http://localhost:8080/ and log in with these credentials. Open the Administration -> 2FA page, select Google Authenticator and click Update.
Log out and try to log in as "Admin" again.
Registering your device
If you (user Admin) have never logged in using Google Authenticator, Zabbix will generate a unique secret for this account and you'll be presented with a QR code representing it:
Open the Google Authenticator app on your device, tap the plus sign and scan this QR code. You should see a "Zabix docker (Admin)" entry in the app:
Enter these 6 digits into the Zabbix UI prompt. If you did everything correctly you'll see the default UI page, and Zabbix internally will update the Admin user's status to 'Enrolled into Google authenticator 2FA', so nobody will ever see this QR code again. Note that the QR code is the one moment the secret leaves the server: it is embedded in the otpauth:// URI the QR code encodes, so do the enrollment over HTTPS on a machine you trust. After enrollment the secret stays in the Zabbix database and is never sent to the browser again; only the 6-digit code travels over the wire. When the Admin user logs in again in future, his/her enrollment status will be checked and only a request for the 6-digit code will be shown:
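The login flow just described (primary login succeeds, first 2FA login shows the QR code once, every later login only asks for the 6-digit code) together with the TOTP check behind it, as an added example in Python. This is not the fork's PHP code: an in-memory dict stands in for the per-user state the fork keeps in its database, the issuer string ISSUER, the class and helper names, and the one-step replay window are assumptions, and the RFC 6238 test secret is used only for checking the arithmetic.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30                  # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6                 # length of the code the user types
ISSUER = "Zabbix docker"   # assumed issuer label; the app shows it as "Issuer (account)"


def generate_secret(nbytes: int = 20) -> str:
    """Fresh base32 secret (160 bits, the RFC 4226 minimum). Lives server-side only."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step)


def otpauth_uri(secret_b32: str, account: str, issuer: str = ISSUER) -> str:
    """The URI the enrollment QR code encodes. The secret is inside it: show it once, over HTTPS."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


class TwoFactorStore:
    """In-memory stand-in (assumption) for the per-user 2FA state the fork keeps in its DB."""

    def __init__(self) -> None:
        self.users: dict = {}

    def add_user(self, user: str, secret_b32: Optional[str] = None) -> None:
        # The secret is created once; the user is not enrolled until a code verifies.
        self.users[user] = {"secret": secret_b32 or generate_secret(),
                            "enrolled": False,
                            "last_counter": -1}

    def begin_login(self, user: str) -> dict:
        """Called after the primary (Internal/LDAP/...) authentication succeeded."""
        if user not in self.users:
            self.add_user(user)
        rec = self.users[user]
        if not rec["enrolled"]:
            # First 2FA login: the only time the secret is exposed, via the QR code.
            return {"action": "show_qr", "uri": otpauth_uri(rec["secret"], user)}
        return {"action": "prompt_code"}

    def verify(self, user: str, code: str, now: Optional[int] = None, window: int = 1) -> bool:
        """Accept a code for the current step or +/- `window` steps, each step at most once."""
        rec = self.users.get(user)
        if rec is None or not (code.isdigit() and len(code) == DIGITS):
            return False
        counter = (int(time.time()) if now is None else now) // STEP
        for delta in range(-window, window + 1):
            c = counter + delta
            if c <= rec["last_counter"]:
                continue  # replay protection: a step that already authenticated is spent
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["last_counter"] = c
                rec["enrolled"] = True   # mirrors the 'Enrolled into ... 2FA' status flip
                return True
        return False
```

The replay guard is the part worth carrying into any real implementation: without remembering the last accepted step, a code sniffed or shoulder-surfed during its 30-second window can be reused as long as the clock-skew window allows.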