How to enable Google Authenticator for phpMyAdmin Jul 21, 2017

Google Authenticator

In this post I will show you how to put a second factor (a Google Authenticator TOTP code) in front of phpMyAdmin so that you can safely use it to manage your databases. I assume that you are running Ubuntu 16 and have already installed phpMyAdmin in /var/www/html/pma.

Prerequisites

Download https://github.com/itemir/apache_2fa/archive/master.zip and extract it to /var/www/a2fa/

Install onetimepass

pip install onetimepass

Configuration

Create a directory for storing states

mkdir /var/www/a2fa/state

Adjust permissions

chown -R www-data:www-data /var/www/a2fa
chmod 750 /var/www/a2fa/state
chmod 755 /var/www/a2fa/auth
chmod 755 /var/www/a2fa/state_clean
chmod 640 /var/www/a2fa/tokens.json

Enable Apache modules

a2enmod rewrite
a2enmod auth_digest
a2enmod cgid
service apache2 restart

Edit the vhost

nano /etc/apache2/sites-available/default-ssl.conf

Add this block inside the VirtualHost block. The first Directory section protects the 2FA CGI itself with Digest auth (the password factor); the second applies the same Digest auth to phpMyAdmin, and the .htaccess rules below add the TOTP factor on top of it.

# a2fa
ScriptAlias /auth/ /var/www/a2fa/
<Directory /var/www/a2fa>
AuthType Digest
AuthName "yourdomain.com"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile /var/www/a2fa/apache_credentials
Require valid-user
</Directory>
# a2fa protected pma
<Directory /var/www/html/pma>
AuthType Digest
AuthName "yourdomain.com"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile /var/www/a2fa/apache_credentials
Require valid-user
</Directory>

Create or edit .htaccess in the phpMyAdmin directory and add the text below. The first rule sends any request without a 2FA_Auth cookie to the auth script; the second sends requests whose cookie has no matching file under /var/www/a2fa/state (an expired or forged session) back through it as well.

RewriteEngine On

RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} !^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteRule ^(.*)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]

RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} ^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteCond /var/www/a2fa/state/%1 !-f
RewriteRule ^(.*)$ /auth/auth?/pma

Generate your TOTP secret (a base32 string) at https://daplie.github.io/browser-authenticator/, add it to your user's entry in /var/www/a2fa/tokens.json, and enrol the same secret in Google Authenticator on your phone.
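To show what that base32 secret actually is and how the code your phone displays is derived from it, here is a small pure-Python TOTP implementation (RFC 6238 on top of RFC 4226 HOTP). This is an added example, not code from the post or from the apache_2fa project (which uses the onetimepass package for the same job); the function names and the ±1-step skew window are my choices, and the reference secret is the RFC 6238 test value, not a real key.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def generate_secret(nbytes: int = 20) -> str:
    """Return a random base32 secret, the value you would paste into tokens.json
    and scan into Google Authenticator. 20 bytes is the RFC 4226 seed length for SHA-1."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.strip().upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)  # tolerate secrets shown without base32 padding
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret_b32, int(for_time) // step, digits)


def verify_totp(secret_b32: str, code: str, for_time: Optional[int] = None,
                window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step and `window` steps either side (clock skew).
    Comparison is constant-time so a verifier does not leak digits through timing."""
    if for_time is None:
        for_time = int(time.time())
    counter = int(for_time) // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta), code)
        for delta in range(-window, window + 1)
    )


# RFC 6238 test secret "12345678901234567890" in base32 (a published test vector, not a real key).
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("fresh secret for tokens.json:", generate_secret())
    print("code at T=59 (RFC 6238 expects 287082):", totp(RFC_SECRET_B32, 59))
    print("code right now:", totp(RFC_SECRET_B32))
```

The secret in tokens.json is equivalent to a password that never changes, which is why the post sets the file to mode 640 owned by www-data: anyone who can read it can compute every future code.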

Add a new user by running this command from /var/www/a2fa (or give the full path to apache_credentials). The realm argument must be exactly the AuthName from the vhost, because the stored hash is MD5 over user:realm:password and Apache will reject the login if the realm differs.

htdigest apache_credentials yourdomain.com <new_user>

Delete the sample test_user from /var/www/a2fa/apache_credentials (and its entry in tokens.json), otherwise the shipped placeholder credentials remain valid logins.
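A quick self-check for the points above (placeholder user removed, realm matches AuthName, every Digest user has a TOTP secret, tokens.json not readable by others), as an added example that is not part of the post or of apache_2fa. It assumes tokens.json is a JSON object keyed by username, and the sample file contents below are constructed for the demonstration.

```python
import json
import os
import stat
from typing import Dict, List

# Placeholder account shipped in the sample files (assumption based on the post above).
PLACEHOLDER_USERS = {"test_user"}


def parse_htdigest(text: str) -> Dict[str, str]:
    """Map user -> realm from an htdigest file (one user:realm:md5 per line)."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"malformed htdigest line: {line!r}")
        users[parts[0]] = parts[1]
    return users


def audit(htdigest_text: str, tokens_text: str, expected_realm: str,
          tokens_mode: int) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings: List[str] = []
    digest_users = parse_htdigest(htdigest_text)
    tokens = json.loads(tokens_text)  # assumed shape: {"user": "BASE32SECRET"}

    for user in sorted(PLACEHOLDER_USERS):
        if user in digest_users:
            findings.append(f"placeholder '{user}' still present in apache_credentials")
        if user in tokens:
            findings.append(f"placeholder '{user}' still present in tokens.json")

    for user, realm in digest_users.items():
        if realm != expected_realm:
            findings.append(f"user '{user}' has realm '{realm}' but AuthName is '{expected_realm}'")
        if user not in tokens:
            findings.append(f"user '{user}' has a Digest password but no TOTP secret")

    # The post sets tokens.json to 640: no access for 'other', no write for group.
    if tokens_mode & (stat.S_IRWXO | stat.S_IWGRP):
        findings.append(f"tokens.json mode {oct(tokens_mode & 0o777)} is too permissive (want 640)")
    return findings


def audit_install(a2fa_dir: str = "/var/www/a2fa", realm: str = "yourdomain.com") -> List[str]:
    """Run the same audit against the files on disk."""
    cred_path = os.path.join(a2fa_dir, "apache_credentials")
    tok_path = os.path.join(a2fa_dir, "tokens.json")
    with open(cred_path) as f, open(tok_path) as g:
        return audit(f.read(), g.read(), realm, os.stat(tok_path).st_mode)


# Constructed sample data: hashes and secrets are dummy values, not real credentials.
SAMPLE_HTDIGEST = (
    "test_user:yourdomain.com:0123456789abcdef0123456789abcdef\n"
    "alice:yourdomain.com:fedcba9876543210fedcba9876543210\n"
    "bob:example.org:00112233445566778899aabbccddeeff\n"
)
SAMPLE_TOKENS = json.dumps({
    "test_user": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "alice": "JBSWY3DPEHPK3PXP",
})

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTDIGEST, SAMPLE_TOKENS, "yourdomain.com", 0o644):
        print("FINDING:", finding)
```

Run audit_install() once after finishing the steps above and again whenever a user is added; a clean run returns no findings.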

Finally, add a cron job that runs state_clean every hour, so that session state files (and with them the 2FA_Auth cookie sessions) expire instead of staying valid indefinitely

crontab -e

And add this line at the bottom

0 * * * * /var/www/a2fa/state_clean
