How to enable Google Authenticator for phpMyAdmin

2FA phpMyAdmin

Introduction

In this post I will show you how to put a second authentication factor in front of phpMyAdmin so that you can expose it with less risk: Apache Digest authentication for the password, then a Google Authenticator (TOTP) code checked by the apache_2fa CGI, and only then phpMyAdmin's own login. I assume that you are running Ubuntu 16.04, that phpMyAdmin is installed in /var/www/html/pma, and that it is served over HTTPS (the default-ssl vhost), since the 2FA_Auth cookie this setup relies on must never travel in the clear.

Prerequisites

Download https://github.com/itemir/apache_2fa/archive/master.zip and extract it to /var/www/a2fa/ (the auth and state_clean scripts and tokens.json should end up directly in that directory), then install onetimepass, the Python module the auth CGI uses to check TOTP codes:

pip install onetimepass

Configuration

Create a directory for storing states:

mkdir /var/www/a2fa/state

Adjust permissions so that the CGI, which runs as www-data, can write state files, while tokens.json (the shared secrets) is not world-readable:

chown -R www-data:www-data /var/www/a2fa
chmod 750 /var/www/a2fa/state
chmod 755 /var/www/a2fa/auth
chmod 755 /var/www/a2fa/state_clean
chmod 640 /var/www/a2fa/tokens.json

Enable Apache modules:

a2enmod rewrite
a2enmod auth_digest
a2enmod cgid
service apache2 restart

Edit the HTTPS vhost:

nano /etc/apache2/sites-available/default-ssl.conf

Add this code block inside the VirtualHost block:

# a2fa
ScriptAlias /auth/ /var/www/a2fa/
<Directory /var/www/a2fa>
     AuthType Digest
     AuthName "yourdomain.com"
     AuthDigestDomain /
     AuthDigestProvider file
     AuthUserFile /var/www/a2fa/apache_credentials
     Require valid-user
</Directory>
# a2fa protected pma
<Directory /var/www/html/pma>
     AuthType Digest
     AuthName "yourdomain.com"
     AuthDigestDomain /
     AuthDigestProvider file
     AuthUserFile /var/www/a2fa/apache_credentials
     Require valid-user
     # let the .htaccess in this directory supply the RewriteRules
     # (Ubuntu's default for /var/www is AllowOverride None)
     AllowOverride FileInfo
</Directory>

Create or edit .htaccess in the phpMyAdmin directory (/var/www/html/pma) and add the rules below. They only take effect if Apache is allowed to read rewrite directives from .htaccess there (AllowOverride FileInfo or All for that directory; Ubuntu's default for /var/www is None):

RewriteEngine On

# No 2FA_Auth cookie yet: send the browser to the auth CGI, passing the
# requested path and query string so it can come back here afterwards.
RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} !^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteRule ^(.*)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]

# Cookie present but its state file is gone (removed by state_clean):
# the 2FA session has expired, so authenticate again. The [a-zA-Z0-9]+
# capture is what stops a crafted cookie value from pointing outside state/.
RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} ^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteCond /var/www/a2fa/state/%1 !-f
RewriteRule ^(.*)$ /auth/auth?/pma [L,R=302]

Generate a TOTP secret for your user and put it in /var/www/a2fa/tokens.json. The apache_2fa README points at https://daplie.github.io/browser-authenticator/ for this; it works, but it means your shared secret is produced inside a third party's web page, so prefer generating it locally on the server (a random 160-bit value, base32 encoded) and enrolling it in Google Authenticator from there. Then add the Apache user for the Digest prompt. The realm argument must be exactly the AuthName string from the vhost, and the file already exists, so do not pass -c (which would truncate it):

htdigest /var/www/a2fa/apache_credentials yourdomain.com <new_user>

Delete the test_user line from /var/www/a2fa/apache_credentials and its entry in tokens.json, otherwise the test account shipped with the archive stays usable. Finally, add a cron job that runs state_clean every hour. The rewrite rules only honour a 2FA_Auth cookie whose state file still exists under /var/www/a2fa/state, so this job is what actually expires a 2FA session:

crontab -e

And add this line at the bottom:

0 * * * * /var/www/a2fa/state_clean

Conclusion

You now have 2FA enabled for your phpMyAdmin. Test it from a private browser window: you should get the Digest password prompt, then the code page at /auth/auth, and only then phpMyAdmin's own login. If you land on phpMyAdmin directly, the .htaccess is not being read (check AllowOverride); if the Digest login never succeeds, the realm given to htdigest does not match the AuthName in the vhost.
