Configure 2FA For MediaWiki: Difference between revisions

From BeeWiki
 
(11 intermediate revisions by the same user not shown)
Line 19: Line 19:
==Enable 2FA==
==Enable 2FA==


I created an account called Test2fa to illustrate how to enable Two-Factor Aythentication.  After you login with username & password, open your ''Preferences'' dialog.
I created an account called Test2fa to illustrate how to enable Two-Factor Aythentication.  After you login with '''your own''' username & password, open your ''Preferences'' dialog.


[[File:A GoToUserPreferences.png|800px|thumb|none|open your ''Preferences'' dialog]]
[[File:A GoToUserPreferences.png|800px|thumb|none|open your ''Preferences'' dialog]]
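Review bot: In the revised sentence under ==Enable 2FA==, "Aythentication" is still misspelled. Since the line is already being edited to add '''your own''', correct it to "Authentication" in the same revision.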
Line 34: Line 34:


You will be presented with a page of information.  This information will never change.  The ''secret key'' will be used by the oauthtool to generate the 6 digit TOTP.  Save it all, including the recovery codes, in case you screw things up.
You will be presented with a page of information.  This information will never change.  The ''secret key'' will be used by the oauthtool to generate the 6 digit TOTP.  Save it all, including the recovery codes, in case you screw things up.
<strong>This is just a temporary account I've since deleted.  Keep all your information secret.</strong>
[[File:E Save Key And Recovery Codes.png|800px|thumb|none|Save all this shiz]]
[[File:E Save Key And Recovery Codes.png|800px|thumb|none|Save all this shiz]]


Open a terminal window, and run the oauth tool as follows.
Open a terminal window, and run the oauth tool as follows.
<pre>oathtool --base32 --totp "LEQ3 7TOA CM6G 27PZ"</pre>
<pre>oathtool --base32 --totp "LEQ3 7TOA CM6G 27PZ"</pre>
This will generate the six digit code that you will use during your new login process.
This will generate the six digit code that you will use during your new login process.  I created a one-line script with this command so I don't need to remember the arguments.  Obviously you will want to give this script ''700'' permissions so nobody can see it but you.
[[File:I Run oathtool.png|800px|thumb|none|Run oauth command line tool]]
[[File:I Run oathtool.png|800px|thumb|none|Run oauth command line tool]]
Use that generated six digit code to verify that TOTP is working.
[[File:F Verify TOTP Code.png|800px|thumb|none|Use the code]]
You should see a page saying that it worked, and that two-factor authentication will be enforced.
[[File:G Verified Page.png|800px|thumb|none|Yay, it works]]
Log off now, and log back in, and you should be prompted for username & password, and then prompted for a six digit code.  This code is time sensitive, so it will be different each time you log in, and will expire after a short time.
Congratulations, you are now one of the cool kids.
=Extra Credit=
To make the process a bit easier, I installed ''gpaste''.  This package contains a command called ''gpaste-client'' that will copy stdin to the ''gnome clipboard''.  I then create a super simple script that runs the '''oathtool''' copying the output to the clipboard.
<pre>sudo dnf install gpaste</pre>
<pre>
#!/bin/bash
MFA=`oathtool  --base32 --totp "LEQ3 7TOA CM6G 27PZ"`
echo $MFA | gpaste-client
echo "$MFA was copied to the clipboard"
<pre>
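Review bot: The script block added under =Extra Credit= ends with an opening <pre> where the closing </pre> belongs, so the block is left unclosed; change that last line to </pre>. Both the one-line script mentioned in the added sentence and the new clipboard script embed the secret key directly, so the ''700'' permissions advice should be repeated for the clipboard script as well.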

Latest revision as of 02:05, 19 December 2024

How to use OATHAuth in MediaWiki

Configure OATHAuth

The version of MediaWiki I'm using has OATHAuth preinstalled. To configure your MediaWiki instance to allow users to enable two-factor authentication, simply add

wfLoadExtension( 'OATHAuth' );

to the end of the LocalSettings.php file located in the root of the MediaWiki directory. Then restart your HTTP server. In my case I simply run

sudo systemctl restart httpd

Install oathtool

There are a number of OATH clients on the market, but I decided to just install the oathtool command line tool on my Fedora-based laptop by running

sudo dnf install oathtool.x86_64

Apple has the same functionality built into the Passwords app, but as I only log in from my Fedora-based laptop, it's easier to run a command and copy the output to my clipboard. You do you.

I'm using the Vector 2020 skin, so if your screen looks different, you're likely using a different skin.

Enable 2FA

I created an account called Test2fa to illustrate how to enable Two-Factor Authentication. After you log in with your own username & password, open your Preferences dialog.

open your Preferences dialog

In the User Profile tab of the Preferences dialog, hit the Manage button in the Two-Factor Authentication section.

Hit the Manage button

Next, enable the Time-based One Time Password by hitting the Enable button.

Hit Enable button

It makes you log in again because reasons.

Identify & authenticate yourself

You will be presented with a page of information. This information will never change. The secret key will be used by oathtool to generate the 6-digit TOTP. Save it all, including the recovery codes, in case you screw things up.

This is just a temporary account I've since deleted. Keep all your information secret.

Save all this shiz

Open a terminal window, and run oathtool as follows.

oathtool --base32 --totp "LEQ3 7TOA CM6G 27PZ"

This will generate the six digit code that you will use during your new login process. I created a one-line script with this command so I don't need to remember the arguments. Obviously you will want to give this script 700 permissions so nobody can see it but you.

Run the oathtool command line tool

Use that generated six digit code to verify that TOTP is working.

Use the code

You should see a page saying that it worked, and that two-factor authentication will be enforced.

Yay, it works

Log off now, and log back in, and you should be prompted for username & password, and then prompted for a six digit code. This code is time sensitive, so it will be different each time you log in, and will expire after a short time.

Congratulations, you are now one of the cool kids.

Extra Credit

To make the process a bit easier, I installed gpaste. This package contains a command called gpaste-client that will copy stdin to the GNOME clipboard. I then created a super simple script that runs oathtool and copies the output to the clipboard.


sudo dnf install gpaste

#!/bin/bash

# Generate the current TOTP code and copy it to the GNOME clipboard
MFA=$(oathtool --base32 --totp "LEQ3 7TOA CM6G 27PZ")
echo "$MFA" | gpaste-client
echo "$MFA was copied to the clipboard"
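
An added example, not part of the original page: the scripts above pass the secret key as a command-line argument, where other local users can read it from the process list while oathtool runs. This variant keeps the key in a separate file, refuses to use it unless only the owner can access it, and feeds it to oathtool on standard input. The file path, the function names and the copy argument are assumptions, as is an oathtool version that accepts - as the KEY argument to read the key from standard input.

```bash
#!/bin/bash
# Added example (not from the original page): TOTP code without the secret
# in the script or on the command line. Requires GNU stat, as on Fedora.

# Assumed location: a file holding only the base32 secret key.
SECRET_FILE="${SECRET_FILE:-$HOME/.config/wiki-totp.secret}"

# Succeeds only for a regular file (no symlink) owned by the caller
# with no group or other permission bits, e.g. mode 600 or 400.
secret_file_is_private() {
    local file="$1" mode owner
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    mode=$(stat -c '%a' "$file") || return 1
    owner=$(stat -c '%u' "$file") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        *00) return 0 ;;   # group and other digits are both 0
        *)   return 1 ;;
    esac
}

# Prints the current six-digit code. The key reaches oathtool on stdin
# ("-" as KEY), so it never appears in the process list.
totp_code() {
    local file="${1:-$SECRET_FILE}"
    if ! secret_file_is_private "$file"; then
        echo "refusing $file: must be your own regular file, mode 600" >&2
        return 1
    fi
    oathtool --base32 --totp - < "$file"
}

# "copy" (hypothetical argument): put the code on the GNOME clipboard.
if [ "${1:-}" = "copy" ]; then
    code=$(totp_code) || exit 1
    printf '%s\n' "$code" | gpaste-client
    echo "TOTP code was copied to the clipboard"
fi
```

Create the secret file with umask 077 in effect so it is never group or world readable, even briefly.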