This repository is a fork of official Zabbix repository https://github.com/zabbix/zabbix.git. See README why it was forked.

BGmot/zabbix

Zabbix repository from BGmot

This README is an addition to the official README from Zabbix.

What it is and why?

This repository is a fork of the official Zabbix repository. The code in this repository is always based on the official code from Zabbix, with two features added:

  • two factor authentication (2FA) using DUO provider
  • two factor authentication (2FA) using Google Authenticator or Microsoft Authenticator app

Detailed HowTos:

2FA

Using DUO

With 2FA enabled, when you log in to the WebUI and the 'in-stock' authentication (internal, LDAP or whatever is configured in your case) has succeeded, the user is presented with DUO's interface to perform authentication via an SMS, a DUO app push, or a phone call. For details please go to the DUO website; you may also want to read about details of implementation.

To enable 2FA go to Users -> 2FA, toggle DUO and fill in all the fields with the data you get from DUO when you register an account. To fill in the '40 characters long custom key' field you need to generate this custom key. In Python, use the following code:

import os, hashlib
# SHA-1 hex digest of 32 random bytes from the OS CSPRNG: a 40-character key
print(hashlib.sha1(os.urandom(32)).hexdigest())

Using Google Authenticator or Microsoft Authenticator app

With 2FA enabled, when you log in to the WebUI and the 'in-stock' authentication (internal, LDAP or whatever is configured in your case) has succeeded, the user is required to enter a code generated by the Authenticator app on a previously enrolled device (the code is valid for 30 seconds). This feature is implemented with code from https://github.com/sonata-project/GoogleAuthenticator/tree/master . To enable 2FA go to Users -> 2FA, toggle 'Authenticator app' and click 'Update'.
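How a 30-second Authenticator code is derived and checked on the server side, as an added example (not code from this repository or from sonata-project/GoogleAuthenticator). It assumes the Authenticator apps' default of 6-digit RFC 6238 codes over HMAC-SHA1; the function names, the one-step drift window and the replay check via `last_used_step` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds a code stays valid, as stated above
DIGITS = 6     # assumed code length (Authenticator app default)


def totp(secret_b32, at, step=STEP, digits=DIGITS):
    """Return the RFC 6238 code for Unix time `at` (HMAC-SHA1 variant)."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(at) // step)      # 8-byte big-endian step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, drift_steps=1, last_used_step=-1):
    """Return the matched time step, or None if the code is rejected.

    drift_steps tolerates clock skew between phone and server;
    last_used_step rejects replay of a code that was already accepted.
    """
    now = time.time() if at is None else at
    current = int(now) // STEP
    for step_no in range(current - drift_steps, current + drift_steps + 1):
        if step_no <= last_used_step:
            continue                                  # already used, or before epoch
        expected = totp(secret_b32, step_no * STEP)
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(expected.encode(), str(submitted).encode()):
            return step_no
    return None


# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)
    print(code, verify(SAMPLE_SECRET, code, at=59))
```

Storing the returned step per user and passing it back as `last_used_step` makes each code single-use even though it stays valid for the whole window.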

In case you lock yourself out (you enabled 2FA but for some reason cannot get through authentication) you need to turn off 2FA manually. As the Zabbix server admin you should have access to the database, so execute the following code:

# For MySQL
echo 'update config set 2fa_type=0;' | mysql -u <db_zabbix_user> -p<db_zabbix_password> -h <db_host> zabbix
# For PostgreSQL (the column name starts with a digit, so it must be double-quoted)
PGPASSWORD="<db_zabbix_password>" psql -U <db_zabbix_user> -h <db_host> -d zabbix -c 'update config set "2fa_type"=0;'

If 'Authenticator app' 2FA is in use and a user "lost his phone" and needs to re-enroll with a new one, execute the following to request the enrollment procedure on his next login:

# For MySQL
echo 'update users set ggl_enrolled=0 where username="<username>" ;' | mysql -u <db_zabbix_user> -p<db_zabbix_password> zabbix
# For PostgreSQL (string literals take single quotes; double quotes denote identifiers)
PGPASSWORD="<db_zabbix_password>" psql -U <db_zabbix_user> -h <db_host> -d zabbix -c "update users set ggl_enrolled=0 where username='<username>';"

Installation

A very quick way to see this code in action is to deploy a Docker container using this image:

Patch Zabbix server (you need to do it after every Zabbix upgrade):

  1. If not already done, do a fresh install from sources using this repository; follow this guide.
  2. Log in to the Zabbix server as root and download this script (make sure that the version of your Zabbix Server, 6.4.15 in this example, matches this repository's version/tag, 6.4.15-bg):
     curl -L -o bg-features-install.sh https://raw.githubusercontent.com/BGmot/zabbix/6.4.15-bg/bg-scripts/bg-features-install.sh
  3. Make sure the zip package is installed (the script needs to be able to run unzip).
  4. Modify the script to provide proper values for DB_HOST, DB_USERNAME, DB_PASSWORD and ZABBIX_INSTALL_PATH (where all your PHP files are located) and run the script:
     sudo bash bg-features-install.sh
