Require MFA on CLI API

Overview

The Require MFA on CLI API option enforces Multi-Factor Authentication when executing JetBackup API commands via the CLI.
When enabled, any CLI API request must be authenticated using a valid MFA token, adding an extra layer of security beyond standard user permissions.

This applies primarily to the user executing the CLI commands, typically the root user.

Prerequisites

Before enabling Require MFA on CLI API, the following conditions must be met:

  1. MFA must be enabled on the server

  2. MFA must be configured for the user running the CLI API commands

    • In most environments, this is the root user

  3. The user must complete the MFA activation process (via GUI or CLI, depending on the control panel)

If MFA is not enabled for the executing user, CLI API calls will fail once this option is enabled.

 

Enabling Require MFA on CLI API

  1. Navigate to:

    JetBackup 5 → Settings → Privacy & Security → Multi Factor Authentication

  2. Enable the following options as needed:

    • MFA Enabled: Yes

    • Require MFA on CLI API: Yes

  3. Save the changes

Once enabled, all CLI API calls will require MFA verification.

 

CLI Behavior After Enabling MFA Requirement

Attempting a CLI API Call Without MFA

If an API call is executed without an MFA token, JetBackup will return an error:

jetbackup5api -F getDashboardDetails

Response:

success: 0
message: MFA token is required
system:
  version: 5.4.0.0
  version_panel: 5.4.0.0
  tier: ALPHA
  type: cPanel
  retry_ms: 0
  disableui: 
  dr: 
  agreement_panel: 
  agreement: 
  licenseIssue: 
  mfa: 1
data:

This indicates that MFA enforcement is active and a valid token must be provided.

 

Verifying MFA and Retrieving a Token

To authenticate CLI access, you must verify an MFA code and retrieve a temporary token.

Step 1: Verify MFA Code

Run the following command using a valid 6-digit code from your Authenticator app:

jetbackup5api -F verifyMFACode -D 'code=******'

Response:

success: 1
data:
  token: ba6K9UkCeN+rMEyrqE3wQUmF+nNY3hlxs7i4Rm99MY+...​

The returned token is required for subsequent CLI API calls.

Step 2: Execute CLI API Calls With MFA Token

Include the token using the -T option:

jetbackup5api -F getDashboardDetails -T TOKEN

Once authenticated, the command will execute successfully.

 

Token Notes

  • MFA tokens are temporary

  • When a token expires, you must re-run verifyMFACode

  • All custom scripts, cron jobs, and hooks using the CLI API must be updated to handle MFA tokens

 

Important Considerations

  • Enabling Require MFA on CLI API without configuring MFA for the executing user will block all CLI API access

  • Automation scripts must be updated to:

    • Prompt for MFA verification

    • Cache and refresh tokens as needed

  • Recovery codes should be stored securely and treated as sensitive credentials

 

Summary

The Require MFA on CLI API feature significantly improves security by enforcing MFA on all CLI-based API interactions.
Proper configuration is essential, especially in environments like DirectAdmin where MFA must be initialized via the CLI.

If you rely on automation or custom integrations, ensure they are updated before enabling this option to avoid service disruption.

 

DirectAdmin: Configuring MFA via CLI (No GUI Access for Root)

In DirectAdmin environments, the panel login is typically performed using the admin user, not root.
As a result, there is no GUI option to configure MFA for the root account.

In these cases, MFA must be configured entirely via the CLI.

Step 1: Enable MFA for Root

Login to your DirectAdmin Server Terminal as root and execute the following command:

jetbackup5api -F manageMyAccount -D 'mfa=1'

This enables MFA for the root account.

Step 2: Retrieve MFA Secret and Recovery Code

Execute the following command:
jetbackup5api -F getMFAQRCode

This command returns:

  • Secret key – used to manually add MFA to an Authenticator app

  • Recovery code – must be stored securely for account recovery

Step 3: Add MFA to Authenticator App

Manually add a new account in your Authenticator app using the provided secret.

Step 4: Verify MFA for the First Time

 
jetbackup5api -F verifyMFACode -D 'code=CODE'

Where CODE is the current 6-digit MFA code.

This command returns an MFA token.

Step 5: Use the Token for All CLI API Calls

 
jetbackup5api -T TOKEN -F listAccounts

From this point forward, every CLI API command must include the -T option.

  • 0 Utilisateurs l'ont trouvée utile
Cette réponse était-elle pertinente?

Articles connexes

Email Notifications Are Not Being Sent

JetBackup 5 uses Notification Integrations to send Notifications based on the configured...

What are the level of Alerts in JetBackup 5?

JetBackup 5 now has only 3 Alert levels compared to JetBackp 4. All 3 levels will appear on the...

Create Destination Error: This destination path is already owned by other destination

On JetBackup 5, you may notice the following error when creating a destination that uses the same...

Common Backup Job Exclude List for DirectAdmin Accounts

Information regarding how to exclude certain files/folders from a backup in JetBackup 5 can be...

Why Does One Account Have All Database Backups?

In JetBackup 5 Linux, Databases and Database Users need to be assigned to specific accounts using...