[BlueOnyx:26142] BlueOnyx 5211R: Two-Factor-Auth (2FA)
Michael Stauber
mstauber at blueonyx.it
Fri Apr 21 01:20:59 -05 2023
Hi all,
I've been a little busy this week and this is what I've been working on:
https://www.blueonyx.it/auth
\o/
The URL above explains it all. Basically BlueOnyx 5211R will soon have
Two-Factor-Auth (2FA) for SSH.
The server administrator needs to enable "Two-Factor-Auth (2FA)" under
"Server Management" / "Network Services" / "Shell & FTP". Please note
that you may turn off "Password Authentication" and leave "Public Key
Authentication" ticked. The way our 2FA integration works is this:
If a user has SSH keys exchanged, he can still login without password
AND without 2FA. We consider exchanged SSH keys secure enough and see no
reason to throw in an extra step such as 2FA for that.
If a user DOES NOT have SSH keys exchanged, but has Shell access and has
2FA enabled? Regardless if "Password Authentication" is on or off: He
will receive a username and password prompt and also the prompt to enter
his 2FA key generated in the 2FA authenticator app.
If a user has Shell, 2FA is disabled for him and SSH is configured
without "Password Authentication"? In that case login is *only* possible
via exchanged SSH keys and no password prompt will be shown.
This way key exchange still works as before and 2FA can be used if a
user doesn't have SSH keys exchanged yet.
Supported 2FA authenticator apps are the Google Authenticator app and
the RedHat FreeOTP app. Both are available for Android and Apple devices
from the official appstores. The "Personal Profile" page in the GUI will
have links to https://www.blueonyx.it/auth and from there users in
search of these apps can follow our links to the official appstore
pages for the various devices.
I will also port this feature back to BlueOnyx 5210R, but make no
promises for a BlueOnyx 5209R release of it. It's a lot of work and
BlueOnyx 5209R will go EOL in June 2024 anyway.
Release of this feature for 5211R:
===================================
My finger is hovering over the "release" button and it's ready to go.
But today being a Friday makes this a "no go". We don't rock the boat on
Fridays (or weekends) unless we *really* have to. So this will be
released on Monday, 24th April.
Meanwhile I'll start working on porting this to 5210R as well.
--
With best regards
Michael Stauber
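
The login rules described in this message, written out as a small audit an administrator could run before turning off "Password Authentication" to see which accounts would lose SSH access. This is an added example, not BlueOnyx code: the `User` fields, function names and sample accounts are constructed, and the "password-only" case (no keys, no 2FA, Password Authentication on) is an assumption the message does not spell out.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    shell: bool      # has Shell access
    ssh_keys: bool   # has SSH keys exchanged
    twofa: bool      # has 2FA enabled in the personal profile


def login_path(user: User, password_auth: bool) -> str:
    """Classify how a user gets in over SSH once server-wide 2FA is enabled."""
    if not user.shell:
        return "no-shell"
    if user.ssh_keys:
        return "key"             # key login: no password and no 2FA prompt
    if user.twofa:
        return "password+2fa"    # prompted regardless of Password Authentication
    if not password_auth:
        return "locked-out"      # only keys are accepted and the user has none
    return "password-only"       # ASSUMPTION: case not described in the message


def audit(users, password_auth: bool) -> dict:
    """Group user names by login path for a given Password Authentication setting."""
    report = defaultdict(list)
    for user in users:
        report[login_path(user, password_auth)].append(user.name)
    return {path: sorted(names) for path, names in report.items()}


# Constructed sample accounts, one per case.
SAMPLE_USERS = [
    User("alice", shell=True, ssh_keys=True, twofa=False),
    User("bob", shell=True, ssh_keys=False, twofa=True),
    User("carol", shell=True, ssh_keys=False, twofa=False),
    User("dave", shell=False, ssh_keys=False, twofa=False),
]

if __name__ == "__main__":
    for setting in (True, False):
        print(f"Password Authentication = {setting}")
        for path, names in sorted(audit(SAMPLE_USERS, setting).items()):
            print(f"  {path:14} {', '.join(names)}")
```

Accounts reported as "locked-out" need either exchanged SSH keys or 2FA enabled before "Password Authentication" is switched off.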