[BlueOnyx:26144] Re: BlueOnyx 5211R: Two-Factor-Auth (2FA)

Michael Stauber mstauber at blueonyx.it
Fri Apr 21 03:08:39 -05 2023 

Hi Taco,

> This is great, well done! 

Thank you!

> Are you planning to add 2FA to the BlueOnyx UI access too?

I am considering it, but there are some issues:

a.) 2FA details are only available in the GUI. If a user gets 2FA 
enabled by his siteAdmin or the serverAdmin, he has no way to access the 
details in the GUI. The details could be emailed on generation, though. 
So that's doable, but still could lead to some issues.

b.) CCEd auth.

We're using the google-auth-pam library for the 2FA stuff. As it ties 
into PAM, we could use it for any service that uses PAM. CCEd 
authentication does tie into PAM, yet the PAM integration itself in CCEd 
has no mechanisms for 2FA and I'm unable to mess with that code.

So the 2FA would need to be integrated on the PHP side of things.

When someone logs in via the GUI we do an "AUTH <username> <password>" 
against CCEclient and get a sessionId back, which is then stored in a 
cookie. All subsequent GUI accesses check if that user and sessionId are 
still valid and match.

If we enable 2FA for all or selected GUI users, an intermediate step 
needs to be added after username/password have been submitted in the 
login form to ask for the 2FA code. The whole 2FA check for the validity 
of the security code needs to be done entirely in PHP. I could perhaps 
use the pragmarx/google2fa composer-library for that. It has a simple 
function to check the token:

$code = '123456'; // The user entered code
$valid = $google2fa->verify($secretKey, $code);
if ($valid) {
     echo 'Code is valid';
} else {
     echo 'Code is invalid';
}

OTOH: I never saw anyone try to use the GUI as attack vector for brute 
force login attempts. And 5211R does have a built in mechanism against 
it, so several failed attempts will lead to a rate-limit and ultimately 
to a lock out.

But yeah: It's something to consider.

> While you are making changes to the SSH authentication and config, would you be so kind to change an option to:
> Server Management -> Network Services -> Shell & FTP
> 
> Here you have a tickbox to enable SSH Root Login by setting "PermitRootLogin yes” in /etc/ssh/sshd_config.
> 
> Can you change this from a tickbox to a select box and add an option to set "PermitRootLogin without-password” to have only root access using public key?
Yeah, that's not a big deal. I'll add it this afternoon and it'll be in 
the Monday release.

-- 
With best regards

Michael Stauber

More information about the Blueonyx mailing list