[BlueOnyx:26143] Re: BlueOnyx 5211R: Two-Factor-Auth (2FA)

Taco Scargo taco at blueonyx.nl
Fri Apr 21 02:38:07 -05 2023


Hi Michael,

This is great, well done! Are you planning to add 2FA to the BlueOnyx UI access too?

While you are making changes to the SSH authentication and config, would you be so kind to change an option to:
Server Management -> Network Services -> Shell & FTP 

Here you have a tickbox to enable SSH Root Login by setting "PermitRootLogin yes" in /etc/ssh/sshd_config.

Can you change this from a tickbox to a select box and add an option to set "PermitRootLogin without-password" to have only root access using public key?

Thanks,

Taco


> On 21 Apr 2023, at 08:20, Michael Stauber <mstauber at blueonyx.it> wrote:
> 
> Hi all,
> 
> I've been a little busy this week and this is what I've been working on:
> 
> https://www.blueonyx.it/auth
> 
> \o/
> 
> The URL above explains it all. Basically BlueOnyx 5211R will soon have Two-Factor-Auth (2FA) for SSH.
> 
> The server administrator needs to enable "Two-Factor-Auth (2FA)" under "Server Management" / "Network Services" / "Shell & FTP". Please note that you may turn off "Password Authentication" and leave "Public Key Authentication" ticked. The way our 2FA integration works is this:
> 
> If a user has SSH keys exchanged, he can still login without password AND without 2FA. We consider exchanged SSH keys secure enough and see no reason to throw in an extra step such as 2FA for that.
> 
> If a user DOES NOT have SSH keys exchanged, but has Shell access and has 2FA enabled? Regardless if "Password Authentication" is on or off: He will receive a username and password prompt and also the prompt to enter his 2FA key generated in the 2FA authenticator app.
> 
> If a user has Shell, 2FA is disabled for him and SSH is configured without "Password Authentication"? In that case login is *only* possible via exchanged SSH keys and no password prompt will be shown.
> 
> This way key exchange still works as before and 2FA can be used if a user doesn't have SSH keys exchanged yet.
> 
> Supported 2FA authenticator apps are the Google Authenticator app and the RedHat FreeOTP app. Both are available for Android and Apple devices from the official appstores. The "Personal Profile" page in the GUI will have links to https://www.blueonyx.it/auth and from there users in search for these apps can follow our links to the official appstore pages for the various devices.
> 
> I will also port this feature back to BlueOnyx 5210R, but make no promises for a BlueOnyx 5209R release of it. It's a lot of work and BlueOnyx 5209R will go EOL in June 2024 anyway.
> 
> 
> Release of this feature for 5211R:
> ===================================
> 
> My finger is hovering over the "release" button and it's ready to go. But today being a Friday makes this a "no go". We don't rock the boat on Fridays (or weekends) unless we *really* have to. So this will be released on Monday, 24th April.
> 
> Meanwhile I'll start working on porting this to 5210R as well.
> 
> -- 
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
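The PermitRootLogin request above can be checked on a server by classifying the effective global value in /etc/ssh/sshd_config. The following is an added example, not code from this thread or from BlueOnyx. It assumes OpenSSH 7.0 or later for the default value, does not evaluate Include files or Match blocks, and all function names and the sample configuration are constructed for illustration.

```python
import re

# Values of PermitRootLogin as documented in sshd_config(5).
MODES = {
    "yes": "root may use any enabled method, including password",
    "prohibit-password": "root may log in, but not with password or keyboard-interactive",
    "forced-commands-only": "root may use a public key only when a command is forced",
    "no": "root may not log in",
}
ALIASES = {"without-password": "prohibit-password"}  # deprecated spelling of the same mode
ASSUMED_DEFAULT = "prohibit-password"  # assumption: OpenSSH 7.0 or later

# Keyword, then whitespace or a single "=", then the first argument.
LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(\S+)")


def first_global_value(config_text, keyword):
    """Return the first value set for keyword before any Match block, else None."""
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:            # blank line, comment, or keyword without a value
            continue
        name, value = m.group(1).lower(), m.group(2).strip('"')
        if name == "match":  # conditional blocks are not evaluated here
            break
        if name == keyword.lower():
            return value     # sshd keeps the first value it obtains
    return None


def root_login_mode(config_text):
    """Return (canonical mode, True if set explicitly); unknown values map to "unrecognized"."""
    value = first_global_value(config_text, "PermitRootLogin")
    if value is None:
        return ASSUMED_DEFAULT, False
    value = ALIASES.get(value, value)
    return (value if value in MODES else "unrecognized"), True


# Constructed sample, not taken from a real server.
SAMPLE = """\
#PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin = without-password
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin no
"""

if __name__ == "__main__":
    mode, explicit = root_login_mode(SAMPLE)
    print(mode, "(explicit)" if explicit else "(default)", "-", MODES.get(mode, "check value"))
```

The second PermitRootLogin line in the sample is ignored because sshd uses the first value it obtains for a keyword, which is why a GUI that appends a new line instead of editing the existing one can leave the old setting in force.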




