[BlueOnyx:26747] GUI development: BlueOnyx 2FA for GUI logins

Michael Stauber mstauber at blueonyx.it
Thu Feb 8 00:36:25 -05 2024


Hi all,

The work on the new Elmer Theme for BlueOnyx 5211R (and later on 5210R) 
is progressing nicely.

I've just completed porting all GUI elements and pages to the new Elmer 
theme after three months of hard work.

As the intention has always been to keep the old "Adminica" GUI as an 
option that could be reverted back to (both on a server- as well as 
individual user level) I sort of broke some parts of the Adminica GUI by 
adding new features.

I'm now in the process of fixing those "Adminica"-theme related issues. 
Means: An end is in sight. \o/

But before fixing those old theme issues I am currently toying with 2FA 
authentication for GUI logins.

I have a prototype of it currently working and it uses the same 2FA 
tokens and mechanisms that we already use to protect SSH.


My intended implementation for this is as follows:
===================================================

Under "Server Management" / "Maintenance" / "Server Desktop" any 
server-administrator can enable/disable the new switch "GUI access: 
Two-Factor-Auth (2FA)".

It will then show a selector where you can choose which accounts MUST 
use 2FA in order to be able to log in to the GUI:

- All accounts (with enabled 2FA)
- Only Server-Administrator accounts (with enabled 2FA)
- Server-Administrator and siteAdmin accounts (with enabled 2FA)

If the switch for "GUI access: Two-Factor-Auth (2FA)" is NOT ticked, 
anyone can log in to the GUI without 2FA by just providing a valid 
username and password. That will be the default until you manually turn 
2FA GUI access on.

Due to architectural reasons and to avoid undue complexity I don't want 
to allow 2FA for GUI access only to be turned on or off individually for 
accounts.

Means: You won't be able to say: "I want 2FA for SSH-access of User XYZ, 
but not for GUI access of User XYZ!!"

So if an account has 2FA enabled AND the GUI is configured to require 
2FA, then the user must provide username, password and 2FA token (or one 
of the "one-time-codes").


As for how the login will work in the future:
===============================================

If 2FA GUI access is required for everyone, the login form will show 
three input fields:

- Username
- Password
- 2FA Code

If 2FA GUI access is configured to be only required for certain Users 
(like serverAdmins and/or serverAdmins and siteAdmins)?

In that case the login form will first ask for ...

- Username
- Password

... and if the user is among the group of users for which 2FA is 
required, a second login page form will ask for the 2FA code.
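To make the policy selector and the two-step login form above concrete, here is an added illustration in Python (not BlueOnyx code, which is PHP; nothing here is taken from the project). It assumes the role labels "serverAdmin", "siteAdmin" and "user", an account record with a PBKDF2 password hash, a TOTP secret (HMAC-SHA1, 30 s steps, the scheme used by the usual authenticator apps and by the SSH 2FA the post refers to) and a set of single-use one-time codes. All account data is constructed for the example; the TOTP secret is the RFC 6238 test-vector key so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional

# The three values of the "which accounts MUST use 2FA" selector from the post.
POLICY_ALL = "all"
POLICY_SERVER_ADMINS = "server_admins"
POLICY_SERVER_AND_SITE_ADMINS = "server_and_site_admins"


@dataclass
class Settings:
    gui_2fa_enabled: bool = False   # the "GUI access: Two-Factor-Auth (2FA)" switch
    policy: str = POLICY_ALL


@dataclass
class Account:
    name: str
    role: str                              # "serverAdmin", "siteAdmin" or "user" (labels assumed here)
    salt: bytes
    password_hash: bytes
    totp_secret: Optional[bytes] = None    # None: this account has no 2FA enabled at all
    one_time_codes: set = field(default_factory=set)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def gui_requires_2fa(settings: Settings, acct: Account) -> bool:
    """Rule from the post: the account has 2FA enabled AND falls under the selector."""
    if not settings.gui_2fa_enabled or acct.totp_secret is None:
        return False
    if settings.policy == POLICY_ALL:
        return True
    if settings.policy == POLICY_SERVER_ADMINS:
        return acct.role == "serverAdmin"
    if settings.policy == POLICY_SERVER_AND_SITE_ADMINS:
        return acct.role in ("serverAdmin", "siteAdmin")
    raise ValueError(f"unknown 2FA policy {settings.policy!r}")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1; TOTP is HOTP with counter = unix_time // 30."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_second_factor(acct: Account, code: str, now: int, window: int = 1) -> bool:
    """Accept the current TOTP (+/- one 30 s step of clock skew) or one unused one-time code."""
    if code in acct.one_time_codes:
        acct.one_time_codes.discard(code)      # one-time codes are burned on first use
        return True
    counter = now // 30
    return any(
        hmac.compare_digest(hotp(acct.totp_secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def login_step1(accounts, settings, username, password):
    """First form (username + password). Returns ("ok"|"need_2fa"|"denied", account)."""
    acct = accounts.get(username)
    if acct is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users as for wrong passwords
        return ("denied", None)
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return ("denied", None)
    if gui_requires_2fa(settings, acct):
        return ("need_2fa", acct)  # keep this pending state server-side, never in a client field
    return ("ok", acct)


def login_step2(acct: Account, code: str, now: int):
    """Second form: the 2FA code for an account that already passed step 1."""
    return ("ok", acct) if verify_second_factor(acct, code, now) else ("denied", None)


def demo_accounts():
    """Constructed sample accounts; the TOTP secret is the RFC 6238 test key."""
    rfc_secret = b"12345678901234567890"

    def make(name, role, pw, secret=None, codes=()):
        salt = hashlib.sha256(name.encode()).digest()[:16]   # fixed per-name salt for the demo
        return Account(name, role, salt, hash_password(pw, salt), secret, set(codes))

    return {
        "admin": make("admin", "serverAdmin", "admin-pw", rfc_secret, ["11112222"]),
        "siteadmin": make("siteadmin", "siteAdmin", "site-pw", rfc_secret),
        "bob": make("bob", "user", "bob-pw", rfc_secret),
        "carol": make("carol", "user", "carol-pw"),    # 2FA never enabled for this account
    }


if __name__ == "__main__":
    accts = demo_accounts()
    s = Settings(gui_2fa_enabled=True, policy=POLICY_SERVER_ADMINS)
    state, acct = login_step1(accts, s, "admin", "admin-pw")
    print(state)                                        # need_2fa
    print(login_step2(acct, hotp(acct.totp_secret, 59 // 30), 59)[0])  # ok
```

The decision of whether to show the second form is made only after the password has been verified, and the "password verified, 2FA pending" state lives in the server session; a client that skips the second page must land back at "denied", not "ok". The one-step form for the "everyone" policy is the same code with both values submitted at once and `login_step2` called immediately after a `need_2fa` result.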


My question:
=============

Before I do this I want to ask for general consent and consensus on this 
topic. Do you consider the outlined implementation "good enough" for 
your purposes? Or are there any other considerations or suggestions to 
implement this in a different way?

All input is welcome.

-- 
With best regards

Michael Stauber
