OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: Patrick M. Hausen on December 01, 2023, 10:11:35 AM

Title: 2FA - exceptions for individual users possible?
Post by: Patrick M. Hausen on December 01, 2023, 10:11:35 AM
Hi all,

I am in the process of setting up a larger customer project. We enabled 2FA (TOTP) and everything is working as expected. Of course we have individual admin users for everyone concerned.

Now what I would like to do is to exempt the root user from the 2FA server, give that user a really complex long password and store that somewhere safe. As an emergency access method should e.g. the time synchronisation ever fail.

Is that possible?

Thanks,
Patrick
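A worked illustration of the time-drift lockout Patrick wants an escape hatch for, added here as an example that is not from the original thread or from OPNsense itself: a minimal RFC 6238 TOTP verifier in stdlib-only Python with a ±1-step acceptance window, showing that once the verifying clock drifts by more than about one 30-second step the same shared secret no longer yields a matching code. The secret, the fixed epoch and the window width are constructed values for the demo.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 default time step in seconds
DIGITS = 6     # code length used by most authenticator apps


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, code: str, server_time: int,
                window: int = 1, step: int = STEP) -> bool:
    """Accept the code if it matches any step within +/- window of the server clock.
    compare_digest keeps the comparison constant-time."""
    base = server_time // step
    return any(hmac.compare_digest(hotp(secret_b32, base + k), code)
               for k in range(-window, window + 1))


# Constructed demo secret (base32); never reuse a published secret in production.
DEMO_SECRET = "JBSWY3DPEHPK3PXP"
# Constructed fixed "server" epoch so the outcome is reproducible.
DEMO_SERVER_TIME = 1_700_000_000


def drift_tolerated(skew_seconds: int, window: int = 1) -> bool:
    """Does a token minted on a clock skewed by skew_seconds still verify?
    This is the failure mode behind 'time synchronisation ever fails'."""
    client_code = totp(DEMO_SECRET, DEMO_SERVER_TIME + skew_seconds)
    return verify_totp(DEMO_SECRET, client_code, DEMO_SERVER_TIME, window)


if __name__ == "__main__":
    for skew in (0, 30, 40, -60, 600):
        print(f"skew {skew:>5}s -> accepted: {drift_tolerated(skew)}")
```

The default ±1 window makes the outcome depend on where the fixed epoch falls inside its step, which is exactly why a small NTP slip is harmless while a stalled clock locks every TOTP user out at once.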
Title: Re: 2FA - exceptions for individual users possible?
Post by: meyergru on December 01, 2023, 01:05:22 PM
You could always have a dedicated root user with SSH access use an SSH key - that is how I do it.

Also, AFAIK, you can enable several authentication servers. So, you could use LDAP+TOTP plus Local authentication. In that case, you would have the non-2FA user in the local database. It could be the other way around, but that defeats the use case somehow. And I think if you want Local+TOTP, you cannot discriminate by using another "local" source.
Title: Re: 2FA - exceptions for individual users possible?
Post by: Patrick M. Hausen on December 01, 2023, 01:18:23 PM
Quote from: meyergru on December 01, 2023, 01:05:22 PM
You could always have a dedicated root user with SSH access use an SSH key - that is how I do it.
Looks like that will be my only option for emergency measures.

Quote from: meyergru on December 01, 2023, 01:05:22 PM
Also, AFAIK, you can enable several authentication servers. So, you could use LDAP+TOTP plus Local authentication. In that case, you would have the non-2FA user in the local database. It could be the other way around, but that defeats the use case somehow. And I think if you want Local+TOTP, you cannot discriminate by using another "local" source.
Ah - now I understand. As soon as I create a Local+TOTP server all local users get 2FA activated. Grrr ... is there an OpenLDAP server plugin? FreeRADIUS only it seems. That adds another level of complexity and a huge can of worms.

Setting the authentication server that is used per user would be a huge improvement, IMHO. Small closed group of admins, we can trust everybody will use 2FA if the company policy says so.
Title: Re: 2FA - exceptions for individual users possible?
Post by: meyergru on December 01, 2023, 01:30:17 PM
Quote from: Patrick M. Hausen on December 01, 2023, 01:18:23 PM
Ah - now I understand. As soon as I create a Local+TOTP server all local users get 2FA activated.

Yes, unless you use both Local and Local+TOTP, but then, any user can bypass TOTP. But you should have "Local" only defined (yet normally disabled) in order to switch to that if TOTP goes south.
Title: Re: 2FA - exceptions for individual users possible?
Post by: Patrick M. Hausen on December 01, 2023, 01:37:06 PM
I'll go with the emergency SSH key route. Thanks.

Do you happen to know what I would need to do on the command line to re-enable local without TOTP?