OPNsense Forum

English Forums => General Discussion => Topic started by: PiX on April 24, 2025, 11:53:39 AM

Title: Use different Authentication Servers / methods per user or User Group?
Post by: PiX on April 24, 2025, 11:53:39 AM
Hello Team,

I am new to OPNsense product and currently working on hardening the authentication.

As far as I can see, there is no way to configure various authentication methods per user or per user group? Is that correct?

In my example, I would like to force MFA (LocalDB or LDAP + TOTP) for all users but one (an emergency local account with no MFA). But as far as I can see, the authentication servers are configured globally for all users. This means that as soon as "Local Database" is part of the allowed authentication servers, all users existing locally will be able to connect without TOTP.

It would be nice to be able to configure Authentication Servers per User or User Group rather than globally. Is there a trick to achieve this? Or a plugin?

Thanks for your support!
Regards,
PiX
Title: Re: Use different Authentication Servers / methods per user or User Group?
Post by: Patrick M. Hausen on April 24, 2025, 11:59:51 AM
No trick, I am also dearly missing this feature.

I'd love to enforce 2FA but have the root account without and with a, say, 30 character password stored somewhere safe. Just in case e.g. time synchronisation is lost and 2FA stops working ...
Title: Re: Use different Authentication Servers / methods per user or User Group?
Post by: sec on May 11, 2025, 10:21:34 PM
I've experienced exactly that issue. I was helping a client with a DEC670 who had a routing issue that broke TOTP (by preventing NTP) and SSH. Luckily they'd forgotten to require a password for serial console access!
Since then I've looked for ways to create an "emergency access" user that can access the serial console with a password, while also requiring MFA or public key auth for any user logging in remotely.
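As an added example (not OPNsense's own code, and not from any poster in this thread), a small audit script for the situation PiX describes: which enabled local users could authenticate without TOTP while the Local Database is among the allowed authentication servers, and which of those are not on a documented break-glass exception list. It assumes the config.xml layout `<opnsense><system><user>` with `<name>`, `<otp_seed>` and `<disabled>` child elements; the sample configuration below is constructed.

```python
"""Audit local OPNsense users that can log in without TOTP.

Assumption: a local user has TOTP enrolled only when its <otp_seed>
element is non-empty, and <disabled>1</disabled> marks a disabled user.
"""
import xml.etree.ElementTree as ET
from typing import List, Set

# Constructed sample config.xml fragment (not a real export).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <user><name>root</name><otp_seed></otp_seed></user>
    <user><name>alice</name><otp_seed>JBSWY3DPEHPK3PXP</otp_seed></user>
    <user><name>bob</name></user>
    <user><name>old-admin</name><otp_seed/><disabled>1</disabled></user>
  </system>
</opnsense>
"""


def users_without_totp(config_xml: str) -> List[str]:
    """Return names of enabled local users that have no TOTP seed."""
    root = ET.fromstring(config_xml)
    missing = []
    for user in root.findall("./system/user"):
        name = (user.findtext("name") or "").strip()
        seed = (user.findtext("otp_seed") or "").strip()
        disabled = (user.findtext("disabled") or "").strip()
        if not name or disabled == "1":
            continue  # disabled accounts cannot log in at all
        if not seed:
            missing.append(name)
    return missing


def mfa_bypass_users(config_xml: str, local_db_allowed: bool,
                     exceptions: Set[str]) -> List[str]:
    """Users who can bypass MFA and are NOT documented exceptions.

    If the Local Database is not an allowed authentication server, local
    password-only logins are not possible, so nothing is flagged.
    """
    if not local_db_allowed:
        return []
    return [u for u in users_without_totp(config_xml) if u not in exceptions]


if __name__ == "__main__":
    print("no TOTP:", users_without_totp(SAMPLE_CONFIG))
    print("unexpected bypass:", mfa_bypass_users(SAMPLE_CONFIG, True, {"root"}))
```

Run it against a real config.xml backup and treat every name in the "unexpected bypass" list as a finding until the Local Database is removed from the allowed servers or the user is enrolled in TOTP.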