2FA - exceptions for individual users possible?

Started by Patrick M. Hausen, December 01, 2023, 10:11:35 AM

Hi all,

I am in the process of setting up a larger customer project. We enabled 2FA (TOTP) and everything is working as expected. Of course we have individual admin users for everyone concerned.

Now what I would like to do is to exempt the root user from the 2FA server, give that user a really complex long password and store that somewhere safe. This would serve as an emergency access method, should e.g. the time synchronisation ever fail.

Is that possible?

Thanks,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

You could always have a dedicated root user with SSH access use an SSH key - that is how I do it.

Also, AFAIK, you can enable several authentication servers. So, you could use LDAP+TOTP plus Local authentication. In that case, you would have the non-2FA user in the local database. It could be the other way around, but that defeats the use case somehow. And I think if you want Local+TOTP, you cannot discriminate by using another "local" source.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on December 01, 2023, 01:05:22 PM
You could always have a dedicated root user with SSH access use an SSH key - that is how I do it.
Looks like that will be my only option for emergency measures.

Quote from: meyergru on December 01, 2023, 01:05:22 PM
Also, AFAIK, you can enable several authentication servers. So, you could use LDAP+TOTP plus Local authentication. In that case, you would have the non-2FA user in the local database. It could be the other way around, but that defeats the use case somehow. And I think if you want Local+TOTP, you cannot discriminate by using another "local" source.
Ah - now I understand. As soon as I create a Local+TOTP server all local users get 2FA activated. Grrr ... is there an OpenLDAP server plugin? FreeRADIUS only it seems. That adds another level of complexity and a huge can of worms.

Setting the authentication server that is used per user would be a huge improvement, IMHO. With a small closed group of admins, we can trust that everybody will use 2FA if the company policy says so.

December 01, 2023, 01:30:17 PM #3 Last Edit: December 01, 2023, 01:32:30 PM by meyergru
Quote from: Patrick M. Hausen on December 01, 2023, 01:18:23 PM
Ah - now I understand. As soon as I create a Local+TOTP server all local users get 2FA activated.

Yes, unless you use both Local and Local+TOTP, but then, any user can bypass TOTP. But you should have "Local" only defined (yet normally disabled) in order to switch to that if TOTP goes south.

I'll go with the emergency SSH key route. Thanks.

Do you happen to know what I would need to do on the command line to re-enable local without TOTP?