Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Double authentication and emergency account
« previous
next »
Print
Pages: [
1
]
Author
Topic: Double authentication and emergency account (Read 1369 times)
mc.gyver.reboot
Newbie
Posts: 6
Karma: 0
Double authentication and emergency account
«
on:
January 30, 2023, 05:08:44 pm »
Hello,
I want to put double authentication on my OPNSense but I read in the documentation that once activated, no account without 2FA can connect.
Do you have a solution for emergency access accounts, in case the authentication server is no longer reachable?
Thank you for your help !
Logged
Mks
Sr. Member
Posts: 272
Karma: 19
Re: Double authentication and emergency account
«
Reply #1 on:
January 30, 2023, 08:45:54 pm »
Hi, may this helps:
https://docs.opnsense.org/troubleshooting/password_reset.html
?
Br
Logged
mc.gyver.reboot
Newbie
Posts: 6
Karma: 0
Re: Double authentication and emergency account
«
Reply #2 on:
February 09, 2023, 09:15:44 am »
Hi, unfortunately this does not answer my question.
My problem is that if double authentication is enabled, I cannot create an account without MFA, which gives me a problem because we need to create an "emergency" account without MFA in the event that double authentication is n is not available.
Do you have a solution?
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Double authentication and emergency account
«
Reply #3 on:
February 09, 2023, 10:32:50 am »
What's your recovery strategy?
Typically you can set the console to unlocked for recovery purposes or disable integrated authentication, which allows you to log into console, ssh or sudo with password and not MFA.
If you want this for the GUI that is impossible (and insecure).
Cheers,
Franco
Logged
Patrick M. Hausen
Hero Member
Posts: 6849
Karma: 575
Re: Double authentication and emergency account
«
Reply #4 on:
February 09, 2023, 10:41:37 am »
I'd suggest ssh with key.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Double authentication and emergency account
«
Reply #5 on:
February 09, 2023, 11:30:29 am »
Right, didn't even come to mind as that should be the case always.
Cheers,
Franco
Logged
mc.gyver.reboot
Newbie
Posts: 6
Karma: 0
Re: Double authentication and emergency account
«
Reply #6 on:
February 14, 2023, 11:58:42 am »
Thank you for your help, so I think what we want to do is therefore impossible.
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Double authentication and emergency account
«
Reply #7 on:
February 14, 2023, 12:22:11 pm »
I suppose eventually a strategy is to either use an external auth (that includes os-freeradius) on the same box, but has some added risk for emergence accounts when the network or software is not responding.
The risk-free approach would be to have multiple "local authentication" servers that you can hold accounts so that these accounts do not reach out to 2FA, but that would be the first request I've heard and likely not within core scope.
That being said, it's possible to create a plugin for this from the existing authenticators and a user selector added, but it will likely not meet inclusion standards for core and plugins repositories.
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Double authentication and emergency account