2FA broken since the update

Started by jke, February 27, 2025, 01:06:17 PM

Quote from: Mks on March 01, 2025, 07:45:32 PM
Hi,

I've analyzed the issue today and it was not related to OPNsense.

The NTP daemon on my Admin Workstation stopped for whatever reason and due to that the time was out of sync.

br

Hi Mks,
in my case, this isn't the problem.
But I just figured out it may be the "daylight savings time", which seemingly isn't handled correctly by OPNsense.
In the logs I can see the timestamp of current actions with my time -1 hour.
Do you know if that could be the problem for the faulty OTP token?

Also, if this is really the problem, can someone explain why it just happens with version >=25.1?

Hi!
Not sure what's wrong, but 2FA stopped working since the update to 25.1 for me too. I'm using Google Authenticator, and it still works for every other login.

The usual cause is that the system time is off for whatever reason. 2FA generally works fine with 25.1.x.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Hi!

Thanks, but system time was definitely not off.
I got in via console into my box and verified the system time was correct to a second. Verified NTP with ntpq -p, it showed many reachable peers. Then I rebooted. 2FA still did not work. Updated from 25.1.2 to 25.1.3. Still no login possible, until I used "opnsense-shell password" to reset the password and auth to the local database.

Something is fishy.

Peter


Set up 2FA from scratch again, in trial mode only. See whether that testing works on a new instance. If clocks are right on both devices then the code string is wrong on one or the code is at the wrong end. I am not actually suggesting you got the latter wrong, it is just a remaining available cause.

I have had no problems at all with 2FA through upgrades from 24.7 to 25.1.3.
Deciso DEC697
+crowdsec +wireguard
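
The clock-versus-secret question raised in this thread can be checked offline. The following is an added example, not part of any post and not OPNsense code: an RFC 6238 TOTP generator (HMAC-SHA1, 30-second steps, 6 digits, the Google Authenticator defaults) plus a hypothetical helper, find_clock_offset, that reports how far a submitted code sits from the server clock. The secret is the RFC 6238 test key, used here as constructed sample input.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Input is Unix time, which is always UTC,
    so the local time zone or DST display setting does not enter the result."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def find_clock_offset(secret_b32, code, server_time, max_skew=2 * 3600):
    """Search nearest-first for the offset (seconds, multiple of STEP) at which
    `code` would be valid relative to server_time. None means no step within
    max_skew matches, which points at a wrong secret rather than a wrong clock.
    With 6 digits a chance match is possible but rare over this window."""
    for n in range(max_skew // STEP + 1):
        for delta in ((0,) if n == 0 else (n * STEP, -n * STEP)):
            t = server_time + delta
            if t >= 0 and hmac.compare_digest(totp(secret_b32, t), code):
                return delta
    return None

if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, not a real secret
    now = int(time.time())
    # Constructed case: the authenticator device's clock is one hour behind.
    code_from_slow_device = totp(secret, now - 3600)
    print("offset:", find_clock_offset(secret, code_from_slow_device, now))
    # Constructed case: device enrolled with a different secret.
    other = "JBSWY3DPEHPK3PXP"
    print("offset:", find_clock_offset(secret, totp(other, now), now))
```

A result of 0 or one step either side means the clocks agree and the cause lies elsewhere, such as the secret or the order of password and token.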

Thanks for your time and your tests Passeri! It's a possibility of course, that I got the "code string" wrong and I'm sure I did it wrong several times. I'm also sure though, that despite my lacking typing capabilities, I got it right sometimes. :)
I will set 2FA up again this evening and do some further testing.