Author Topic: 2FA - exceptions for individual users possible? (Read 825 times)

Patrick M. Hausen · « **on:** December 01, 2023, 10:11:35 am »

Hi all,

I am in the process of setting up a larger customer project. We enabled 2FA (TOTP) and everything is working as expected. Of course we have individual admin users for everyone concerned.

Now what I would like to do is to exempt the root user from the 2FA server, give that user a really complex long password and store that somewhere safe. As an emergency access method should e.g. the time synchronisation ever fail.

Is that possible?

Thanks,
Patrick

meyergru · « **Reply #1 on:** December 01, 2023, 01:05:22 pm »

You could always have a dedicated root user with SSH access use an SSH key - that is how I do it.

Also, AFAIK, you can enable several authentication servers. So, you could use LDAP+TOTP plus Local authentication. In that case, you would have the non-2FA user in the local database. It could be the other way around, but that defeats the use case somehow. And I think if you want Local+TOTP, you cannot discriminate by using another "local" source.

Patrick M. Hausen · « **Reply #2 on:** December 01, 2023, 01:18:23 pm »

Quote from: meyergru on December 01, 2023, 01:05:22 pm

You could always have a dedicated root user with SSH access use an SSH key - that is how I do it.

Looks like that will be my only option for emergency measures.

Quote from: meyergru on December 01, 2023, 01:05:22 pm

Also, AFAIK, you can enable several authentication servers. So, you could use LDAP+TOTP plus Local authentication. In that case, you would have the non-2FA user in the local database. It could be the other way around, but that defeats the use case somehow. And I think if you want Local+TOTP, you cannot discriminate by using another "local" source.

Ah - now I understand. As soon as I create a Local+TOTP server all local users get 2FA activated. Grrr ... is there an OpenLDAP server plugin? FreeRADIUS only it seems. That adds another level of complexity and a huge can of worms.

Setting the authentication server that is used per user would be a huge improvement, IMHO. Small closed group of admins, we can trust everybody will use 2FA if the company policy says so.

meyergru · « **Reply #3 on:** December 01, 2023, 01:30:17 pm »

Quote from: Patrick M. Hausen on December 01, 2023, 01:18:23 pm

Ah - now I understand. As soon as I create a Local+TOTP server all local users get 2FA activated.

Yes, unless you use both Local and Local+TOTP, but then, any user can bypass TOTP. But you should have "Local" only defined (yet normally disabled) in order to switch to that if TOTP goes south.

Patrick M. Hausen · « **Reply #4 on:** December 01, 2023, 01:37:06 pm »

I'll go with the emergency SSH key route. Thanks.

Do you happen to know what I would need to do on the command line to re-enable local without TOTP?

Author Topic: 2FA - exceptions for individual users possible? (Read 825 times)

Patrick M. Hausen

2FA - exceptions for individual users possible?

meyergru

Re: 2FA - exceptions for individual users possible?

Patrick M. Hausen

Re: 2FA - exceptions for individual users possible?

meyergru

Re: 2FA - exceptions for individual users possible?

Patrick M. Hausen

Re: 2FA - exceptions for individual users possible?