OPNsense Forum » Archive » 18.1 Legacy Series » [solved] 2FA
Topic: [solved] 2FA (Read 6865 times)
qinohe (Full Member, 160 posts, karma 19)
[solved] 2FA
Posted on: May 30, 2018, 06:51:10 pm
Hi all,
Thanks for all the labour done on OPNsense already. I kept my eye on OPNsense from the beginning, installed it a few times, and am now 'officially' migrated to it from pfSense.
Everything works as expected, though, there are a few things and they may be features.
I use 2FA for OpenVPN and for an admin to log in; both work fine. But I have that same admin login on SSH using keys (I know SSH is not part of 2FA, plans?) and was able to elevate my rights, becoming root with su, without 2FA enabled.
After enabling 2FA, su to root was not possible anymore. Since I can log in on SSH (keyfile) using the admin who is using 2FA, and I want to become root (which doesn't use 2FA), why be bothered by 2FA, since the login with token won't work anyway?
Thanks mark
Last Edit: May 30, 2018, 07:36:29 pm by qinohe
fabian (Hero Member, 2769 posts, karma 200; OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: 2FA
Reply #1 on: May 30, 2018, 07:03:02 pm
2FA in the shell is using PAM. In case of su you are asked for the root password / token, while sudo asks for yours. Also sudo is allowed for admin users.
qinohe (Full Member, 160 posts, karma 19)
Re: 2FA
Reply #2 on: May 30, 2018, 07:19:05 pm
So using sudo with 2FA works in the shell, just tested.
Now, if I understand correctly, I have to give root an OTP as well to log in using su?
Thanks mark
edit: NVM, I gave root an OTP and it's working, thanks fabian
Last Edit: May 30, 2018, 07:33:55 pm by qinohe
franco (Administrator, Hero Member, 17659 posts, karma 1611)
Re: [solved] 2FA
Reply #3 on: May 30, 2018, 09:12:49 pm
Hi there,
Welcome!
If you want a more traditional approach to console / SSH usage you can check "Disable integrated authentication" under System: Settings: Administration. It disables the fancy web GUI-bound authentication for such low-level services, reverting it to a standard password verify.
Generally what Fabian said is true: "su" asks for the target user's password (root by default), sudo asks for the user's password (by default, but you can change that on the Administration page as well, to disable it or allow it without a password).
My favourite setup is SSH with key login only, no root login allowed, GUI with 2FA, scrambled root password and no OTP token and the auxiliary admin user with 2FA and sudo set to "without password".
In recovery cases, it makes sense to enable auto-login of the console menu for reverts and corrections. Also found on the Administration page. But it generally means to secure physical console access...
All in all, many options.
Cheers,
Franco
Last Edit: May 30, 2018, 09:14:28 pm by franco
qinohe (Full Member, 160 posts, karma 19)
Re: [solved] 2FA
Reply #4 on: May 30, 2018, 11:48:21 pm
Hey franco, thanks for the welcome,
I know what su & sudo do, but I messed that up, thinking that if I can log in with SSH with a user that is using 2FA without using the token, because SSH doesn't have 2FA, then I can also elevate my rights and become root. But of course that is a shell login and uses 2FA; I get that now, thanks.
Hehe, mine is the same; the difference is I have sudo with password, the rest is the same.
Will look into that recovery item. I make regular backup.xml, because if things go wrong, like it did earlier this week, it becomes impossible to log in using 2FA; the phone not being able to lock on to a time server was the culprit, as I found out afterwards. I had already restored a backup...
Thanks mark
franco (Administrator, Hero Member, 17659 posts, karma 1611)
Re: [solved] 2FA
Reply #5 on: May 31, 2018, 11:19:48 am
Hi Mark,
Oh yes, if root does not have an OTP seed you cannot gain access if no authentication fallback is supplied.
NTP is the achilles heel of TOTP. The unlocked root console menu is one way to deal with it, the other is using SSH keys without said password.
Maybe in time we will extend the solution a little bit to optionally disallow TOTP users to use a plain password even if the fallback is set, but it requires a bit of discussion or some kind of group abstraction to make sure we have a portable/flexible solution going forward that does not break POLA.
Authentication can be tricky at times.
Cheers,
Franco
qinohe (Full Member, 160 posts, karma 19)
Re: [solved] 2FA
Reply #6 on: May 31, 2018, 02:25:42 pm
Hi franco,
Thanks for the heads up, I think I'll just stick to SSH with keys for now, but with password, and console access without 2FA, at least until I get a better grasp of the whole situation. I didn't really use it before, besides my bank.
Will keep an eye on the development of TOTP within OPNsense, btw. what is POLA?
Yes, authentication probably is tricky; I hope I don't meet that 'biatch' too often though
Thanks mark
franco (Administrator, Hero Member, 17659 posts, karma 1611)
Re: [solved] 2FA
Reply #7 on: May 31, 2018, 02:43:02 pm
Hi mark,
It's just a way of saying the UI should behave in accordance with your / generally shared expectations within the target domain.
https://en.wikipedia.org/wiki/Principle_of_least_astonishment
Cheers,
Franco
qinohe (Full Member, 160 posts, karma 19)
Re: [solved] 2FA
Reply #8 on: May 31, 2018, 04:53:46 pm
Hi franco,
Makes sense, I read the article; personally I find OPNsense works to my expectations and is very intuitive. I'm not that surprised about new things, as I knew they were coming anyway, thanks
Greetings mark