I played a bit with 2FA recently. For example, you can protect cockpit easily. The principle: you use your login and password, then cockpit asks you for a time-based code that you can get from your smartphone.
to protect cockpit:
yum install google-authenticator
then launch the command:
google-authenticator -t -d -f -r 3 -R 30 -W
you get a QR code with the secret key and some recovery codes
Add at the end of the file /etc/pam.d/cockpit (nullok means that if you don't have 2FA set up in your home directory, you can still log in):
auth required pam_google_authenticator.so nullok
you can find your 2FA settings there; copy them somewhere safe
now install the Android application Google Authenticator on your smartphone, go through the wizard, then it asks you either to type in the secret key or to scan the QR code
go to cockpit, fill in your root login/password, and afterwards it will ask for the verification code that you can read on your smartphone.
SSH can also be protected this way just as simply, with the same 2FA settings
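The following is an added example, not code from the post above or from the google-authenticator project: a standard-library Python model of the two ends of the setup just described. totp() is what the smartphone app computes from the secret in the QR code; TotpVerifier is a simplified stand-in for the checks pam_google_authenticator performs with the options used in that command line (-t time-based, -d disallow reuse, -r 3 -R 30 rate limit, a small window around the current step). The arithmetic follows RFC 4226 (HOTP) and RFC 6238 (TOTP); the class, the method names, the window width and keeping state in memory rather than in ~/.google_authenticator are this example's own choices, not the module's internals.

```python
"""
Added example, not code from the post above or from the google-authenticator
project: a standard-library model of what the phone app (totp) and the PAM
module (TotpVerifier) compute. Implemented from RFC 4226 and RFC 6238.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_secret(base32_secret: str) -> bytes:
    """The secret google-authenticator prints and puts in the QR code is
    base32; tolerate lowercase and missing '=' padding."""
    s = base32_secret.strip().upper().rstrip("=")
    return base64.b32decode(s + "=" * (-len(s) % 8))


class TotpVerifier:
    """Per-user server state: secret, one-time scratch codes, the time steps
    already used and a log of recent attempts (kept in memory here; the PAM
    module keeps the equivalent in the user's ~/.google_authenticator)."""

    def __init__(self, base32_secret, scratch_codes=(), window=1,
                 rate_limit=3, rate_time=30, disallow_reuse=True, step=30):
        self.secret = decode_base32_secret(base32_secret)
        self.window = window                  # accept steps now-window .. now+window
        self.rate_limit = rate_limit          # -r 3: at most 3 attempts ...
        self.rate_time = rate_time            # -R 30: ... per 30 seconds
        self.disallow_reuse = disallow_reuse  # -d
        self.step = step
        self.scratch = set(scratch_codes)     # 8-digit emergency codes, usable once
        self.used_steps = set()
        self.attempts = []

    def _rate_limited(self, now: int) -> bool:
        """Record this attempt and report whether the limit is now exceeded.
        Rejected attempts count too, so a code guesser is throttled."""
        self.attempts = [t for t in self.attempts if now - t < self.rate_time]
        self.attempts.append(now)
        return len(self.attempts) > self.rate_limit

    def verify(self, code: str, now: int) -> bool:
        code = code.strip()
        if self._rate_limited(now):
            return False
        if not (code.isascii() and code.isdigit()):
            return False
        # Emergency scratch code: independent of time, valid exactly once.
        if len(code) == 8:
            for scratch in list(self.scratch):
                if hmac.compare_digest(scratch, code):
                    self.scratch.discard(scratch)
                    return True
            return False
        if len(code) != 6:
            return False
        current = now // self.step
        # Walk the window so a phone clock a few seconds off still works,
        # comparing each candidate in constant time.
        for step in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                if self.disallow_reuse and step in self.used_steps:
                    return False      # same code presented twice: replay
                self.used_steps.add(step)
                return True
        return False


if __name__ == "__main__":
    # Demo with the RFC 6238 test seed (constructed input, not a real secret).
    seed_b32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"
    now = int(time.time())
    code = totp(decode_base32_secret(seed_b32), now)
    v = TotpVerifier(seed_b32)
    print("code now:", code, "accepted:", v.verify(code, now),
          "replayed:", v.verify(code, now))
```

The RFC 6238 test seed used in the demo is public, so the codes it produces are checkable against the RFC's table; a real deployment uses the secret the google-authenticator command generated, and the replay check is why the same code typed twice within the same 30-second step is refused.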
I understood something one day: to be right alone is not good. We have to comply with many protocols, many cases, so for me if Google is the easiest way and the most compatible, it is probably a way, maybe not the best, I agree.
But is it really? Yes, it’s provided by Google, but it’s an entirely standalone application–the only connection to Google’s services at all is that it can optionally use them to generate the QR code you’d use to configure your auth token (which can, but need not, be an app provided by Google–it can just as well be a third-party app like Authy, or even a password manager like Bitwarden). And the QR code isn’t even necessary, it just greatly simplifies setting up the auth token. The protocol is well-documented and free, and can be implemented by anyone with the skill to code it.
If there’s a concern about using Google to generate the QR code, no doubt this could be done locally as well; we’d just need to code it ourselves.
Edit: This same discussion came up about five years ago on the SME forums; here’s what I found then:
I would not say “it’s google”.
There is an app developed by google, the version in the official store has a proprietary license, but there’s an open source version, the sources are on github, the protocol (OATH) is based on standards.
And you could use an app of your choice supporting OATH (there’s one from Microsoft).
All that would have to be done is to generate a QR code with the content of otpauth://totp/user@host?secret=longsecretkey, and there’s a free PHP library available to do just that. And with that, there’s no reason that use of Google Authenticator would need to touch Google’s services in any way.
None whatsoever, unless you have them generate the QR code for you. If you do, then you send them the username, the host, and the secret key. Whether they log that (and if so, how long they keep it and what other information they attach to it) is another question–but there’s no reason you need to have them generate the QR code.
That would be up to Google, but there’s no reason the QR code (which does make setting up the authenticator app much easier) can’t be generated directly on the Neth box.
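As an added example of what "generating the QR code locally" amounts to (this is not code from the thread or from Google Authenticator, FreeOTP or the PHP library mentioned above): the QR image only encodes an otpauth:// URI of the form quoted above, so both producing one and reading one back the way the phone app does need nothing beyond a random base32 secret and a little URL encoding from the Python standard library. The function names and the choice to leave "@" unencoded in the label are this example's own.

```python
"""
Added example, not code from the thread or from any authenticator project:
what the QR code carries. Building and parsing the otpauth://totp/ URI is
all local; nothing here contacts an external service.
"""
import base64
import binascii
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit


def random_base32_secret(nbytes: int = 10) -> str:
    """Fresh secret from the OS CSPRNG. 10 bytes (80 bits, the RFC 4226
    minimum) encode to 16 base32 characters with no '=' padding."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def _check_base32(secret: str) -> str:
    """Normalize (uppercase, strip padding) and fail early on a secret the
    phone app would reject."""
    s = secret.strip().upper().rstrip("=")
    if not s:
        raise ValueError("empty secret")
    try:
        base64.b32decode(s + "=" * (-len(s) % 8))
    except binascii.Error as exc:
        raise ValueError(f"secret is not base32: {exc}") from exc
    return s


def make_otpauth_uri(base32_secret, account, issuer=None,
                     digits=6, period=30, algorithm="SHA1"):
    """Build otpauth://totp/LABEL?secret=...[&issuer=...]. The label is
    'issuer:account' when an issuer is given; '@' is left readable, ':' is
    percent-encoded. Non-default parameters are added only when needed."""
    secret = _check_base32(base32_secret)
    label = f"{issuer}:{account}" if issuer else account
    params = {"secret": secret}
    if issuer:
        params["issuer"] = issuer
    if algorithm.upper() != "SHA1":
        params["algorithm"] = algorithm.upper()
    if digits != 6:
        params["digits"] = str(digits)
    if period != 30:
        params["period"] = str(period)
    return "otpauth://totp/" + quote(label, safe="@") + "?" + urlencode(params)


def parse_otpauth_uri(uri: str) -> dict:
    """What the phone app does when it scans the code: split the URI and
    validate the pieces. Raises ValueError on anything it would not accept."""
    u = urlsplit(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    label = unquote(u.path.lstrip("/"))
    q = {k: v[-1] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("secret parameter missing")
    secret = _check_base32(q["secret"])
    issuer, account = q.get("issuer"), label
    if ":" in label:                      # 'issuer:account' label form
        label_issuer, account = label.split(":", 1)
        issuer = issuer or label_issuer
    digits = int(q.get("digits", "6"))
    period = int(q.get("period", "30"))
    if digits not in (6, 8) or period <= 0:
        raise ValueError("unsupported digits/period")
    return {"account": account, "issuer": issuer, "secret": secret,
            "digits": digits, "period": period,
            "algorithm": q.get("algorithm", "SHA1").upper()}


def is_valid_otpauth_uri(uri: str) -> bool:
    try:
        parse_otpauth_uri(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed example: a new secret for root on this host. The same URI,
    # rendered by a local tool, is exactly what the QR code contains.
    print(make_otpauth_uri(random_base32_secret(), "root@host", issuer="NethServer"))
```

To turn the printed URI into a scannable image on the server itself, pipe it into a local QR encoder such as the qrencode package (for example `qrencode -t ANSI`), which draws it in the terminal; the secret never leaves the box.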
the time-based code is available either on FreeOTP or on the Google apps
This method is more scriptable; the con I can see is that you cannot make an exception for a user without TOTP, since we maintain a list. Furthermore we could even pass the key on the command line and save it in the secrets of the nethserver db.
For the Google PAM module, the settings must be in the user's home, and they are created only at the first login; this leads to sharing the same TOTP secret key because we copy it from the skel.
I'm also very interested in MFA; the problem is there are so many standards.
Anyone knows this solution: https://www.rcdevs.com/products/ldproxy/
It seems very straightforward and integrates with every client that talks LDAP, so the client is not MFA aware.
In short: as the password you use your LDAP/AD password and append a TOTP; the proxy splits the password from the TOTP and verifies both.
It would be great if we could implement such a thing in Nethserver.
Does this solution allow for only some (and not all) users to use MFA? I’d think that would be a critical requirement for anything that would go in Neth. Otherwise, the ability to work with anything that uses LDAP authentication, without requiring a separate entry field for the PIN, sounds like a big win.
A second question would be whether this is Free/Open Source software–and the “Completely free for up to 40 users” suggests it isn’t. (and a closer look at their “standard terms and conditions” seems to confirm this; this is pure commercial, closed-source software).
I haven’t tested this solution, just came across it during my search. I think MFA can be enabled per user from what I’ve read in the docs.
This solution is indeed commercial (although it’s called openOTP), so no integration possible.
But I was just thinking about the concept of an LDAP bridge/proxy; it might be possible with open-source solutions too.