2FA or two-factor authentication with cockpit

I played a bit with 2FA recently for example you can protect cockpit easily, the principle, you use your login and password then cockpit asks you a time based code that you can query with your smartphone

to protect cockpit

yum install google-authenticator

then launch the command

google-authenticator -t -d -f -r 3 -R 30 -W

you have a QR code with the secret keys and some recover codes

Add at the end of the file /etc/pam.d/cockpit (nullok means if you have not 2FA in your home, you can still login)

auth required pam_google_authenticator.so nullok

you can find your 2FA settings, copy them somewhere safe

[root@ns7loc14 ~]# cat .google_authenticator

IGKSV2QCRAXDFB2LPAWLHVCSZI                          # secret key
" RATE_LIMIT 3 30 1576007886                                # settings
" WINDOW_SIZE 3
" DISALLOW_REUSE 52533596
" TOTP_AUTH
32144227                                    # recover codes 
32980279
70603244
96805642
96022632

then restart cockpit

systemctl restart cockpit

now install the android application google authentificator on your smartphone , pass the wizard, then it asks you either to write the secret key, or to flash the QR code

go to cockpit, fill your login/password for root, it will ask after the code verification that you can read on your smartphone.

SSH can also be protected like this way simply, with the same 2FA settings

what do you think ?

9 Likes

It’s a nice security feature for an admin console I think.

Would it be possible to add freeotp as alternative to google authenticator?

Found this for ssh.

2 Likes

pro : google_authenticator

cons:

cons: it’s google… please stay away from it!

you are right, in the next version of NS, no more Samba4, you are my hero :slight_smile:

EDIT : i am kidding !

What did I miss? Since when is Samba4 owned or controlled by Google?

no but without samba4 we are far from microsoft world

I understood something one day, to be true alone is not good. We have to comply many protocols, many cases, so for me if google is the easiest way and the most compatible, it is probably a way, maybe not the best I agree

3 Likes

cons google_authenticator

drop a setting in the home of the user, oath is a file based that we could overwrite by a template

pro oath, it is redhat based

2 Likes

I can valid a google code with a freeotp android app, It sounds like some standard protocol on TOTP

2 Likes

But is it really? Yes, it’s provided by Google, but it’s an entirely standalone application–the only connection to Google’s services at all is that it can optionally use them to generate the QR code you’d use to configure your auth token (which can, but need not, be an app provided by Google–it can just as well be a third-party app like Authy, or even a password manager like Bitwarden). And the QR code isn’t even necessary, it just greatly simplifies setting up the auth token. The protocol is well-documented and free, and can be implemented by anyone with the skill to code it.

If there’s a concern about using Google to generate the QR code, no doubt this could be done locally as well; we’d just need to code it ourselves.

Edit: This same discussion came up about five years ago on the SME forums; here’s what I found then:
https://forums.contribs.org/index.php/topic,51306.msg260537.html#msg260537

2 Likes

I would not say “it’s google”.
There is an app developed by google, the version in the official store has a proprietary license, but there’s an open source version, the sources are on github, the protocol (OATH) is based on standards.
And you could use an app of your choice supporting OATH (there’s one from Microsoft).

2 Likes

All that would have to be done is to generate a QR code with the content of otpauth://totp/user@host?secret=longsecretkey, and there’s a free PHP library available to do just that. And with that, there’s no reason that use of Google Authenticator would need to touch Google’s services in any way.

1 Like

Question is: how much data is sent to google via the Open Source?
How this data can comply with GDPR management?

None whatsoever, unless you have them generate the QR code for you. If you do, then you send them the username, the host, and the secret key. Whether they log that (and if so, how long they keep it and what other information they attach to it) is another question–but there’s no reason you need to have them generate the QR code.

That would be up to Google, but there’s no reason the QR code (which does make setting up the authenticator app much easier) can’t be generated directly on the Neth box.

2 method

yum install liboath gen-oath-safe pam_oath

then generate the key
[root@ns7loc13 ~]# gen-oath-safe root totp

INFO: No secret provided, generating random secret.

Key in Hex: dff5c98e985c76298574154a0530b444b127e873
Key in b32: 3724TDUYLR3CTBLUCVFAKMFUISYSP2DT (checksum: 6)

URI: otpauth://totp/root?secret=3724TDUYLR3CTBLUCVFAKMFUISYSP2DT
                                                              
                .  .  .     .       .     .  .              . 
 .   .  .  .                          .          .  .  .      
             .   .               .      .    .           .    
     .                                                       .
                      . .   .       .     . .    .            
 .          .    .               .     .                .     
                     .                       .               .
    .  .  .    .            .              .      .  .     .  
            .      .     .        . . .  .                    
 .     .              .    .                 .         .    . 
                 .  .        . . .    .           . .         
         .   .          .           .     .    .           .  
      .                                                      .
 .       .     .           .     .         .    .  .   . .    
            .    . .  .                 .    .                
  .    .                       .                      .     . 
           . .  .      .                      .   . .         
     .             .         .            .              .  . 
 .                                   .  .           .         
    .  .  .    .     .             .         .   .           .
        .    .     .        .                             .   
 .  . .                .  .                                   
                .                            .  .           . 
          .                   .   .  .   .                    
     .       .   .      .                               .  .  
 .                  .                                        .
             .    .        .                   .     .   .    
     .     .                    .     .                       
                 .            .     .                  .   . .
 .     .        .        .  .     .     .   . .  .   .        

users.oath / otp.users configuration:
HOTP/T30 root - dff5c98e985c76298574154a0530b444b127e873

copy HOTP/T30 root - dff5c98e985c76298574154a0530b444b127e873 to /etc/liboath/users.oath

add
auth required pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6

to /etc/pam.d/cockpit

and restart cockpit

the time based code is available either on freeotp or the google apps

This method is better scriptable, the cons I can see is you cannot make exception for a user without TOTP, indeed we maintain a list. Further more we could even pass the key at the command line, and save it in the secrets of nethserver db

For the google pam, the setting must be in the home of the user, and it is created only at the first login, this lead to share the same TOTP secret key because we copy it from the skel

2 Likes

I’m also very interested in MFA, problem is there are so many standards.
Anyone knows this solution:
https://www.rcdevs.com/products/ldproxy/
It seems very straightforward and integrates with every client that talks LDAP, so the client is not MFA aware.
In short: as password you use your LDAP/AD password and you append a TOTP, te proxy splits the password from the TOTP and verifies both.
Would be great is we could implement such thing in Nethserver.

Does this solution allow for only some (and not all) users to use MFA? I’d think that would be a critical requirement for anything that would go in Neth. Otherwise, the ability to work with anything that uses LDAP authentication, without requiring a separate entry field for the PIN, sounds like a big win.

A second question would be whether this is Free/Open Source software–and the “Completely free for up to 40 users” suggests it isn’t. (and a closer look at their “standard terms and conditions” seems to confirm this; this is pure commercial, closed-source software).

I haven’t tested this solution, just came across it during my search. I think MFA can be enabled per user from what I’ve read in the docs.
This solution is indeed commercial (although it’s called openOTP), so no integration possible.
But i was just thinking about the concept of an LDAP bridge / proxy, might be possible with opensource solutions to.

I confirm that without Microsoft, Google, … is really better.

1 Like