2FA issue

asw2012

Contributor
Joined
Dec 17, 2012
Messages
182
Hi @Heracles

Thanks for the info. I always have an SSH connection to the console, and I will connect that way if all else is a no-go.
 

Dave Hamby

Dabbler
Joined
May 16, 2017
Messages
44
If you have physical or IPMI console access, use Option 7 to reset the root password. That will disable 2FA and you can reconfigure it from the WebUI.
 

asw2012

Contributor
Joined
Dec 17, 2012
Messages
182
@Dave Hamby
I also have IPMI access. This is probably the best way in case of disaster.

Thanks for the help!
 

Mario1971

Dabbler
Joined
Jul 14, 2019
Messages
40
Hello, I'm back. Two weeks ago I set up the same NTP servers on all computers in the network. The times are running synchronously. Today I tried to log in with my password and the 2FA token - no success. Even over SSH the password was not accepted, although it was definitely correct!
I have reset the password on the server itself and am leaving 2FA out for now. I have no idea what is going on. The version is the latest, TrueNAS-12.0-U6. Many greetings, Mario
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hey @Mario1971,

What are you using as a 2FA token?
Also, when you say that the time is in sync, how did you check that?

Please, post the output of your time sync check. There are many details that may be relevant.
 

Mario1971

Dabbler
Joined
Jul 14, 2019
Messages
40
Ok I have gone through all the settings again.
The Windows computer was still using an NTP from Microsoft; it has now been switched to the Fritzbox.
The Fritzbox looks at the NTP of the PTB-Braunschweig (atomic clock).

The output of ntpq -pn gives this:
Code:
root@TrueNAS[~]# ntpq -pn
remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.178.1   192.53.103.104     3 u    2   32  377    0.565   -0.179   0.390


The output of ntpq -c rv this:
Code:
root@TrueNas[~]# ntpq -c rv
associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
version="ntpd 4.2.8p15-a (1)", processor="amd64",
system="FreeBSD/12.2-RELEASE-p10", leap=00, stratum=4, precision=-24,
rootdelay=22.584, rootdisp=4.366, refid=192.168.178.1,
reftime=e5255cc0.31ccf9fa  Thu, Oct 28 2021 19:30:40.194,
clock=e5255d13.e94b1485  Thu, Oct 28 2021 19:32:03.911, peer=34591, tc=5,
mintc=3, offset=-0.179060, frequency=+80.332, sys_jitter=0.357319,
clk_jitter=0.123, clk_wander=0.007


On Windows, w32tm /stripchart reports this:
Code:
C:\Users\Guo>w32tm /stripchart /computer:192.168.178.1 /dataonly /samples:5
192.168.178.1 wird verfolgt [192.168.178.1:123].
5 Proben werden gesammelt.
Es ist 28.10.2021 19:35:30.
19:35:30, -00.8791080s
19:35:32, -00.8791828s
19:35:34, -00.8794163s
19:35:37, -00.8792029s
19:35:39, -00.8793492s


I am accessing TrueNAS from a Windows 10 machine. The 2FA is generated by "Bitwarden" on this machine. As a fallback layer I have installed Google Auth on my Android Samsung S20+. Both tokens are regenerated on the devices (PC and S20+) at the same time. The tokens are identical. TrueNAS denies access.
What surprises me: I did not enable 2FA for access via the SSH console, yet the console reports that the password is wrong. No further access to TrueNAS was recorded in the log files - a change of the password in the meantime by an unauthorized person should be excluded.

2FA is not that important; the versions of TrueNAS up to and including TrueNAS-12.0-U4 did not have this problem for me.
Many greetings
Mario
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hi,

So these numbers look good. Because the password is not accepted on SSH either, there may have been a misconfiguration around the primary factor, the static password. Once you get it cleared and re-configured, you may well need to also re-configure 2FA and generate new keys for the account.

So I would suggest you do that: force a new strong static password, re-configure 2FA for new keys, re-configure your TOTP clients (Bitwarden and Google) and go from there. They should work at first (if not, the problem is the way you configure it) and keep working (now that NTP is used everywhere).

As for SSH, I suggest you use crypto keys to authenticate. Stronger and independent from 2FA.
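
Added example, not part of the thread and not TrueNAS code: a small RFC 6238 check that separates the two failure causes discussed above, clock drift versus a wrong or stale secret. It assumes the RFC defaults (HMAC-SHA1, 30 s step, 6 digits) and a server that accepts one step either side; the secret is the published RFC 6238 test key, and `matching_step` and `diagnose` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds per time step (RFC 6238 default; assumed for this example)
DIGITS = 6    # code length (assumed)
# RFC 6238 test key "12345678901234567890" in base32, not a real account secret
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time // step))
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    pos = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def matching_step(secret_b32, code, server_time, search=20):
    """Step offset (client minus server) whose code matches, nearest first."""
    for k in sorted(range(-search, search + 1), key=abs):
        if hmac.compare_digest(totp(secret_b32, server_time + k * STEP), code):
            return k
    return None

def diagnose(secret_b32, code, server_time, window=1):
    """Explain why a submitted code would or would not be accepted."""
    k = matching_step(secret_b32, code, server_time)
    if k is None:
        return "no match: wrong secret or mistyped code, not clock drift"
    if abs(k) <= window:
        return f"accepted (step offset {k})"
    return f"rejected: client clock off by about {k * STEP} s"

if __name__ == "__main__":
    server = 1111111109                        # constructed server time
    # Sub-second offset, like the w32tm samples: same 30 s step, accepted.
    print(diagnose(SECRET, totp(SECRET, server - 0.88), server))
    # Constructed five-minute drift: the code is valid, but for another step.
    print(diagnose(SECRET, totp(SECRET, server - 300), server))
    # Code from a time far outside the search range stands in for a stale secret.
    print(diagnose(SECRET, totp(SECRET, 59), server))
```

A code that matches at a non-zero offset points at the clock; a code that matches nowhere in the search range points at the enrolled secret, which is the case where regenerating the 2FA keys helps.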
 

Mario1971

Dabbler
Joined
Jul 14, 2019
Messages
40
Hello and thanks for your help. I have now changed the SSH access to an RSA-2048 key. It runs so far.
I have also renewed the 2FA keys and enabled 2FA for the GUI. I will now watch the system for a while and log in to the GUI daily; let's see if it works now.
Thank you very much - I will give you feedback in 14 days.

Many greetings Mario
 