2FA With Authy

[ByerRA]

Is there any plans on adding 2FA to FreeNAS? I would like to have the ability to have 2FA with Authy for users using the web management interface or SSH.

 

[Ericloewe]

SSH with Public Key authentication generally implies two-factor authentication, since you need a passphrase to decrypt the key you sign the server's challenge with.

 

[danb35]

...and the only user allowed to use the web management interface is root; normal users can't log in to that.

 

[sweeze]

Using Duo works; integration is simple and push authentication to mobile phone is much nicer than generating codes.

 

[Ericloewe]

Using Duo works; integration is simple and push authentication to mobile phone is much nicer than generating codes.

You'll have to explain that much better, because what you're suggesting does not make sense.

 

[danb35]

SSH with Public Key authentication generally implies two-factor authentication, since you need a passphrase to decrypt the key you sign the server's challenge with.

...assuming that key is encrypted in the first place, and there's really no way for the FreeNAS admin to enforce that.

 

[sweeze]

You'll have to explain that much better, because what you're suggesting does not make sense.

Which part do you not understand? I'm using Duo Security for MFA.

 

[Ericloewe]

Which part do you not understand? I'm using Duo Security for MFA.

And how does that integrate with FreeNAS?

...assuming that key is encrypted in the first place, and there's really no way for the FreeNAS admin to enforce that.

The really big issue is with root's SSH access. Regular users are a whole different matter - they probably shouldn't have SSH access at all.

 

[sweeze]

via login_duo or PAM

https://duo.com/docs/loginduo
https://duo.com/docs/duounix

 

[Kevin Galbraith]

via login_duo or PAM

https://duo.com/docs/loginduo
https://duo.com/docs/duounix

I am trying to set this up, I have used duo on other systems, but keep failing because It seems i do not have a compiler installed. When I run pkg isntall gcc, I get the following error. pkg: archive_read_open_filename(//usr/ports/packages/All/mpfr-3.1.3_1.txz): Failed to open '//usr/ports/packages/All/mpfr-3.1.3_1.txz

I have no idea how to fix this, or get a different compiler installed. Can you give me a nudge in the right direction of fixing this?

 

[sweeze]

Use the FreeBSD pkg for duo: https://www.freshports.org/security/duo/

Trying to get a functional compiler and libraries on your FreeNAS dataset is probably a bad idea.

 

[Kevin Galbraith]

Use the FreeBSD pkg for duo: https://www.freshports.org/security/duo/

Trying to get a functional compiler and libraries on your FreeNAS dataset is probably a bad idea.

I am going to shock you here, but I am a giant noob with freenas. I am now trying to figure out how to use freshports with freenas. But i also have a potentially related question. Should I be installing duo in a jail, or on base freenas?

 

[danb35]

You should never install anything on base FreeNAS.

 

[Kevin Galbraith]

You should never install anything on base FreeNAS.

So, you are saying create a jail and install Duo in there? I don't see how that will provide 2fa for ssh/sftp?

 

[danb35]

I don't see how that will provide 2fa for ssh/sftp?

I don't see any way to do that on FreeNAS without breaking a lot of rules. I also don't see any reason to use 2FA for SSH or SFTP, when public key authentication is an option instead.

 

[Kevin Galbraith]

I don't see any way to do that on FreeNAS without breaking a lot of rules. I also don't see any reason to use 2FA for SSH or SFTP, when public key authentication is an option instead.

Not to sound like a dick, but i guess I should be looking for help from one of the people who tackled this problem earlier. As for the need, again, being heavily invested in 2fa across other systems, this is easier to get access to. Plus it allows access when I am not at my primary machine.

Thanks though.