Made a newbie mistake with 2FA on TrueNAS Core 12 Beta2

JKzpool

Cadet
Joined
Aug 22, 2020
Messages
8
Hi All

A few moments ago, I went through the set up of 2FA via Systems on my TrueNAS Core 12 Beta2 server.
The following are the rough guideline of steps taken:

1. Left everything as it is stated in 2FA
2. Clicked on Enable 2FA
3. Clicked on Show QR Code

At this moment, I used Google Authenticator app from my mobile to scan the QR Code.

Mobile was set up with generating the codes and then I clicked on Save in 2FA.

I logged out as I thought there was nothing else to do, and now when I try to login, I keep getting the following:

(screenshot attached: 1598111729984.png)

I'm now unable to login.
I'm thinking I missed a step but not sure?
Maybe I need to disable 2FA?

Can anyone advise and help, as I'm trying to get back in.

Thanks
JKzpool
 
Joined
Jan 4, 2014
Messages
1,644
I was wondering when that would happen to someone. I haven't personally tried 2FA on 12. If you haven't got ILO on the server, you should be able to hook up a console and I would hope you can change the password (and disable 2FA) from the menu.

(screenshot attached: screenshot.496.png)
 

JKzpool

Cadet
Joined
Aug 22, 2020
Messages
8
I was wondering when that would happen to someone. I haven't personally tried 2FA on 12. If you haven't got ILO on the server, you should be able to hook up a console and I would hope you can change the password (and disable 2FA) from the menu.

(quoted screenshot, attachment 41019)

I went through this process and changed the password.
However when I go to the login and enter the new password. I still get the same result as shown in the screenshot I attached to my original message.
Any more ideas?

Thanks
JKzpool
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
There are two options if that didn't work I think:
1. Make a manual API call to remove 2FA
2. Download backup/dump and manually change the 2FA setting with a SQLite browser

However:
Resetting the root password should also reset 2FA, or we should have that as a separate option in the GUI.
I suggest filing an issue on the issue tracker about it if resetting the root password didn't work:
 

JKzpool

Cadet
Joined
Aug 22, 2020
Messages
8
There are two options if that didn't work I think:
1. Make a manual API call to remove 2FA
2. Download backup/dump and manually change the 2FA setting with a SQLite browser

However:
Resetting the root password should also reset 2FA, or we should have that as a separate option in the GUI.
I suggest filing an issue on the issue tracker about it if resetting the root password didn't work:


Thanks for the details, as I'm still learning. Do you have any documents that I can follow to do the proposed options that you provided?
I will also raise an issue/bug via Jira to iXsystems.

Thanks again

JKzpool
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
For conversation's sake I'll copy my comment from the JIRA here:
"I didn't suggest to add an issue about being unable to login. That's not a bug.
I suggested you should file a bug report about being unable to reset the 2FA by resetting the root password."

About setting it using the api (or midclt)...
I don't really feel like finding out the exact steps required... sorry. (time/energy etc)
 

Freedom86

Cadet
Joined
Oct 6, 2020
Messages
1
Thanks all for your help, I was able to get the midclt call to disable 2FA.

For the sake of helping other visitors to this thread with a similar problem, the call required is:

midclt call auth.twofactor.update '{"enabled": false}'

As an aside, I believe this happened as the time slipped on the NAS and so the codes it was expecting were already 15 minutes old. With that knowledge I could have tested holding onto a code for the 15 minutes and seeing if it then worked but ICBA to do so as I needed access.
 

Dartis4

Cadet
Joined
Jun 1, 2021
Messages
1
For others that come to this thread, I tested the time slip theory. I connected to my server via console and I checked the time on the server since I had this issue. My server was only about a minute behind, which caused me issues since the 2FA code updates every 30 seconds. I know there is a setting to allow for a greater buffer for the codes, but obviously that negates some of the security of the 2FA. I just waited two cycles on the codes with one already entered and then tried logging in, and it went through no problem. So, there needs to be some effort to mitigate time inconsistency on the server or I guess make sure you can access it by console to check the time so you can still login.
 
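The two posts above describe the same mechanism from the user's side: the authenticator app and the server each derive the code from the current 30-second time step, so a server clock a minute behind is looking for a code two steps older than the one on the phone, and either a wider acceptance window or holding the code until the server catches up makes it match. The following is an added worked example, not code from the thread or from TrueNAS; it implements RFC 4226 HOTP / RFC 6238 TOTP with Python's standard library, uses a constructed demo secret, and simulates the three situations discussed (strict window, widened window, and the "wait a couple of cycles" workaround). The `window` parameter stands in for the "buffer" setting mentioned above; the exact TrueNAS option name is not assumed here.

```python
"""Worked example: why a slow server clock breaks TOTP logins (RFC 6238)."""
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step (what the authenticator app uses)
DIGITS = 6   # code length shown by the app

# Constructed demo secret (the base32 string an app would import from a QR code).
# Not a real TrueNAS secret.
SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, server_time: int, window: int = 0):
    """Check a submitted code against the server's own clock.

    window is the number of 30 s steps accepted on either side of the current
    step (the "buffer" setting discussed in the thread). Returns the matching
    step's offset from the server's current step, or None if the code is rejected.
    A wider window means each code stays valid for (2*window + 1) * 30 seconds.
    """
    current = server_time // STEP
    for step in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, step), code):
            return step - current
    return None


def simulate_skewed_login(secret, phone_time, server_lag, hold_seconds, window=0):
    """Phone generates a code at phone_time; the user submits it hold_seconds
    later; the server's clock runs server_lag seconds behind the phone."""
    code = totp(secret, phone_time)
    server_time_at_submit = phone_time + hold_seconds - server_lag
    return verify(secret, code, server_time_at_submit, window)


if __name__ == "__main__":
    t = 1_000_000_020  # constructed phone time, exactly on a step boundary
    # Server a minute behind, code entered immediately, strict window: rejected.
    print(simulate_skewed_login(SECRET, t, server_lag=60, hold_seconds=0))            # None
    # Same lag with a two-step window: accepted, at the cost of codes living 150 s.
    print(simulate_skewed_login(SECRET, t, server_lag=60, hold_seconds=0, window=2))  # 2
    # The workaround from the thread: hold the code until the lagging server
    # reaches the step it was generated in.
    print(simulate_skewed_login(SECRET, t, server_lag=60, hold_seconds=60))           # 0
```

The example keeps the server-side comparison in constant time (`hmac.compare_digest`) and returns the step offset rather than a bare boolean, which is what you would log to spot clock drift before it locks anyone out: a steady non-zero offset on successful logins means the NAS clock is slipping, and fixing time sync is the mitigation rather than widening the window.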

EvanVanVan

Patron
Joined
Feb 1, 2014
Messages
211
For others that come to this thread, I tested the time slip theory. I connected to my server via console and I checked the time on the server since I had this issue. My server was only about a minute behind, which caused me issues since the 2FA code updates every 30 seconds. I know there is a setting to allow for a greater buffer for the codes, but obviously that negates some of the security of the 2FA. I just waited two cycles on the codes with one already entered and then tried logging in, and it went through no problem. So, there needs to be some effort to mitigate time inconsistency on the server or I guess make sure you can access it by console to check the time so you can still login.

Just wanted to add this time slippage issue just happened to me. Thank you for the simple workaround. I plugged a monitor into the freenas box and saw the time stamps on my failed login attempts were about 1:30 behind. After waiting to use a 2FA code for 2-3 cycles I was able to login successfully. I'm updating the TrueNas hoping the issue is fixed in the most recent builds, and if not, I'm bumping this thread to bring more attention to it.
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,949
Surely the answer is to configure NTP and use that?
 

EvanVanVan

Patron
Joined
Feb 1, 2014
Messages
211
Surely the answer is to configure NTP and use that?

It just happened to me again. I was able to log in with 2FA one minute. I started the process of upgrading my jails (through ssh). I tried to refresh the GUI and got an error about the token having expired. When I tried to log in again I couldn't. I checked "date" through SSH and saw the time was mismatched again by ~11 seconds. After holding back the 2FA code until just after it expired I was able to log in.

Looking at the NTP servers page I do have the 3 default servers configured...they're set to poll between 6-9 minutes, so maybe had I waited long enough it would have fixed itself? Maybe when this issue occurs those of us affected are just hitting it perfectly when NTP hasn't been polled in a few minutes?

edit: clarity/typos
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Are you running your NAS virtualised? If this is on hardware, the clock should deviate at most a couple of milliseconds. System clock going astray is a common problem in VMs with Linux and FreeBSD guests alike.
Doesn't your uplink router serve the time via NTP?
 

EvanVanVan

Patron
Joined
Feb 1, 2014
Messages
211
Are you running your NAS virtualised? If this is on hardware, the clock should deviate at most a couple of milliseconds. System clock going astray is a common problem in VMs with Linux and FreeBSD guests alike.
Doesn't your uplink router serve the time via NTP?

No, it's a dedicated system running on the hardware in my signature. I assume (maybe totally incorrectly) that the system stopped responding momentarily while attempting to upgrade the jail because that's what appeared to happen during the ssh upgrade and just after there was the 11 second time mismatch. I'm not sure of the technical details regarding your last question, I have the newest Verizon FiOS router (g3100).

edit: I just checked the router configuration page, and yes automatic time update is enabled via NTP and the localized time is correct. So it's just the TrueNAS box's time that is lagging periodically.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
I just wanted to suggest to configure your router's IP address as the preferred NTP server in TrueNAS ...
 

EvanVanVan

Patron
Joined
Feb 1, 2014
Messages
211
Ok, thank you, I'll give that a shot. They were the default 0.freebsd.pool.ntp.org, 1.freebsd.pool.ntp.org, and 2.freebsd.pool.ntp.org.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
The defaults are reasonable if you ship a product, but in most networks there probably is also a local NTP server available, which is naturally closer, hence less jitter and better synchronisation. The system is distributed for a reason :wink:
 

EvanVanVan

Patron
Joined
Feb 1, 2014
Messages
211
I was coming here to ask for advice on how to set up my router as the NTP server because I am still getting locked out by 2FA as the system clock falls behind. (I read the documentation but am still a little lost.) I happened to restart my server before I got here and noticed two errors in the console related to the NTP servers:

Code:
Oct 16 16:50:16 freenas 1 2021-10-16T16:50:16.638333-04:00 freenas.local ntpd 1214 - - restrict: ignoring line 10, address/host '0.freebsd.pool.ntp.org' unusable.
Oct 16 16:50:16 freenas 1 2021-10-16T16:50:16.638632-04:00 freenas.local ntpd 1214 - - restrict: ignoring line 11, address/host '1.freebsd.pool.ntp.org' unusable.
Oct 16 16:50:16 freenas 1 2021-10-16T16:50:16.638858-04:00 freenas.local ntpd 1214 - - restrict: ignoring line 12, address/host '2.freebsd.pool.ntp.org' unusable.

Any ideas on what is causing this to happen?

edit: https://www.truenas.com/community/threads/ntp-not-working-with-freenas-11-3-u5.87890/ found a similar issue here

edit2: I actually probably know exactly what the issue is... I have pi-hole setup in a jail as my DNS server for all network traffic. I'm wondering if TrueNAS tries to sync the time before the pi-hole jail is started (and therefore all DNS network traffic fails to resolve). Can I delay or resync the time after TrueNAS is fully loaded? On the plus side, once I use my gateway that should fix it anyway...(as suggested)

edit3: yeah, swapping 0.freebsd.pool.ntp.org, 1.freebsd.pool.ntp.org, 2.freebsd.pool.ntp.org for their IP addresses fixes the error on startup...we'll see if it lasts...

Secondly, how can I configure NTP properly? Do I just use my local gateway (myfiosgateway.com) instead of "X.freebsd.pool.ntp.org"? Or do I use the two addresses that my router uses? (cpe-ntpr.verizon.com, cpe-ntpb.verizon.com)

Thank you
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
You use the internal LAN address of your router. You might need to login to whatever admin interface the router has and explicitly enable NTP. If and how etc. is all dependent on your router brand and model so you should check the documentation for that one.
 