Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

UnRAID need better login security's, login&password are not enought.

Featured Replies

1 hour ago, primeval_god said:

No i wouldnt, but what i consider an acceptably complex password for a device on a home network is likely well below that of someone who thinks 2fa is worthwhile. If unRAID were a multi user system, or enabled SMB users to change their own passwords, I could see having a policy setting, but for a single administrator system I dont see a point. Do they have a password strength graphic for the initial setup (its been so long since i did initial setup i dont remember)?

 

Valid points, no argument there. I've asked for a proper multi-user support in the past myself to have a proper RBAC within unRAID - but to no avail. You are spot on - it is a single-user, single-admin system. Honestly, I wouldn't expose this system externally and would not use it outside of the home.

 

For home use - I think it's a pretty solid system.

 

And regarding password strength graphic, they do not. I recently stood up a new system using 6.2.6 - not there.

Edited by ezhik

  • Replies 51
  • Views 19k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • I think the glaring issue is that this thread seems to imply that the unraid user interface, or server itself should be hardened against external attacks. This would mean that unraid itself is exposed

  • While I agree with you that the security in UnRAID seems pretty weak at default settings, your router admin page should not be accessible from the outside if you configure it correctly and keep it up

  • WenzelComputing
    WenzelComputing

    That's because unraid isn't meant to be enterprise software or externally accessible via webui.   Unraid software is SMB at best and at worst more of a homelab software.   As a sec

3 hours ago, ezhik said:

I wouldn't expose this system externally and would not use it outside of the home.

https://connect.myunraid.net/ (an official unRAID product) seems to contradict the constant user posts on this forum saying not to expose unRAID to the internet. The entire premise of https://connect.myunraid.net/ is to expose and manage your unRAID systems remotely. This exposes the unRAID web login form to the internet. Since this seems to be officially supported behavior it would make sense for there to be a greater care for security. Another good example would be strengthening the default SSH configurations to require keypairs in order to connect to SSH by default. SSH in unRAID can be configured for proper security with SSH, making it entirely safe to expose to the internet (at least as safe as any VPS you would access via SSH), but these safer configurations are not the default. The web UI has no such configurations to improve security, such as requiring 2fa.

 

It's fair and reasonable to tell a user that if they are not educated on the risks of exposing their system to the internet that they should not do it, but it's also fair to point out that unRAID's web UI login could be improved by adding 2fa. unRAID's login seems to be php based, and there are a handful of very good composer packages that make implementing 2fa very easy. Hopefully unRAID considers this.

I personally consider UNRAID a system that always preferred the ease of use over security concerns and I just learned to treat it accordingly. Meaning that I only allow LAN access, share nothing to the internet, install no plugins that I don't trust and use restrictive Docker settings (e.g. for volume mounts, no privileged containers). I love UNRAID for its ease of use as a dataserver and wouldn't want to have it any other way, so requiring 2FA would mostly be an annoyance for me personally. Because as long as everything continues to run as root (which I like, as it makes administration much easier) the only thing that 2FA would accomplish - I think - is leading people into a false sense of security and making stupid decisions in the process... exposing unsecured services to the internet among the various possibilities.

 

I continue to read posts where people ask for LTS versions (which keep getting "security updates"), calling for 2FA or other more advanced security mechanisms. It seriously makes me wonder what their expectations towards UNRAID are and if I'm the only one who doesn't have any such expectations. Because, myself, I want a rock stable dataserver for my LAN (or at most accessible over VPN) which works and requires minimum effort on my part - best case it runs without problems and I don't need to login for anything ever. I have UNRAID servers which still are on 6.8.3. with hundreds of days of uptime, zero issues and I've never been hacked or had any significant efforts from external parties to breach into my servers. I keep my network as secure as possible and apply a principle of no trust towards letting people on my network, which I think is the most important factor for me.

 

I think many people try to make base UNRAID into some kind of "jack of all trades" that can do everything from hosting gameservers to crypto mining while 100% secure with all ports exposed to the internet but also having premium ZFS support and whatnot. For me that makes no sense and I compare it to preferring to eat at a restaurant which does fewer dishes excellently rather than one that offers 500 dishes which are all mediocre at best. There's various software for various use-cases, for me base UNRAID will always be an easy to use dataserver OS - for the rest I have VMs and other software.

 

I'm not saying my personal view is the right one, just wanted to offer another perspective here. 🙂

 

Edited by Rysz

Just as a clarification: I'm not advocating to require 2fa for all logins. Making it available for those who want it would be ideal. Requiring it when using https://connect.myunraid.net/ to allow remote access would also be sane.

  • 1 month later...

To add almost all of us have WiFi. So even if we do our absolute best if any router we have has a security vulnerability it is still potentially possible an outside actor could get on our network 

even the best of us unraid without 2fa wouldn’t help in that scenario. Having the option to add 2fa for those who want it just makes sense in the modern day and age with all the wireless tech we have 

  • 1 month later...

I would be willing to assist in the design and implementation of an optional '2fa' section. While I am NOT a coder, I do have significant experience in designing and working with devs etc. to help implement such a feature. I would think that we could start off with 'easy' ones like the changing digits every x seconds (totp), and then tackle the harder ones like u2f/fido2.

 

I sent a request to support to offer my services and time to develop this feature. I am a 'paid' memeber and VERY happy with unraid.

 

Thomas

  • 1 month later...
On 9/24/2021 at 11:02 PM, EArroyo said:

I think a 2FA on the Web login would be a VERY useful and wise addition to unRAID.  Right now username/password is limiting me to have to connect to my VPN in order to peek at my server and see how it's doing...

 

Even given 2fa you should probably still use VPN. The risk of someone brute forcing your u/p is probably not as big of a concern as some unknown vulnerability that just bypasses login all together. 

  • 4 weeks later...

This would require similar instalion that nextcloud/own cloud does, which is server side encryption.

You would require some form of email/telecom voip server (irc for text).
If all unraid server were connected to brokerage servers to unraid.net and management was via the unriad connect, I could see this. 

Otherwise one could implement this as this is a web page edit and an email code oath change.

17 hours ago, bmartino1 said:

This would require similar instalion that nextcloud/own cloud does, which is server side encryption.

You would require some form of email/telecom voip server (irc for text).
If all unraid server were connected to brokerage servers to unraid.net and management was via the unriad connect, I could see this. 

Otherwise one could implement this as this is a web page edit and an email code oath change.

 

Easier and more secure to just TOTP.  Just add it to your 2 factor app of choice and you are done.   This of course only protects the login page from remote users.  Anyone with physical access has the keys to the kingdom. And if there is a vulnerability in the web UI that could bypass any security implemented.

 

A simple implementation of this could be implemented in an hour or two probably. Just a screen for the setup, and some setting on the USB for the time seed. 

  • 1 month later...
On 4/26/2024 at 1:38 PM, Terebi said:

Easier and more secure to just TOTP

TOTP is good and much better than what exists in Unraid today, but FIDO2/WebAuthn would be ideal. 

 

Many companies are slowly trying to migrate away from TOTP, as it doesn't really solve the way that passwords are most commonly stolen - phishing attacks. A fake login form can just ask for the TOTP code in addition to the username and password, and in the backend immediately authenticate then store the session cookie for later use. My employer completely moved away from TOTP codes internally, and I know Google tries to nudge people away from it these days too. 

 

WebAuthn usually uses biometrics (eg fingerprint on phones and laptops that support it) or a hardware token like a Yubikey. 

 

Ideally we'd also get SSO (OIDC or SAML) support one day, so that everything in our home lab can use the same log in system (like Authentik) and permissions for everything can be centrally managed. Probably extremely low priority for Unraid though. I can dream :)

Edited by Daniel15

  • 5 weeks later...

 I just got a YubiKey and I managed to use the keygen on my local machine and copy these keys using the following
 

Create Keys

 

ssh-keygen -t ed25519-sk -f /boot/config/ssh/root/Yubico

Copy to server

ssh-copy-id -i ~/.ssh/Yubico root@unraid

 

Then logging in to the UNRAID server using

ssh -i ~/.ssh/Yubico root@unraid

 

Works! Credits to: 
Akamai Developer - Using YubiKey to Secure Remote Servers in 10 minutes or less | Nextcloud 2FA

I also use the Termius application and it also works great!



Detail is that I want this key to be the only way to SSH into the system. Even though the YubiKey certs are copied into the server, you can still log in with just the password like one will usually would. I then tried to create a new pair of keys under the root folder on the UNRAID server to see if I could replace the current certs with a new pair of ed25519-sk certs but for some reason UNRAID will not recognize the YubiKey

Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
No FIDO SecurityKeyProvider specified
Key enrollment failed: invalid format


I noticed that the config file under '/boot/config/ssh/root' points to 'unraidbackup_id_ed25519  unraidbackup_id_ed25519.pub'. These were the files I was trying to replicate, or at least have the config point to a new pair of YubiKey files/

 

/boot/config/ssh/root/config

ost backup.unraid.net
IdentityFile ~/.ssh/unraidbackup_id_ed25519
IdentitiesOnly yes


Any ideas on how to get the device working or has anyone tried this already?





 

Edited by DEOVI

  • 2 weeks later...
On 7/21/2024 at 4:23 PM, DEOVI said:

 I just got a YubiKey and I managed to use the keygen on my local machine and copy these keys using the following
 

Create Keys

 

ssh-keygen -t ed25519-sk -f /boot/config/ssh/root/Yubico

Copy to server

ssh-copy-id -i ~/.ssh/Yubico root@unraid

 

Then logging in to the UNRAID server using

ssh -i ~/.ssh/Yubico root@unraid

 

Works! Credits to: 
Akamai Developer - Using YubiKey to Secure Remote Servers in 10 minutes or less | Nextcloud 2FA

I also use the Termius application and it also works great!



Detail is that I want this key to be the only way to SSH into the system. Even though the YubiKey certs are copied into the server, you can still log in with just the password like one will usually would. I then tried to create a new pair of keys under the root folder on the UNRAID server to see if I could replace the current certs with a new pair of ed25519-sk certs but for some reason UNRAID will not recognize the YubiKey

Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
No FIDO SecurityKeyProvider specified
Key enrollment failed: invalid format


I noticed that the config file under '/boot/config/ssh/root' points to 'unraidbackup_id_ed25519  unraidbackup_id_ed25519.pub'. These were the files I was trying to replicate, or at least have the config point to a new pair of YubiKey files/

 

/boot/config/ssh/root/config

ost backup.unraid.net
IdentityFile ~/.ssh/unraidbackup_id_ed25519
IdentitiesOnly yes


Any ideas on how to get the device working or has anyone tried this already?





 


I can get yubi keys from work. but wasn't sure how to generate and use it for other ssh servers. Thank you for this.

  • 5 months later...

I wish they would allow FIDO security keys for access.

  • 5 months later...

While a few years ago I would be more tolerant about this missing feature, in today's world now the lack of integration with oidc is pretty much inexcusable. It's pretty easy to setup key cloak, it's pretty easy to setup samba which is best for secure access to unraid filesystem, and it's pretty easy to setup a ca for ldaps and tls. Unraid really needs to put this in to at least look like they still care about security.

+1 for MFA. At least implement simple TOTP. I have done implementation myself (in couple of my projects) in node.js and it was simple.

2 hours ago, paradoxum said:

Is there any way to secure my server against local access attempts, if all somebody has to do is pull the USB and delete those 2 files?

Get a USB port inside the computer, by using something like this part from StarTech that connects to a USB header on the motherboard:

StarTech.com
No image preview

2 Port USB Motherboard Header Adapter

Connect two internal USB devices directly to the motherboard header connection

Of course, to protect against local attacks you'd also need a case that locks (and sets a flag in the BIOS if it's been opened), plus a Kensington lock to secure the server to a solid object that's not easily moved, so that somebody doesn't just steal the whole thing.

2 hours ago, paradoxum said:

could I replace my entire 1Password vault with it?

To log in with just a username and Yubikey, the site needs to support passkeys. At the moment, many sites only accept a Yubikey as a two-factor authentication method, not as primary authentication. I still have most of my passwords in my Bitwarden vault, with traditional TOTP two-factor, and use the Yubikey to authenticate to Bitwarden and other important things that support FIDO2 or passkeys.

2 hours ago, paradoxum said:

I was looking at the Yubikey Bio

Note that to use the Yubikey with SSH cross-platform, you currently need one with either PIV or OpenPGP support, and the Bio has neither of those. OpenSSH added support for FIDO auth a few years ago, but according to Yubico it currently only works on Linux (not implemented on Windows at all, and disabled in the version of OpenSSH bundled with MacOS). See https://developers.yubico.com/SSH/ for more details and https://www.yubico.com/store/compare/ for a chart comparing all the different Yubikeys.

I'd get a version with NFC, since it makes it easy to use the Yubikey with your phone by just tapping it to the back of the phone.

In any case, when you buy a USB security key, you should really buy at least two. Everywhere you want to use it, register both of them. Use one of them for day-to-day use, and store the other one in a safe place. It'll prevent you from being locked out if you ever lose or damage the primary one.

Edited by Daniel15

I am surprised that there is no F2A.

Adding support for OIDC would be appreciated, so +1 from me.

If the point is Unraid should have 2FA because the router might have a default login or some such vulnerability, I think you should focus on that and not Unraid. I know, layers of security and all, but Unraid isn't really the issue in that scenario. I really don't see a point in 2FA for a NAS anyway. If you're using Unraid how it's designed to be used (in a LAN and not accessible to the outside and all that), realistically, 2FA would just serve to make the user feel more secure without really being so in any practical sense. Only if you plan on doing something very ill-advised.

Edited by bobbintb

7 hours ago, bobbintb said:

the router might have a default login

For what it's worth, any router sold in the USA should not have a hard-coded default password.

There's a law in California (SB 327), enacted in 2020, that network-connected devices can't have an insecure default password. They need to either have a randomly generated one (listed on a sticker on the device or in the manual) or prompt the user to set one on first login. Most companies aren't going to produce a California-specific model, so they just do it worldwide.

Edited by Daniel15

I am guessing the original comment about the router is maybe trying to say that if someone gains access to your local network (already an issue) and unraid is only accessible locally, then having 2fa on the unraid web UI login would be an additional protection that would be appreciated. There are still many other concerns in that scenario.

In a previous post, I described a different scenario where local security (router, etc) are not the concern, but rather the concern with exposing the unraid web UI to the internet means having a login with no 2fa. Additionally, anyone using unraid connect is (whether they know it or not) exposing their unraid web UI to the internet if they enable the remote access feature. This is functionality that is clearly intended and wanted, but the lack of 2fa on the web UI login is a concern, even with unraid connect's remote access URLs being fairly long and random(ish).

Edited by iXNyNe

10 hours ago, iXNyNe said:

I am guessing the original comment about the router is maybe trying to say that if someone gains access to your local network (already an issue) and unraid is only accessible locally, then having 2fa on the unraid web UI login would be an additional protection that would be appreciated. There are still many other concerns in that scenario.

In a previous post, I described a different scenario where local security (router, etc) are not the concern, but rather the concern with exposing the unraid web UI to the internet means having a login with no 2fa. Additionally, anyone using unraid connect is (whether they know it or not) exposing their unraid web UI to the internet if they enable the remote access feature. This is functionality that is clearly intended and wanted, but the lack of 2fa on the web UI login is a concern, even with unraid connect's remote access URLs being fairly long and random(ish).

Exposing the Unraid WebGUI to the internet is not a recommended practice. A better approach is to configure a VPN (such as Tailscale) and then use that to provide a secure connection to the WebGUI.

TOTP would be a nice addition for users who choose to expose the WebGUI anyways. In theory, it wouldn't be that hard to add to the login process (there are PHP libraries that exist to handle TOTP), but there would be some caveats (particularly, that the TOTP secret would have to be stored in plain text on the flash drive).

I did even look to see if there was a practical way to add TOTP via a plugin, but all of the choices to do that are bad (requiring modifications to the WebGUI login code, etc.), so that's a no-go.

  • 4 weeks later...

Unraid 7.2 beta adds support for SSO via Unraid.net account: https://unraid.net/blog/unraid-7-2-0-beta.1. Hopefully the ability to log in using other SSO providers gets added too. This could allow for 2FA support at the identity provider, which would probably be sufficient for Unraid.

I think the new SSO support that was announced is a great step forward. I do wonder if there will be the ability to require logging in via SSO. I'd be perfectly happy with the absense of native 2FA/MFA if SSO could be required and the SSO provider used supports requiring 2FA/MFA. I am pretty sure Unraid.net does support 2FA/MFA but I don't recall being prompted for it anytime recently (I don't really log in often, it's just remembered in cookies).

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.