BRiT Posted February 15, 2020

Interesting, but then it becomes even more important to have server and the 2F Device synced to the proper time. One tablet I used had clock drift issues and would require time adjustments every other day to keep the 2F systems working. I have not looked into the implementation details of most 2FA systems, do they require internet connections to work or are they more of an algorithm with shared common seed using time as a mutator?

testdasi Posted February 15, 2020

Please make 2FA an optional feature. My server is not exposed to the Internet so there's really no need for extra security. It would be a massive pain in the backside having to grab my phone just to check if a docker has crashed.

ezhik Posted February 15, 2020 (edited February 15, 2020)

21 hours ago, limetech said:
> Something else I wanted to add, as long as we're talking about security measures in the pipe: we are looking at integrating various 2-Factor solutions directly in Unraid OS, such as google authenticator.

This is a solid feature and I can attest to the importance of it. TOTP can be used with Google Auth, but I would strongly recommend Authy as it allows backing up the seeds and encrypting it. There is also multi-device support. Can we have TOTP for SSH as well? https://github.com/google/google-authenticator-libpam

NOTE: This will obviously have impact on 'not-so-tech-savvy-users', but those who sleep in tinfoil hats, will definitely appreciate it.

Marshalleq Posted February 15, 2020

+1 for Authy. I learnt this lesson when I got a new device and had to transfer my Google Auth settings across. You can't with google Auth! As an aside, for the not so tech savvy that this appliance seems to be aimed at, having two factor and at least 'highly recommending' it when people insist on exposing unraid to the internet, would be a very good improvement.

HNGamingUK Posted February 16, 2020

16 hours ago, ezhik said:
> This is a solid feature and I can attest to the importance of it. TOTP can be used with Google Auth, but I would strongly recommend Authy as it allows backing up the seeds and encrypting it. There is also multi-device support. Can we have TOTP for SSH as well? https://github.com/google/google-authenticator-libpam NOTE: This will obviously have impact on 'not-so-tech-savvy-users', but those who sleep in tinfoil hats, will definitely appreciate it.

From what I have seen anything that says "Google Auth" you can use Authy.

cybrnook Posted February 16, 2020 (edited February 16, 2020)

4 hours ago, Conmyster said:
> From what I have seen anything that says "Google Auth" you can use Authy.

Exactly. I use last pass for example, and it has a companion app called authenticator. With this, I use it for anything 2-FA that offers Google authenticator support, and it all syncs to my profile. So when I get a new phone, just install last pass and all my rolling codes come down. I think these are all pretty universal, it's just the QR codes they want.

Alphahelix Posted February 17, 2020

@limetech Thank you for your transparency, it is very much appreciated! And thank you for evolving unRAID. I 100% back you up in your priority! If I am not mistaken unRAID is not an enterprise system (might be in the future, who knows?), but a home system. I feel we users tend to forget this from time to time, myself included. Bottom line, keep up the good work. Let me take the opportunity to mention the polling for new features is a great tool for you to show us users which features you plan on implementing. We users can use it to tell you the priority to implement them.

/Alphahelix

Stan464 Posted February 17, 2020

On 2/15/2020 at 6:48 PM, Marshalleq said:
> +1 for Authy. I learnt this lesson when I got a new device and had to transfer my Google Auth settings across. You can't with google Auth! As an aside, for the not so tech savvy that this appliance seems to be aimed at, having two factor and at least 'highly recommending' it when people insist on exposing unraid to the internet, would be a very good improvement.

It's a pain but you can migrate if you use "Titanium Backup", been doing that method for 3-4 years.

ezhik Posted February 18, 2020

13 hours ago, Stan464 said:
> Its a pain but you can migrate if you use "Titanium Backup" been doing that method for 3-4 years,

Don't you need to root your phone to do it properly on Android?

spazmc Posted February 18, 2020

On 2/15/2020 at 11:09 AM, testdasi said:
> Please make 2FA an optional feature. My server is not exposed to the Internet so there's really no need for extra security. It would be a massive pain in the backside having to grab my phone just to check if a docker has crashed.

Optional would be ok. I don't use it.

Helmonder Posted February 20, 2020

On 2/14/2020 at 8:51 PM, limetech said:
> Something else I wanted to add, as long as we're talking about security measures in the pipe: we are looking at integrating various 2-Factor solutions directly in Unraid OS, such as google authenticator.

That would be great! If possible especially when used from a non-authorized device..

starbetrayer Posted February 21, 2020

This post is exactly why I trust the unraid team, great job in the transparency !!!!

ezhik Posted February 22, 2020 (edited February 22, 2020)

On 2/20/2020 at 8:55 PM, starbetrayer said:
> This post is exactly why I trust the unraid team, great job in the transparency !!!!

Just to be constructive here, the vulnerability was handled responsibly from both parties - those who found it and those who fixed it. I want to make sure the credit is given where it is due. https://en.wikipedia.org/wiki/Responsible_disclosure

LEKO Posted February 25, 2020

I'm glad to hear that the software I just purchased is well maintained. Thanks for the quick patch and your full and (immediate) disclosure.

Abe87 Posted February 26, 2020

Hopefully hardware security keys like the Yubikey will be considered.

dirknina Posted February 27, 2020

As a user of unraid I would like to see when very important updates are needed like this one flash on your main or dashboard page of unraid and can't ignore till you read the info on the update. I work most times and don't check the forums often unless I need help with an issue I'm having, and not having to check for updates yourself, unraid should show that an update is ready and if it is a normal or critical update. That's my 2 cents, keep up the good work guys.

Squid Posted February 27, 2020

The fix common problems plugin handles that, and shortly a new update to CA will also handle the most egregious must-be-seen notifications.

Fredrick Posted March 1, 2020

On 2/28/2020 at 12:42 AM, Squid said:
> The fix common problems plugin handles that, and shortly a new update to CA will also handle the most egregious must-be-seen notifications.

This is how I found out. Push notification from "fix common problems"-error. Thanks!

starbetrayer Posted March 2, 2020

On 2/22/2020 at 10:38 AM, ezhik said:
> Just to be constructive here, the vulnerability was handled responsibly from both parties - those who found it and those who fixed it. I want to make sure the credit is given where it is due. https://en.wikipedia.org/wiki/Responsible_disclosure

agreed

Alex.vision Posted March 3, 2020

It may be a bit overkill, but I use Duo on a few servers, it can push a request for login authentication to your device and allow you to approve it. It also has 2FA revolving codes, but I like the seamlessness of tapping "Approve" on my smartwatch instead of getting out my device, logging into Lastpass authenticator or Google or Auth, then typing in the codes. Duo or any 2FA isn't for everyone, but my vote would be to have it at least as an option.

ezhik Posted March 3, 2020

4 hours ago, Alex.vision said:
> It may be a bit overkill, but I use Duo on a few servers, it can push a request for login authentication to your device and allow you to approve it. It also has 2FA revolving codes, but I like the seamlessness of tapping "Approve" on my smartwatch instead of getting out my device, logging into Lastpass authenticator or Google or Auth, then typing in the codes. Duo or any 2FA isn't for everyone, but my vote would be to have it at least as an option.

You are constrained on having an active and working internet connection. With TOTP, you only need the seed and synchronized date/time.

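Added illustration (not code from Unraid or from any poster in this thread): a minimal RFC 6238 TOTP sketch showing that code generation needs only the shared seed and the clock, and how the verifier's step window decides whether a drifting device, as raised earlier in the thread, is still accepted. The seed is the RFC 6238 test value; the `verify` helper, its `window` parameter and the clock values are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test seed (ASCII); authenticator apps carry it base32-encoded in the QR code.
SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then truncate."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals since the epoch."""
    return hotp(seed, int(unix_time) // step, digits)


def verify(seed, code, server_time, window=1, step=30, digits=6):
    """Return the step offset at which `code` matches, or None if it is rejected.

    `window` (hypothetical parameter) is how many steps of clock drift are
    tolerated on either side; a non-zero result means the device clock is off.
    """
    now = int(server_time) // step
    for off in sorted(range(-window, window + 1), key=abs):
        if now + off >= 0 and hmac.compare_digest(hotp(seed, now + off, digits), code):
            return off
    return None


if __name__ == "__main__":
    server = 1111111111  # constructed server clock (Unix seconds)
    for lag in (0, 2, 45):  # seconds the device clock runs behind the server
        code = totp(SEED, server - lag)
        print(lag, code, verify(SEED, code, server), verify(SEED, code, server, window=2))
```

A wider window tolerates more drift but also lengthens the time an observed code stays valid, so keeping both clocks on NTP is preferable to raising it.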
Alex.vision Posted March 3, 2020

17 hours ago, ezhik said:
> You are constrained on having an active and working internet connection. With TOTP, you only need the seed and synchronized date/time.

Oh, right, I forgot about that. Sometimes it's hard to remember that your internet can go down. I have a dedicated gigabit synchronous fiber line that hasn't gone down in over a year, I forget that it is uncommon.

Greebo Posted March 4, 2020

On 2/26/2020 at 9:40 PM, Abe87 said:
> Hopefully hardware security keys like the Yubikey will be considered.

I would love to see the yubikey implemented, and to be able to use at least 2 keys (Primary and Backup).

tsawind Posted March 5, 2020

Limetech is the best! I can't say enough for the transparency of this company! Thank You! I have been running unRAID as a daily driver for over a year now, and it has been GREAT, if it quits working properly because of a security breach or something, well that is okay, I'm sure it would get fixed as a top priority. unRAID isn't an enterprise grade product, though I think it performs better than some, and there aren't thousands of workers behind the scenes. If you want that level of stuff, then you have to deal with constant forced updates and go pay the premium for it. I will back this company for as long as it stands!

ezhik Posted March 6, 2020

On 3/3/2020 at 5:42 PM, Alex.vision said:
> Oh, right, I forgot about that. Sometimes it's hard to remember that your internet can go down. I have a dedicated gigabit synchronous fiber line that hasn't gone down in over a year, I forget that it is uncommon.

Even if your internet is up and running, the world will stop without DNS: https://techcrunch.com/2016/10/21/many-sites-including-twitter-and-spotify-suffering-outage/