February 15, 20206 yr Interesting, but then it becomes even more important to have server and the 2F Device synced to the proper time. One tablet I used had clock drift issues and would require time adjustments every other day to keep the 2F systems working. I have not looked into the implementation details of most 2FA systems, do they require internet connections to work or are they more of an algorithm with shared common seed using time as a mutator?
February 15, 20206 yr Please make 2FA an optional feature. My server is not exposed to the Internet so there's really no need for extra security. It would be a massive pain in the backside having to grab my phone just to check if a docker has crashed.
February 15, 20206 yr 21 hours ago, limetech said: .Something else I wanted to add, as long as we're talking about security measures in the pipe: we are looking at integrating various 2-Factor solutions directly in Unraid OS, such as google authenticator. This is a solid feature and I can attest to the importance of it. TOTP can be used with Google Auth, but I would strongly recommend Authy as it allows backing up the seeds and encrypting it. There is also multi-device support. Can we have TOTP for SSH as well? https://github.com/google/google-authenticator-libpam . NOTE: This will obviously have impact on 'not-so-tech-savvy-users', but those who sleep in tinfoil hats, will definitely appreciate it. Edited February 15, 20206 yr by ezhik
February 15, 20206 yr +1 for Authy. I learnt this lesson when I got a new device and had to transfer my Google Auth settings across. You can't with google Auth! As an aside, for the not so tech savvy that this appliance seems to be aimed at, having two factor and at least 'highly recommending' it when people insist on exposing unraid to the internet, would be a very good improvement.
February 16, 20206 yr 16 hours ago, ezhik said: This is a solid feature and I can attest to the importance of it. TOTP can be used with Google Auth, but I would strongly recommend Authy as it allows backing up the seeds and encrypting it. There is also multi-device support. Can we have TOTP for SSH as well? https://github.com/google/google-authenticator-libpam . NOTE: This will obviously have impact on 'not-so-tech-savvy-users', but those who sleep in tinfoil hats, will definitely appreciate it. From what I have seen anything that says "Google Auth" you can use Authy.
February 16, 20206 yr 4 hours ago, Conmyster said: From what I have seen anything that says "Google Auth" you can use Authy. Exactly. I use last pass for example, and it has a companion app called authenticator. With this, I use it for anything 2-FA that offers Google authenticator support, and it all syncs to my profile. So when I get a new phone, just install last pass and all my rolling codes come down. I think these are all pretty universal, it's just the QR codes they want. Edited February 16, 20206 yr by cybrnook
February 17, 20206 yr @limetech Thank you for your transparency it is very much appreciated! and thank you for evolving unRAID. I 100% back you up in your priority! If I am not mistaken unRAId is not an enterprise system (might be in the future, who knows?), but a home system. I feel we users tend to forget this from time to time, myself included. Bottom line, keep up the good work. Let take the opportunity to mention the polling for new features is a great tool for you to show us users which features you plan on implementing. We users can use it to tell you the priority to implement them. /Alphahelix
February 17, 20206 yr On 2/15/2020 at 6:48 PM, Marshalleq said: +1 for Authy. I learnt this lesson when I got a new device and had to transfer my Google Auth settings across. You can't with google Auth! As an aside, for the not so tech savvy that this appliance seems to be aimed at, having two factor and at least 'highly recommending' it when people insist on exposing unraid to the internet, would be a very good improvement. Its a pain but you can migrate if you use "Titanium Backup" been doing that method for 3-4 years,
February 18, 20206 yr 13 hours ago, Stan464 said: Its a pain but you can migrate if you use "Titanium Backup" been doing that method for 3-4 years, Don't you need to root your phone to do it properly on Android ?
February 18, 20206 yr On 2/15/2020 at 11:09 AM, testdasi said: Please make 2FA an optional feature. My server is not exposed to the Internet so there's really no need for extra security. It would be a massive pain in the backside having to grab my phone just to check if a docker has crashed. Optional would be ok. I don`t use it.
February 20, 20206 yr On 2/14/2020 at 8:51 PM, limetech said: Something else I wanted to add, as long as we're talking about security measures in the pipe: we are looking at integrating various 2-Factor solutions directly in Unraid OS, such as google authenticator. That would be great ! If possible especially when used from a non-authorized device..
February 21, 20206 yr This post is exactly why I trust the unraid team, great job in the transparency !!!!
February 22, 20206 yr On 2/20/2020 at 8:55 PM, starbetrayer said: This post is exactly why I trust the unraid team, great job in the transparency !!!! Just to be constructive here, the vulnerability was handled responsibly from both parties - those who found it and those who fixed it. I want to make sure the credit is given where it is due. https://en.wikipedia.org/wiki/Responsible_disclosure Edited February 22, 20206 yr by ezhik
February 25, 20206 yr I'm glad to hear that the software I just purchased is well maintained. Thanks for the quick patch and your full and (immediate) disclosure.
February 27, 20206 yr As a user of unraid i would like to see when very important updates are needed like this one flash on your main or dashboard page of unraid and can't ignore tell you read the info on the update. I work most times and dont check the forums often unless i need help with a issue im having and not having to check for updates yourself, unraid should show that a update is ready and if it a normal or critacal update. thats my 2 cents keep up the good work guys.
February 27, 20206 yr The fix common problems plugin handles that, and shortly a new update to CA will also handle the most egregious must-be-seen notifications.
March 1, 20206 yr On 2/28/2020 at 12:42 AM, Squid said: The fix common problems plugin handles that, and shortly a new update to CA will also handle the most egregious must-be-seen notifications. This is how I found out. Push notification from "fix common problems"-error. Thanks!
March 2, 20206 yr On 2/22/2020 at 10:38 AM, ezhik said: Just to be constructive here, the vulnerability was handled responsibly from both parties - those who found it and those who fixed it. I want to make sure the credit is given where it is due. https://en.wikipedia.org/wiki/Responsible_disclosure agreed
March 3, 20206 yr It may be a bit overkill, but I use Duo on a few servers, it can push a request for login authentication to your device and allow you to approve it. It also has 2FA revolving codes, but I like the seamlessness of tapping "Approve" on my smartwatch instead of getting out my device, logging into Lastpass authenticator or Google or Auth, then typing in the codes. Duo or any 2FA isn't for everyone, but my vote would be to have it at least as an option.
March 3, 20206 yr 4 hours ago, Alex.vision said: It may be a bit overkill, but I use Duo on a few servers, it can push a request for login authentication to your device and allow you to approve it. It also has 2FA revolving codes, but I like the seamlessness of tapping "Approve" on my smartwatch instead of getting out my device, logging into Lastpass authenticator or Google or Auth, then typing in the codes. Duo or any 2FA isn't for everyone, but my vote would be to have it at least as an option. You are constrained on having an active and working internet connection. With TOTP, you only need the seed and synchronized date/time.
March 3, 20206 yr 17 hours ago, ezhik said: You are constrained on having an active and working internet connection. With TOTP, you only need the seed and synchronized date/time. Oh, right, I forgot about that. Sometimes it's hard to remember that your internet can go down. I have a dedicated gigabit synchronous fiber line that hasn't gone down in over a year, I forget that it is uncommon.
March 4, 20206 yr On 2/26/2020 at 9:40 PM, Abe87 said: Hopefully hardware security keys like the Yubikey will be considered. I would love to see the yubikey implemented, and to be able to use at least 2 keys (Primary and Backup).
March 5, 20206 yr Limetech is the best! I can't say enough for the transparency of this company! Thank You! I have been running unRAID as a daily driver for over a year now, and it has been GREAT, if it quits working properly because of a security breach or something, well that is okay, i'm sure it would get fixed as a top priority. unRAID isn't an enterprise grade product, though I think it performs better than some, and there aren't thousands of workers behind the scenes. If you want that level of stuff, then you have to deal with constant forced updates and go pay the premium for it. I will back this company for as long as it stands!
March 6, 20206 yr On 3/3/2020 at 5:42 PM, Alex.vision said: Oh, right, I forgot about that. Sometimes it's hard to remember that your internet can go down. I have a dedicated gigabit synchronous fiber line that hasn't gone down in over a year, I forget that it is uncommon. Even if your internet is up and running, the world will stop without DNS: https://techcrunch.com/2016/10/21/many-sites-including-twitter-and-spotify-suffering-outage/
Archived
This topic is now archived and is closed to further replies.