Critical Security Vulnerabilities Discovered


limetech


Interesting, but then it becomes even more important to have the server and the 2F device synced to the proper time. One tablet I used had clock drift issues and would require time adjustments every other day to keep the 2F systems working.

 

I have not looked into the implementation details of most 2FA systems. Do they require an internet connection to work, or are they more of an algorithm with a shared common seed, using time as a mutator?

21 hours ago, limetech said:

Something else I wanted to add, as long as we're talking about security measures in the pipe: we are looking at integrating various 2-Factor solutions directly in Unraid OS, such as google authenticator.

This is a solid feature and I can attest to the importance of it. TOTP can be used with Google Auth, but I would strongly recommend Authy as it allows backing up the seeds and encrypting them. There is also multi-device support.

 

Can we have TOTP for SSH as well? https://github.com/google/google-authenticator-libpam .

 

NOTE: This will obviously have impact on 'not-so-tech-savvy-users', but those who sleep in tinfoil hats, will definitely appreciate it.

Edited by ezhik

+1 for Authy. I learnt this lesson when I got a new device and had to transfer my Google Auth settings across. You can't with Google Auth! As an aside, for the not-so-tech-savvy that this appliance seems to be aimed at, having two-factor, and at least 'highly recommending' it when people insist on exposing Unraid to the internet, would be a very good improvement.

16 hours ago, ezhik said:

This is a solid feature and I can attest to the importance of it. TOTP can be used with Google Auth, but I would strongly recommend Authy as it allows backing up the seeds and encrypting them. There is also multi-device support.

 

Can we have TOTP for SSH as well? https://github.com/google/google-authenticator-libpam .

 

NOTE: This will obviously have impact on 'not-so-tech-savvy-users', but those who sleep in tinfoil hats, will definitely appreciate it.

From what I have seen anything that says "Google Auth" you can use Authy.

4 hours ago, Conmyster said:

From what I have seen anything that says "Google Auth" you can use Authy.

Exactly. I use LastPass, for example, and it has a companion app called Authenticator. With this, I use it for anything 2FA that offers Google Authenticator support, and it all syncs to my profile. So when I get a new phone, I just install LastPass and all my rolling codes come down. I think these are all pretty universal; it's just the QR codes they want.

Edited by cybrnook

@limetech Thank you for your transparency, it is very much appreciated! And thank you for evolving unRAID. I 100% back you up in your priority! If I am not mistaken, unRAID is not an enterprise system (might be in the future, who knows?), but a home system. I feel we users tend to forget this from time to time, myself included.

 

Bottom line, keep up the good work. Let me take the opportunity to mention that the polling for new features is a great tool for you to show us users which features you plan on implementing. We users can use it to tell you the priority to implement them.

 

/Alphahelix

On 2/15/2020 at 6:48 PM, Marshalleq said:

+1 for Authy. I learnt this lesson when I got a new device and had to transfer my Google Auth settings across. You can't with Google Auth! As an aside, for the not-so-tech-savvy that this appliance seems to be aimed at, having two-factor, and at least 'highly recommending' it when people insist on exposing Unraid to the internet, would be a very good improvement.



It's a pain, but you can migrate if you use "Titanium Backup". I've been doing it that way for 3-4 years.

On 2/15/2020 at 11:09 AM, testdasi said:

Please make 2FA an optional feature. My server is not exposed to the Internet so there's really no need for extra security. It would be a massive pain in the backside having to grab my phone just to check if a docker has crashed.

Optional would be ok. I don't use it.

On 2/14/2020 at 8:51 PM, limetech said:

Something else I wanted to add, as long as we're talking about security measures in the pipe: we are looking at integrating various 2-Factor solutions directly in Unraid OS, such as google authenticator.

 

That would be great ! If possible especially when used from a non-authorized device..

On 2/20/2020 at 8:55 PM, starbetrayer said:

This post is exactly why I trust the unraid team, great job in the transparency !!!!


Just to be constructive here, the vulnerability was handled responsibly from both parties - those who found it and those who fixed it.

 

I want to make sure the credit is given where it is due.

 

https://en.wikipedia.org/wiki/Responsible_disclosure 

 

Edited by ezhik

As a user of Unraid, I would like to see very important updates like this one flash on the main or dashboard page of Unraid, and not be ignorable until you have read the info on the update. I work most of the time and don't check the forums often unless I need help with an issue I'm having, and rather than having to check for updates yourself, Unraid should show that an update is ready and whether it is a normal or critical update. That's my 2 cents. Keep up the good work, guys.


It may be a bit overkill, but I use Duo on a few servers; it can push a request for login authentication to your device and allow you to approve it. It also has 2FA revolving codes, but I like the seamlessness of tapping "Approve" on my smartwatch instead of getting out my device, logging into LastPass Authenticator or Google Auth, then typing in the codes. Duo or any 2FA isn't for everyone, but my vote would be to have it at least as an option.

4 hours ago, Alex.vision said:

It may be a bit overkill, but I use Duo on a few servers; it can push a request for login authentication to your device and allow you to approve it. It also has 2FA revolving codes, but I like the seamlessness of tapping "Approve" on my smartwatch instead of getting out my device, logging into LastPass Authenticator or Google Auth, then typing in the codes. Duo or any 2FA isn't for everyone, but my vote would be to have it at least as an option.

 

You are constrained on having an active and working internet connection. With TOTP, you only need the seed and synchronized date/time.

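An added example, not code from the original thread and not Unraid/Limetech code, illustrating the point made in the reply above and in the earlier question about whether these systems need an internet connection: a TOTP code is just an HMAC over a shared seed and the current 30-second time step, so the server and the authenticator app only need the same seed and roughly synchronized clocks. The seed is the published RFC 6238 SHA-1 test-vector secret (constructed for reproducibility, never to be reused), the account and issuer names are made up, and the +/- one-step skew window and the replay guard are my design choices, not anything the thread specifies. The `otpauth://` builder shows what the QR code a later post mentions actually encodes.

```python
"""RFC 6238 TOTP from scratch, with a clock-skew window and a replay guard.

Added example, not Unraid/Limetech code. Shows why TOTP works offline:
both sides derive the code from a shared seed and the current time only.
"""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Constructed demo seed: the SHA-1 test-vector secret from RFC 6238 Appendix B.
# A real enrolment would use os.urandom(20) and never reuse a published value.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).
    No network involved; only the seed and the clock feed the HMAC."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_used: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Server-side check. Accepts the code for the current time step or any
    step within +/- `skew` steps, which tolerates the small clock drift the
    thread mentions without accepting stale codes. `last_used` is the counter
    of the last accepted code; a counter at or below it is rejected so a
    captured code cannot be replayed inside the window. Returns the matched
    counter, or None on failure."""
    current = unix_time // step
    for delta in range(-skew, skew + 1):
        counter = current + delta
        if counter <= last_used:
            continue  # replay guard: each time step is usable once
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def drift_seconds(matched_counter: int, unix_time: int, step: int = 30) -> int:
    """Rough client clock offset implied by the accepted step, in seconds
    (negative = client clock behind the server). Useful for logging which
    devices are drifting before they fall outside the window."""
    return (matched_counter - unix_time // step) * step


def otpauth_uri(secret: bytes, account: str, issuer: str,
                digits: int = 6, step: int = 30) -> str:
    """The string encoded in the QR code that Google Authenticator, Authy and
    similar apps scan: the seed in Base32 plus the parameters both sides must
    agree on. Account and issuer names are caller-supplied (constructed here)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({"secret": b32, "issuer": issuer,
                                     "algorithm": "SHA1",
                                     "digits": digits, "period": step})
    return f"otpauth://totp/{label}?{params}"


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code)
    # A client clock 30 s behind the server still verifies within the window ...
    print("verify (server 30 s ahead):", verify_totp(DEMO_SECRET, code, now + 30))
    # ... but 90 s of drift falls outside +/- one step and is rejected.
    print("verify (server 90 s ahead):", verify_totp(DEMO_SECRET, code, now + 90))
    print(otpauth_uri(DEMO_SECRET, "root", "Unraid"))
```

The skew window is the knob that trades the tablet-style drift described earlier against the size of the guessing window; widening it beyond one or two steps mostly helps an attacker. The replay guard matters because a code is valid for every request inside the window, not just one, so the server must remember the last counter it accepted per user.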
17 hours ago, ezhik said:

 

You are constrained on having an active and working internet connection. With TOTP, you only need the seed and synchronized date/time.

Oh, right, I forgot about that.  Sometimes it's hard to remember that your internet can go down. I have a dedicated gigabit synchronous fiber line that hasn't gone down in over a year, I forget that it is uncommon.


Limetech is the best!
I can't say enough for the transparency of this company! Thank You!
I have been running unRAID as a daily driver for over a year now, and it has been GREAT. If it quits working properly because of a security breach or something, well, that is okay; I'm sure it would get fixed as a top priority. unRAID isn't an enterprise-grade product, though I think it performs better than some, and there aren't thousands of workers behind the scenes. If you want that level of stuff, then you have to deal with constant forced updates and go pay the premium for it. I will back this company for as long as it stands!

On 3/3/2020 at 5:42 PM, Alex.vision said:

Oh, right, I forgot about that.  Sometimes it's hard to remember that your internet can go down. I have a dedicated gigabit synchronous fiber line that hasn't gone down in over a year, I forget that it is uncommon.

Even if your internet is up and running, the world will stop without DNS:

 

https://techcrunch.com/2016/10/21/many-sites-including-twitter-and-spotify-suffering-outage/

