Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Critical Security Vulnerabilies Discovered

Featured Replies

Interesting, but then it becomes even more important to have server and the 2F Device synced to the proper time. One tablet I used had clock drift issues and would require time adjustments every other day to keep the 2F systems working.

 

I have not looked into the implementation details of most 2FA systems, do they require internet connections to work or are they more of an algorithm with shared common seed using time as a mutator?

  • Replies 53
  • Views 68.3k
  • Created
  • Last Reply

Please make 2FA an optional feature. My server is not exposed to the Internet so there's really no need for extra security. It would be a massive pain in the backside having to grab my phone just to check if a docker has crashed.

21 hours ago, limetech said:

.Something else I wanted to add, as long as we're talking about security measures in the pipe: we are looking at integrating various 2-Factor solutions directly in Unraid OS, such as google authenticator.

This is a solid feature and I can attest to the importance of it. TOTP can be used with Google Auth, but I would strongly recommend Authy as it allows backing up the seeds and encrypting it. There is also multi-device support.

 

Can we have TOTP for SSH as well? https://github.com/google/google-authenticator-libpam .

 

NOTE: This will obviously have impact on 'not-so-tech-savvy-users', but those who sleep in tinfoil hats, will definitely appreciate it.

Edited by ezhik

+1 for Authy.  I learnt this lesson when I got a new device and had to transfer my Google Auth settings across.  You can't with google Auth!  As an aside, for the not so tech savvy that this appliance seems to be aimed at, having two factor and at least 'highly recommending' it when people insist on exposing unraid to the internet, would be a very good improvement.

16 hours ago, ezhik said:

This is a solid feature and I can attest to the importance of it. TOTP can be used with Google Auth, but I would strongly recommend Authy as it allows backing up the seeds and encrypting it. There is also multi-device support.

 

Can we have TOTP for SSH as well? https://github.com/google/google-authenticator-libpam .

 

NOTE: This will obviously have impact on 'not-so-tech-savvy-users', but those who sleep in tinfoil hats, will definitely appreciate it.

From what I have seen anything that says "Google Auth" you can use Authy.

4 hours ago, Conmyster said:

From what I have seen anything that says "Google Auth" you can use Authy.

Exactly. I use last pass for example, and it has a companion app called authenticator. With this, I use it for anything 2-FA that offers Google authenticator support, and it all syncs to my profile. So when I get a new phone, just install last pass and all my rolling codes come down. I think these are all pretty universal, it's just the QR codes they want.

Edited by cybrnook

@limetech Thank you for your transparency it is very much appreciated! and thank you for evolving unRAID. I 100% back you up in your priority! If I am not mistaken unRAId is not an enterprise system (might be in the future, who knows?), but a home system. I feel we users tend to forget this from time to time, myself included.

 

Bottom line, keep up the good work. Let take the opportunity to mention the polling for new features is a great tool for you to show us users which features you plan on implementing. We users can use it to tell you the priority to implement them.

 

/Alphahelix

On 2/15/2020 at 6:48 PM, Marshalleq said:

+1 for Authy.  I learnt this lesson when I got a new device and had to transfer my Google Auth settings across.  You can't with google Auth!  As an aside, for the not so tech savvy that this appliance seems to be aimed at, having two factor and at least 'highly recommending' it when people insist on exposing unraid to the internet, would be a very good improvement.



Its a pain but you can migrate if you use "Titanium Backup" been doing that method for 3-4 years,

13 hours ago, Stan464 said:



Its a pain but you can migrate if you use "Titanium Backup" been doing that method for 3-4 years,

 

Don't you need to root your phone to do it properly on Android ?

On 2/15/2020 at 11:09 AM, testdasi said:

Please make 2FA an optional feature. My server is not exposed to the Internet so there's really no need for extra security. It would be a massive pain in the backside having to grab my phone just to check if a docker has crashed.

Optional would be ok. I don`t use it.

On 2/14/2020 at 8:51 PM, limetech said:

Something else I wanted to add, as long as we're talking about security measures in the pipe: we are looking at integrating various 2-Factor solutions directly in Unraid OS, such as google authenticator.

 

That would be great ! If possible especially when used from a non-authorized device..

This post is exactly why I trust the unraid team, great job in the transparency !!!!

On 2/20/2020 at 8:55 PM, starbetrayer said:

This post is exactly why I trust the unraid team, great job in the transparency !!!!


Just to be constructive here, the vulnerability was handled responsibly from both parties - those who found it and those who fixed it.

 

I want to make sure the credit is given where it is due.

 

https://en.wikipedia.org/wiki/Responsible_disclosure 

 

Edited by ezhik

I'm glad to hear that the software I just purchased is well maintained.
Thanks for the quick patch and your full and (immediate) disclosure.

Hopefully hardware security keys like the Yubikey will be considered.

As a user of unraid i would like to see when very important updates are needed like this one flash on your main or dashboard page of unraid and can't ignore tell you read the info on the update.  I work most times and dont check the forums often unless i need help with a issue im having  and not having to check for updates yourself,  unraid should show that a update is ready and if it a normal or critacal update.  thats my 2 cents  keep up the good work guys.

The fix common problems plugin handles that, and shortly a new update to CA will also handle the most egregious must-be-seen notifications. 

On 2/28/2020 at 12:42 AM, Squid said:

The fix common problems plugin handles that, and shortly a new update to CA will also handle the most egregious must-be-seen notifications. 

This is how I found out. Push notification from "fix common problems"-error.

 

Thanks!

It may be a bit overkill, but I use Duo on a few servers, it can push a request for login authentication to your device and allow you to approve it.  It also has 2FA revolving codes, but I like the seamlessness of tapping "Approve" on my smartwatch instead of getting out my device, logging into Lastpass authenticator or Google or Auth,  then typing in the codes.  Duo or any 2FA isn't for everyone, but my vote would be to have it at least as an option. 

4 hours ago, Alex.vision said:

It may be a bit overkill, but I use Duo on a few servers, it can push a request for login authentication to your device and allow you to approve it.  It also has 2FA revolving codes, but I like the seamlessness of tapping "Approve" on my smartwatch instead of getting out my device, logging into Lastpass authenticator or Google or Auth,  then typing in the codes.  Duo or any 2FA isn't for everyone, but my vote would be to have it at least as an option. 

 

You are constrained on having an active and working internet connection. With TOTP, you only need the seed and synchronized date/time.

17 hours ago, ezhik said:

 

You are constrained on having an active and working internet connection. With TOTP, you only need the seed and synchronized date/time.

Oh, right, I forgot about that.  Sometimes it's hard to remember that your internet can go down. I have a dedicated gigabit synchronous fiber line that hasn't gone down in over a year, I forget that it is uncommon.

On 2/26/2020 at 9:40 PM, Abe87 said:

Hopefully hardware security keys like the Yubikey will be considered.

I would love to see the yubikey implemented, and to be able to use at least 2 keys (Primary and Backup).

Limetech is the best!
I can't say enough for the transparency of this company! Thank You!
I have been running unRAID as a daily driver for over a year now, and it has been GREAT, if it quits working properly because of a security breach or something, well that is okay, i'm sure it would get fixed as a top priority. unRAID isn't an enterprise grade product, though I think it performs better than some, and there aren't thousands of workers behind the scenes. If you want that level of stuff, then you have to deal with constant forced updates and go pay the premium for it. I will back this company for as long as it stands!

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.