2FA for the admin panel PLEASE!

Hi there,

I must first say, thanks for all the security updates which became available during the latest months! That’s all we could ever ask, but still there are some things which I rather have baked into YH lets focus on the main one here. I know some people might have asked this before, but please creators and devs stop arguing back about this one, and for the sake of the risk of being attacked. I don’t ask you to reinvent the wheel, but only please immediately implement the following;

  • 2-FA implementation on the user login panel
  • 2-FA Implementation on the admin panel
  • G or other reCAPTCHA

How to implement? Well, just add the option to the settings panel, where users can decide for themselves to activate it and maybe force it or add and opt-in kinda function in case of a new YH installation.

Why? We’ll what’s the point of protecting our websites with 2fa and reCAPTCHA, maybe some kick if failed login functions, if the main hosting part is not protected similarly?

Please don’t even hesitate to answer with. You can change ports or disable the API things I already know, sorry if I might sound harsh, I don’t mean to. But protection is a serious manner, which should not be a point of discussion. It’s like sex without a condom. Everybody knows that’s not so smart to do these days, right ;-).

If you agree please vote this one up, never ask for that stuff but YuNo :wink:

3 Likes

Some more context in this thread, you may also upvote there : Strong web authentication / 2FA authentication · Issue #238 · YunoHost/issues · GitHub
But I think there is need for more funding for this to happen, given the technical debt in the project…
Anyway, thanks to all contributors so far !
:slight_smile:

1 Like

The backstory is not important, security is important :wink:

I think nobody is arguing about wether or not we should do it : like everything, at some point, somebody has to volunteer and actually do it, and something like this represents several days (or weeks) of work. There’s higher priorities behind this, such as moving to Bullseye (which was already delayed because we chose to have 4.3 before Bullseye). And then there are other technical points to take care of before implementing 2FA, such as getting rid of the infamous ‘admin’ user and having a proper ‘admins’ group composed of actual yunohost users. All of this is ongoing, it just takes time and we can’t magically snap fingers and have it done.

9 Likes

Of course. People need time, I fully respect that. I’m even willing to volunteer on this one.

Yep, it’s a nice update… With lots of changes, I’m willing to wait, but if we only get a green light. I guess it will make many peeps happier if they know it. Even for those who don’t understand a thing about 2FA or security as a whole, like I stated before these functions which i and some others ask for are vital! And it’s always better to be secure. Instead of being afraid, while attacks occur and there is not much to do. Yes it’s a risk of being online but still. It’s always better to know that you’re more secure thanks to an extra security layer.

Oh My Aleks, please stop! My stomach has been filled enough, with all those sweets. :lollipop: :candy: :cupcake: :chocolate_bar:. I can’t wait to see the update! Food Luck on developing!

Note: excuse me if by a.i. your sentences had been, corrected in the quotes. It happens automatically (kinda lazy me i guess :stuck_out_tongue: )…

Implementing 2FA in Admin Panel and SSOwat landing page is quite pointless at this stage, as any cyber criminals could simply bruteforce passwords and 2fa codes could be MITM attacked.

If you are really that scared of being attacked, set up SSH Keys with a lengthy but disposal password for admin-panel (or just kill yunohost-api) should do it. Or, simply don’t use the internet.

I don’t think anyone argued to implement or not, 2fa doesn’t really deserve that concern in Yunohost, and there are something more important to do, i.e. upgrading to Bullseye.

5 Likes

How do you bruteforce 2fa codes? Technically impossible, they’re valid for 20 / 30 secs, by far not enough time to brute force. 2fa is one of the most important mitigations against phishing and brute force attacks.

2FA would be greatly appreciated but I guess it’s not that useful for self-hosted instances w/ max a few people.
It gets more important as more people use a Yunohost instance, which is what me and my coworkers would like to do (managing an instance w/ a LOT of users). Another great addition to 2FA would be the ability for a user to self-reset their password if they have forgotten it. Has this feature already been discussed, Perhaps?

Whoops did not know that this topic would have setup a little commotion here. But actually it is a good thing that it raises thoughts!

As a matter of fact the security of data is extremely important, don’t forget that were are not on on the 90’s internet anymore.As a matter of fact, can show you a snippet of the log from our security gateway which stops 10.000’s of a attacks each weak, and that is only on te network itself, not even on the YH Server or one of it’s 100’s of websites. I must say YH is quite amazing on full-blown network equipment! Due to its versatile light weight structure, it’s blazing fast!

Now let’s hope that the Wizzard’s will eventually implement these things.

I love the suggestion of @alexutadotlinux5733

Maybe also, how about a datacenter version of YH with more front-end options for users to do themselves, man if I get the opportunity I would even manage such a project with you together @Aleks !

Kinda like direct admin does? But to be honest, I don’t like their system that much, it’s old dusty and even with the new interface a sluggish experience. This is where YH differentiate al-lot!

Thank you for all the responses!

Insert attacks here...

See this is why security is an MUST not an option

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.