[pbs-devel] [RFC backup 0/6] Two factor authentication

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Dec 2 13:27:47 CET 2020


Hi,

thanks for taking a look, some comments regarding your feedback.

On 02.12.20 11:56, Oguz Bektas wrote:
> we talked with wolfgang off-list about some issues, so here are
> some recommendations for the next version:
> 
> 1. increase the length of recovery codes for bruteforce mitigation
> 
> most websites use 12-16 characters for the length of recovery keys.

makes sense

> 
> 2. do not store recovery codes in cleartext (hash them instead, we thought
> hmac-sha256 is fine). the reason being that recovery codes can bypass
> other tfa methods so they shouldn't be visible

make sense, would expect them to be hashed

> 
> 3. don't store all the tfa information in a single json file.
> 

makes no sense to me, any reason you mention below can happen to arbitrary
files, so just adds complexity while not gaining anything.

> current version uses a single /etc/proxmox-backup/tfa.json file
> which holds all the tfa info for all the users. this is a single point
> of failure because:
> - file can be corrupted, causing tfa to break for everyone (no more logins)
> - file could get deleted, disabling/bypassing 2fa for everyone
> - file could get leaked in a backup etc., giving everyone's tfa secrets
> and/or recovery keys to attackers (bypass everything)
> 
> better is to at least create a file for each user:
> /etc/proxmox-backup/tfa/<username>.json or similar
> 
> this way the damage is contained if for example the config breaks
> because of incorrect deserialization etc.

Why would deserialisation be incorrect for one single file but magically
works if multiple files? Makes no sense.

> 
> 4. html/js injection in the description field on gui (fixed on staff
> repo already)
> 

Yeah, as always, Ext.String.htmlEncode is your friend ;)

> 5. notify user if more than X failed tfa attempts (password is already
> compromised at this point, so it's important to notify) and block IP
> for certain amount of time (fail2ban?)

we do not setup fail2ban but any admin can already if wished. Notification
can only work if the user has setup a mail in the first place - but yes, sou

> 
> 5.b also if recovery keys are available, limit amount of TOTP attempts
> for that user

what?





More information about the pbs-devel mailing list