drakkan / sftpgo

Full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob

Home Page:https://sftpgo.com


2FA HTTP prerequirement set for 2FA SSH

todeb opened this issue · comments

Is your feature request related to a problem? Please describe.

There can be a situation where a user is required to set 2FA for both HTTP and SSH.
If such a user sets 2FA only for SSH, then he can start using the SSH protocol, but HTTP web client access will not be protected with 2FA.
If the password of such a user leaks, the attacker could change 2FA for SSH and access the SFTP data files.

Describe the solution you'd like

If 2FA for SSH is required and the user has both HTTP and SSH protocols enabled, there should be validation that 2FA for HTTP is mandatory and required before setting 2FA for SSH, or there should be no option to set 2FA for SSH without 2FA for HTTP.
Also, 2FA for HTTP cannot be disabled if 2FA for SSH is enabled.

Describe alternatives you've considered

No response

What are you using SFTPGo for?

Medium business

Additional context

No response

I think this is already supported. No time/motivation for step-by-step instructions, sorry. Please check our support policy.

@drakkan I do not see such a setting that would require this.
You can set both SSH and HTTP as required for a user, although he can just set up 2FA for SSH, leaving HTTP without 2FA.

So that user will already get access to SFTP via SSH, while not getting access to SFTP via HTTP.
Although someone with bad intentions, just by having the password of that user, can update his 2FA secret, read recovery codes etc., easily gaining access to SFTP data.

There is currently no option to block SSH access for a user that did not set 2FA for the web client.

Hello, maybe I'm missing something, but I cannot reproduce.
If you found a bug feel free to send a PR, this is the normal flow if you decide to use SFTPGo for free, all code is available.
Thank you!

@drakkan I'm not a developer, so I can't really quickly go over the code and make changes.

Here is a reproduction with images:

  1. Set 2FA for the user:
    [screenshot: 1_set2faforuser]
  2. On the web client for that user, there is a message that he needs to configure both:
    [screenshot: 2_seerequiredonwebclient]
  3. But he can actually set only one:
    [screenshot: 3_configuredjustssh]
  4. And can access SFTP, while having the web client unprotected with 2FA:
    [screenshot: 4_connectedssh]

As said, I cannot replicate (step 3 does not work for me). Please check our support policy, we don't provide free support, sorry.

I don't understand what you cannot replicate.
On the screen below, from the SFTPGo web client 2.5.6, you have a multiselect form.
You can select none, any one option, any two options together or all three options together.
[screenshot: Capture]

If you select just SSH, that is OK; that enables access to SFTP from a functionality point of view.
Although from a security point of view not really, as that leaves an open door to authenticate via HTTP without 2FA
(which gives access to update the 2FA secret, read recovery codes, change the password etc.).

It is not a support request because I see how it works. This issue should be treated more like a security improvement.
So that is why I reported it as a suggestion.

You are not allowed to select only SSH with the correct configuration. Please stop, you can use SFTPGo for free but we don't offer free support. Thanks for understanding.

The screenshots rather prove that maybe I'm not allowed to, but I can.
The first one says:
"Two-factor authentication requirements not met, please configure two-factor authentication for the following protocols: HTTP, SSH"
But at the same time, in the 2FA tab I can freely choose just SSH or HTTP or both.

I know that the user is required to choose both and selecting just one is not a correct configuration, but you can do that.

IMO the web client should not allow the user to choose which 2FA to enable if a requirement is set from the admin client for that user.

There should be only one click to enable it for everything that is required, or nothing. End users prefer simple configs and not overthinking.

[screenshot: Schermata del 2024-01-22 19-04-49]

As explained above, if you find an edge case, send a PR or help the project become long-term sustainable and you will get help.

I don't like to ignore users (and as you can see here, you received support and I spent my time checking your report), but please understand that there is no company sponsoring SFTPGo; if all users just ask and return nothing back, the project will become unmaintained and you will find yourself having to switch to another similar software (probably a proprietary one).

I reconfigured once again following the most simple configuration.
A user without groups, just with an ACL with 2FA selected. Then it is working as you said.

So what is not working is:

  • create a group that has 2FA configured
  • add this group as a secondary group to a user
  • then in the web client for that user the requirement to configure both protocols is not enforced

I know about the limitations of groups, but in theory two-factor auth protocols are inherited from primary and secondary groups.

So if it is enforced when set within the user scope and it is not when set from the group scope, then I assume it is either a bug or the documentation of the groups should be changed.
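As an added illustration of the validation the thread asks for (not SFTPGo's own code, and the types and function names are hypothetical): the set of protocols that require 2FA is computed from the user plus primary and secondary groups, and a requested 2FA configuration is refused unless it covers every required protocol, so that "SSH only" is rejected when the requirement comes only from a secondary group.

```go
package main

import "sort"

// Hypothetical stand-ins, not SFTPGo's types; RequiredTwoFactor lists the
// protocols (e.g. "HTTP", "SSH") for which the admin made 2FA mandatory.
type Group struct{ RequiredTwoFactor []string }
type User struct {
	RequiredTwoFactor []string
	PrimaryGroup      *Group
	SecondaryGroups   []*Group
}

// EffectiveRequired unions the user's own requirement with the ones inherited
// from the primary group and every secondary group.
func EffectiveRequired(u User) map[string]bool {
	sources := [][]string{u.RequiredTwoFactor}
	if u.PrimaryGroup != nil {
		sources = append(sources, u.PrimaryGroup.RequiredTwoFactor)
	}
	for _, g := range u.SecondaryGroups {
		sources = append(sources, g.RequiredTwoFactor)
	}
	required := map[string]bool{}
	for _, ps := range sources {
		for _, p := range ps {
			required[p] = true
		}
	}
	return required
}

// MissingTwoFactor returns, sorted, the required protocols that the protocols
// ticked in the web client would leave without 2FA. Non-empty means refuse the
// request, whether it enables SSH only or later disables HTTP with SSH still on.
func MissingTwoFactor(u User, enabled []string) []string {
	on := map[string]bool{}
	for _, p := range enabled {
		on[p] = true
	}
	missing := []string{}
	for p := range EffectiveRequired(u) {
		if !on[p] {
			missing = append(missing, p)
		}
	}
	sort.Strings(missing)
	return missing
}
```

With a user whose only 2FA requirement comes from a secondary group requiring HTTP and SSH, `MissingTwoFactor(u, []string{"SSH"})` returns `[HTTP]`, which is the refusal the web client currently does not produce.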