From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id D9F35607C1 for ; Wed, 2 Dec 2020 15:06:37 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id C3F261C84B for ; Wed, 2 Dec 2020 15:06:07 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id D55EB1C83E for ; Wed, 2 Dec 2020 15:06:03 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 9A50444C41 for ; Wed, 2 Dec 2020 15:06:03 +0100 (CET) To: Proxmox Backup Server development discussion , Oguz Bektas References: <20201119145608.16866-1-w.bumiller@proxmox.com> <20201202105650.GA7591@gaia.proxmox.com> <4c361a22-5caa-db5e-66b9-046638048fd5@proxmox.com> <20201202123556.GE7591@gaia.proxmox.com> <20201202133511.GI7591@gaia.proxmox.com> From: Thomas Lamprecht Message-ID: <2a631565-3004-b6dc-3805-a270349a7bc0@proxmox.com> Date: Wed, 2 Dec 2020 15:05:42 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Thunderbird/84.0 MIME-Version: 1.0 In-Reply-To: <20201202133511.GI7591@gaia.proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL -0.075 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.001 Looks like a legit reply (A) RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [protonmail.com] Subject: Re: [pbs-devel] [RFC backup 0/6] Two factor authentication X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Dec 2020 14:06:37 -0000 On 02.12.20 14:35, Oguz Bektas wrote: > On Wed, Dec 02, 2020 at 02:07:25PM +0100, Thomas Lamprecht wrote: >> On 02.12.20 13:35, Oguz Bektas wrote: >>> On Wed, Dec 02, 2020 at 01:27:47PM +0100, Thomas Lamprecht wrote: >>>>> 3. don't store all the tfa information in a single json file. >>>>> >>>> >>>> makes no sense to me, any reason you mention below can happen to arb= itrary >>>> files, so just adds complexity while not gaining anything. >>>> >>>>> current version uses a single /etc/proxmox-backup/tfa.json file >>>>> which holds all the tfa info for all the users. this is a single po= int >>>>> of failure because: >>>>> - file can be corrupted, causing tfa to break for everyone (no more= logins) >>>>> - file could get deleted, disabling/bypassing 2fa for everyone >>>>> - file could get leaked in a backup etc., giving everyone's tfa sec= rets >>>>> and/or recovery keys to attackers (bypass everything) >>>>> >>>>> better is to at least create a file for each user: >>>>> /etc/proxmox-backup/tfa/.json or similar >>>>> >>>>> this way the damage is contained if for example the config breaks >>>>> because of incorrect deserialization etc. >>>> >>>> Why would deserialisation be incorrect for one single file but magic= ally >>>> works if multiple files? Makes no sense. >>> >>> of course this can happen on arbitrary files... i don't see why it >>> would add any complexity to use multiple files though (actually makes= it >>> simpler imo). the reasoning behind this was to avoid a single point o= f >>> failure like i explained: >>> >>> multiple files for users -> only that user is affected by broken conf= ig, >>> other users can log in >>> single file for all users -> all users affected if config breaks and >>> nobody can log in >> >> See that almost as anti-feature, it's actually better if such a thing = happens >> that it's broken for all, as then one gets admin attention and can act= ually >> look for the underlying root cause - which at that point is probably m= emory or >> disk corruption/failure - or where does wolfgangs serializer breaks fo= r all in one >> but not for split?? >> >> >>> >>> so the point wasn't to magically fix (potential) incorrect deserializ= ation but to >>> reduce breakage in case something like that happens. >> >> >> like "what" happens? There's no such thing as one serialization is fin= e and the >> other not - if you start assuming that transient error model you canno= t do anything >> at all anymore! >=20 > as i explained already, it's not about if one serialization is fine and= > the other isnt; if we have one big mess of a json file holding all the > secrets of everyone's tfa config, and at any point there's some bug in > the serializer or any other component that interacts with this, then > this can lead to DOS of ALL accounts on the server (or compromise of AL= L > secrets in that file). the model is different than the normal authentic= ation > mechanism with pam/pbs realms, since the 2fa configuration has > (untrusted) user input that gets serialized and added into a root-owned= > file during the setup. letting any user on any realm do this is IMO > bad practice. It's not a mess it's clearly structured. Serde does just a fine job seria= lizing JSON, a simple format to escape, plus we define schemas with validation f= or that exact reason. >=20 > furthermore we could easily add a check during auth to see if the > tfa.json parses to correct json, and if not pop up an error message lik= e > "2FA configuration invalid, please contact administrator" etc. and even= > automatically send an email to root@pam ... That's what serde already does, it errors if not valid JSON, which then e= rros the login (did not looked at it, but would assume that a error there does= not just defuses TFA completely...) ... >=20 >> >> I rather have it corrupt for all files as then the admin needs to fix = it and we >> get notified, as some "magic" bug that only happens if it's a Tuesday = and full moon. >> >> So no I do *not* want to have user.cfg, token.cfg, shadow.json with al= l info in >> one file, and then start to split TFA for every user, because of an er= ror model >> which just assumes whatever one wishes. >> >>>> >>>>> 5. notify user if more than X failed tfa attempts (password is alre= ady >>>>> compromised at this point, so it's important to notify) and block I= P >>>>> for certain amount of time (fail2ban?) >>>> >>>> we do not setup fail2ban but any admin can already if wished. Notifi= cation >>>> can only work if the user has setup a mail in the first place - but = yes, sou >>> yes, but imo 2fa is more sensitive to bruteforcing than regular >>> passwords so it would make sense to limit it by default >> >> why is it more sensitive? I need both, so it's the same? If I get leak= ed shadow >> and tfa, I need to break both, only one has no use - that's the idea o= f TFA... >=20 > it's more sensitive to bruteforcing; because of limited > keyspace, as in it's easier to bruteforce a 6 > digit numerical passcode than a regular passphrase in most > circumstances. if attacker cracks/steals a password and is presented > with a 2fa screen, it should be unlikely for them to bypass/crack that.= > if i get unlimited tries to crack a 6-digit code you'll eventually get > it right. You have about 2 time windows to get through all combinations of 10^6 wit= h a forced response delay of 3 seconds + network latency, so 20 tries max b= efore the time change so much that you need to start again... >=20 > that's why i think attempts should be limited by default and not relian= t > on fail2ban, because there's no use case where anyone tries to enter a > totp code a thousand times for any legitimate reason... (however you > could forget/lose your password easily so it's more acceptable to let > someone keep trying in the regular auth case) but fail2ban can cope with the difference between >3 tries per minute, so= why exactly=20 >>>> >>>>> >>>>> 5.b also if recovery keys are available, limit amount of TOTP attem= pts >>>>> for that user >>>> >>>> what? >>>> >>> >>> if a user sets up TOTP + recovery keys, then it would make sense to l= ock >>> account in case of a lot of auth attempts with TOTP, until recovery k= ey >>> is entered (afaik this is a common mechanism). but maybe just >>> notifying the user is enough as well. >> >> and why do you place more trust onto the fixed recovery keys than anot= her TFA >> option?=20 > the same reason i explained above, this would only kick in when the TOT= P > is disabled because of too many auth failures. if a user has set up > recovery keys then they can be already used instead of TOTP (the option= > is there regardless). so it's not placing more trust on the recovery > keys. It sure is, because you say that recovery keys are still good when u2f is= not anymore, that implies you trusting it more that u2f or other variants. >=20 > the flow could be something like this: > 1. user sets up 2fa, TOTP and recovery keys > 2. attacker login with stolen password > 3. attacker attempts to crack 2fa totp code > 4. fails after 3/5/X attempts, user gets notified and TOTP is disabled > 5. at this point user can only log in with password + recovery code. (w= hich they > could anyway, even if TOTP is present) >=20 >> Which services/programs/websites do that, can you name a few examples?= >=20 > afaik some "secure" email providers like protonmail/tutanota etc. use proton mail seems to use just 8 hex characters as recovery key and I see = nowhere any description for the behaviour you suggest.. https://protonmail.com/support/knowledge-base/two-factor-authentication/ > this kind of mechanism (account password + mailbox is encrypted with > password, and recovery keys in case all else is lost/locked). >=20 > i'm sure there are other examples as well I'm then sure you can list them, for now we're at 0 examples with actual source ;-)