Hi, I was wondering if there has been any interest in adding two factor authentication to the web ui login?
I haven’t seen any post about it, so I figured I’d get a conversation going.
I would love to have it, as I’m a bit hesitant to putting ipfire web ui where it would be accessible to the internet (like running it in an ec2 instance) without some kind of multi factor authentication.
Google Authenticator has a Pam module for it. It’d be nice to also use it for root passwords as well. I don’t know exactly how it would be implemented in a db though, but worth looking into I think.
Anyways, anyone have any thoughts?
As a fellow IPFire user and a member of this community, I appreciate your suggestion and fully approve its benefits.
However, the reality is that our developer team, which is relatively small, currently does not have the resources to introduce new features. Their primary focus at present is on ensuring IPFire’s security and advancing the development of IPFire 3. The latter is a crucial initiative, given its ability to support IPv6 and manage an arbitrary number of zones.
Please note that the Web User Interface is designed to be accessible only via the LAN for security reasons. That being said, IPFire does provide secure remote access options. You can access the Firewall Web Interface securely using either IPSec or OpenVPN, both of which are readily supported by IPFire.
Of course, if you are inclined and able to contribute to the development of this feature, the team would undoubtedly provide as much assistance as they can to support your efforts.
I agree with cfsuco that something like TOTP only makes sense in a public domain, not in a private domain like a firewall. MFA makes sense when a login mask is prone to brute-forcing or social engineering. In my opinion a firewall GUI should never be exposed to the internet.
You can even lock yourself out with TOTP like this thread from another open source firewall shows:
I’m not so sure I agree. There’s always the possibility of insider threats.
Like, say you are running ipfire in a school. There’s usually some kid that wants to break/hack into everything. I think adding totp would be helpful. Yes, you can make firewall rules so that only certain subnets access 444 (which is much easier to do than opnsense running on 443 lol) but it adds to the filtering which adds to the performance.
As far as getting locked out, that’s why you have backups. Reinstall, restore, and make sure you reconfigure the login authentication.
While IPfire doesn’t have any fancy authentication, there might be a benefit.
For Firewall, I think , physical security is much more important than login security…
TOTP, in the case of a frewall , needs solid mantenance. because it couldl actually introduce another surface for an attack. There have been many interceptions and other “workarounds” for TOTP. You will be partially exposing the authentication to the internet because TOTP should be coming from a 2nd- party not the IPFire.
Lot of times a motion sensing / security camera is used for notifications, or maybe a smart lock / alarm. to get a notifications, which would be one of the benefits of TOTP.
I’m not so sure I agree
As said, the reality is that our developer team, which is relatively small, currently does not have the resources to introduce new features.
But I agree it is a good idea for some scenarios.
So we are all happy if you join the developer team and add two factor authentication to the web ui login
If you do not have time to do it or time to learn how to do it for this otherwise wonderful free software, it might not happen in the near future.
Correct. You should not make the web UI publicly accessible. The “default configuration” on AWS does this so that it is easier to set up the system initially, but this should be changed as soon as possible.
The web UI is brute-forcible which generally speaking is not a problem (because virtually everything is BF-able). But with a sufficiently complex password, the barrier can be raised high enough.
I do not see much benefit of TOTP authentication for things like VPNs and the web UI, but I suppose we will add this at some point.
Here are some more thought on TOTP: blog.ipfire.org - OpenVPN OTP/2FA
How much benefit could be for IPFire diffusion the ability to be installed in place that requires TOTP authentications as policy or law request?
I am regularly discussing this topic with our customers from financial business and governments as they have those requirements. That is a blanket requirement and as it does not make any sense to have this rolled out to log into the firewall, this has been acceptable and never been an issue.
Thanks for your opinion. I had some different outputs from a government referrals.
1: TOTP and logging is required for VPN access
2: TOTP and logging is required for access firewall (which can lead to firewall audit and changes)
I can agree with you that TOTP is not the sealant if the appliance is lacking about vulnerability corrections and some more, but it enhances the requirements from two factors (username and password) to three (username, password, known device which release OTP codes).
You don’t agree that is increased complexity and increased challenge for crack? I cannot see how.
Yes, you can still say “OTP provider could be flawed”. The same is possible for every other piece of code in any other software project…
every tool put in place to improve firewall security is certainly welcome
but between having or not having OTP control I must say that I don’t see this need.
I have also supplied systems to very critical structures in Italy where they required OTP control but once they explained it too they realized that it made no sense to have it
With the ability to lock down access to WUI in any number of ways - frankly I do not see how this could ever add to additional performance loss, must be a very poor computer then - I add my voice to the chorus claiming it is not essential.
A firewall should never be directly accessible outside it’s network. Even delimiting the clients that can access inside it’s network is a good and reasonable measure.
Just my 2 cents…