administrator login with 2fa

[António Ramos]

i just activated the two step auth with this 

auth.settings.two_factor_authentication_group = "auth2step"

but now how do i include the administrator user  ?

regards

António

[Clemens]

Try enabling 2FA via the following setting, since this is for all users:

auth.settings.auth_two_factor_enabled = True

Regards
Clemens

[António Ramos]

But that is for everyone, i just want to start with users with admin powers 

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com.

[António Ramos]

in other words, how do i protect the administrator password? it does not have a username , just a password. This is scary :)

[António Ramos]

Anyone can help me ?

[Jim S]

Here is the code I wrote that only enforced 2fa for users outside our local networks.

There is some commented out code there that additionally allowed me to specify users in a group so only that group was force to 2fa

def _two_factor_required(auth_user):
    """
    check whether we need to enforce MFA on this login

   We enforce MFA only on logins external to our network.

    Returns
    -------
    bool - enforce MFA
        - True means this login requires MFA
        - False means we will not enforce MFA for this login
    """
    import ipaddress

    return False  #  temp use to disable mfa

    if len(request.args) > 0 and request.args[0] == "login":
        if auth_user.mfa_override and datetime.datetime.now() <= auth_user.mfa_override:
            #  no mfa required if the user override is set   - we added a field in auth_user to allow us to override if a user was having trouble or lost their phone or something
            return False

        qlf_networks = [
            "9.9.9.9/22",
            "9.9.9.0/24",
            "9.9.9.101/24",
        ]

        ip_list = []
        for range in qlf_networks:
            ip_list.extend(ipaddress.IPv4Network(unicode(range)))

        if ipaddress.IPv4Address(unicode(request.client)) in ip_list:
            #  if the client address is in the local address list, then do NOT require MFA so set to False
            return_value = False

        #  build the MFA Required group members
        # if return_value:
        #     print(datetime.datetime.now())
        #     ag = db(db.auth_group.role == "MFA Required (web2py)").select().first()
        #     if not ag:
        #         ag = db.auth_group.insert("MFA Required (web2py)")
        #     for ou in db(
        #         (db.auth_user.active == True)
        #         | (
        #             (db.auth_user.mfa_override == None)
        #             & (db.auth_user.mfa_override <= datetime.datetime.now())
        #         )
        #     ).select():
        #         db.auth_membership.update_or_insert(user_id=ou.id, group_id=ag)
        #
        #     #  clear out any members that are currently exempt from MFA
        #     if ag:
        #         for exempt_user in db(
        #             (db.auth_user.mfa_override >= datetime.datetime.now())
        #             & (db.auth_user.active == True)
        #         ).select():
        #             db(
        #                 (db.auth_membership.group_id == ag.id)
        #                 & (db.auth_membership.user_id == exempt_user.id)
        #             ).delete()
        #     db.commit()
        #
        #     print(datetime.datetime.now())
        #
        #     #  set to False to force web2py to check the two_factor_authentication  group
        #     return_value = False

That code is in db.py

Then....

auth.settings.auth_two_factor_enabled = lambda user: _two_factor_required(user)
auth.messages.two_factor_comment = "QLF MFA - you have been sent a code"
auth.settings.two_factor_methods = [
    lambda user, auth_two_factor: _send_sms(user, auth_two_factor)
]

My _send_sms code built and sms and sent it via Twilio or RingCentral

I wrote this code, but then we ended up not implementing.  The web2py code is going away for us.  All the same concepts work in py4web (nudge wink wink)

-Jim

[António Ramos]

Hello Jim 

this line of code 

auth.settings.auth_two_factor_enabled = True

does not protect the administrator password. Only created users.

That is my question, how to force administrator to use 2fa ?

regards

António

To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/f92a15ab-45f6-41ae-b285-6b717abd3d7fn%40googlegroups.com.

[Jim S]

What does 'administrator password' mean to you?

I'm not sure what you're referring to

-Jim

[António Ramos]

this admin

https://mysite.com/admin

To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/c8187486-ebdd-4f18-a4d6-b9a45381fad9n%40googlegroups.com.

[Jim S]

So, are you trying to protect the 'admin' application with 2fa?

If so, can you add the 2fa code to the admin app?

I haven't tried this before

[Clemens]

Sorry for not answering any earlier - too much work. Well, in my application (which is in production) I've solved the problem as follows: I've written a controller fully under my control (including 2FA and groups) with just the administration functions I need (users, groups and a rights system on the business objects of my application). On all productive instances (compiled) I've just moved the controllers of appadmin (controllers.appadmin.* ) as well as the admin app to a hidden folder - if needed I can move them back.

That's how it works for me. If your interested in this solution, just say "sounds interesting to me ;-)" and we can have a further conversation on the details.

@Jim: Good to see, that your still in. My plan is to move in 2024 to py4web and have more contact to the community again. web2py is getting more and more a lonely path ;-)

Regards from Germany
Clemens

[António Ramos]

yes i tried it on the admin app and it just does not work.

:)

To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/4d5dc6cd-66c9-42d7-ab5d-78f089987d65n%40googlegroups.com.

[Clemens]

Removing the admin app as well as the appadmin controllers should kill all options of administration. Move these to two to a folder away from web2py. And then you can still call https://.../admin/site or https://.../appadmin?

[Jim S]

I'm just curious

Why do you need access to the admin/appadmin apps in a production environment?

I've never used them there.  I use in development, but never production

-Jim

[Clemens]

I don't and I that's why I (re)move these to a hidden folder on system level :-) What I need is to give customers the option to add new users by themselves. For that I've written a small controller under the control of 2FA and so on.

Regards
Clemens

[Jim S]

If I try to go to admin/appadmin web2py returns:

Admin is disabled because insecure channel

Isn't that just the default behavior?

-Jim

[Jim S]

And to second your comment, I too have a controller method that allows users with the proper access, the ability to add additional users.

The only other reason I would want to access admin is to look at error messages/tickets.  But, I have some method in place to read the error messages and forward them to me in an email.

-Jim

[Clemens]

Well, having a method reporting problems is great. My solution is primarily pragmatic: In case move the controllers in and analyse otherwise having them out of access.

After migrating to py4web I will think of such error mailing controller, sounds interesting.