2FA with connected Cloudron servers - Best practice

uwcrbc

Hi again,

So I guess this post is just for a quick validation / reference for others in the same situation, since I ran the scenarios and I am pretty sure I have my answers.

In case of 2 Cloudron servers connecting user directories, the docs tells us:

The Cloudron connector is the only one that supports 2FA. If the user has 2FA setup in the Cloudron LDAP Server, then 2FA is required to login

So in practice, in the setup:

• Cloudron Server A (CSA) is the one owning the user directory. CSA has 2FA enabled / requires users to set up 2FA.
• Cloudron Server B (CSB) user directory is connected with CSA.

I presume CSB should not have the "require users to set up 2FA." box ticked since:

• Option 1 - If the box on CSB is not ticked, User 1 from CSA logs fine on CSB using username/password/2FA token
• Option 2 - If the box on CSB is ticked, User 1 from CSA is prompted for the creation /registration of an extra 2FA token upon logging on CSB, making this a second 2FA token for user 1 (but only valid on CSB)

so probably Option 1 is the preferred/standard setup / best practice in this situation.
However it leaves a scenario where local users of CSB are not being forced to register for 2FA (while users synced from CSA are fine and need to use their 2FA token from CSA to log into CSB)

Is this correct? does this correspond to best practice? or am I missing something?

Many thanks in advance for the pointers

girish

@uwcrbc thanks for the report. There is indeed an issue with mandatory 2FA+local users.

girish

This is fixed now with https://git.cloudron.io/cloudron/box/-/commit/d34b102e523fd67b52c4d7433ab1dec06d522409

uwcrbc

Thank you @girish - I'll test with v8 and report back thereafter in case of need.