Cloudron Forum

2FA for all LDAP apps

Category: Feature Requests
Tag: 2fa
47 Posts, 12 Posters, 9.6k Views, 11 Watching
      marcusquinn, post #1 (last edited by girish)

      The absence of 2FA on the LDAP login Apps makes me nervous for GDPR and typical security needs nowadays.

      I don't know that anyone's ever had a break-in yet, and fail2ban is a good start but expectations for 2FA are increasing.

      I wonder if a global solution would be for all Cloudron packaged apps to use a Cloudron login screen with 2FA instead of the app's native logins?

      Realising this is development overhead in packaging, open to discussion and alternative suggestions. Hoping this idea is more evolution than revolution.

      The more we use any data-silo, the potentially more valuable or attractive it becomes for unscrupulous targeting.

      Thoughts?

      Web Design https://www.evergreen.je
      Development https://brandlight.org
      Life https://marcusquinn.com

        marcusquinn, post #2 (last edited by marcusquinn)

        To add weight to my own argument, and product differentiation for Cloudron:

        Many of these FOSS apps are funded from their own hosted/enterprise/supported offering. Sort of meaning Cloudron is benefiting from the apps development and maintenance but also competing for that revenue.

        This sort of global enhancement, just like the consolidation of LDAP/email/backups/DNS admin etc is more of a genuine value-addition.

        So, making the LDAP apps' logins at least use a Cloudron LDAP login page would be an extension of that concept and further distinguish from the app devs' own hosted options.

          mehdi (App Dev), post #3

          @marcusquinn said in 2FA for all LDAP apps:

          I wonder if a global solution would be for all Cloudron packaged apps to use a Cloudron login screen with 2FA instead of the app's native logins?

          This idea would definitely break a lot of stuff, at least for any app which is not strictly limited to a web front-end only. Off the top of my head: Nextcloud's desktop apps, anything git, mobile/TV apps for Jellyfin/Emby...

          The cleanest way to support 2FA would be to go back to OAuth login, instead of only LDAP. Then, it would be normal to have a Cloudron-controlled page to log in. The problem is that many apps don't support it, and don't really want to.

          The other clean way to do it is to support it at the app level, like Gitlab. Again, many apps don't support it, but I think it would be easier to convince app developers to support it.

          The "ugly" way would be to customize the password-verification process for apps, so that in the normal login screen of the app the user can type something like PASSWORD;OTP or something. Bonus: no support from the apps themselves required, only on the platform level. Problem: educating users is gonna be hard. And it's not really neat ^^

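The platform-level PASSWORD;OTP verification described above, written out as an added example (it is not part of the original post and not Cloudron's code): the directory side splits the submitted string on the last `;`, checks the password hash and an RFC 6238 TOTP code in constant time, and rejects a code that has already been accepted. The in-memory user record, the fixed salt and the RFC 6238 test secret are constructed assumptions.

```python
# Added example, not Cloudron code: verify a "PASSWORD;OTP" credential on the
# platform side so an app's unmodified login form can carry a second factor.
# Assumptions (constructed): users live in a dict, passwords are PBKDF2-SHA256
# hashes, the OTP is RFC 6238 TOTP (SHA-1, 6 digits, 30 s step) checked with a
# +/-1 step window, and the last accepted step is stored to stop replays.
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

SEPARATOR = ";"   # the user types  <password>;<otp>  into the app's password box
STEP = 30         # TOTP time step in seconds
DIGITS = 6
WINDOW = 1        # also accept the code for one step before and after "now"


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, totp_secret: Optional[str]) -> dict:
    # A real directory would draw a random salt per user; fixed here (constructed).
    salt = b"constructed-salt"
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_step": -1}


def verify(user: dict, submitted: str, now: int) -> Tuple[bool, str]:
    """Return (accepted, reason). `submitted` is the raw login-form password field."""
    if user["totp_secret"] is None:
        password, otp = submitted, None            # user not enrolled in 2FA
    elif SEPARATOR in submitted:
        # split on the LAST separator so the password itself may contain ';'
        password, otp = submitted.rsplit(SEPARATOR, 1)
    else:
        return False, "otp_missing"

    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    if otp is None:
        return (True, "ok") if pw_ok else (False, "bad_password")

    # Compare against every step in the window, in constant time per step, and
    # remember the first step that matched.
    matched_step = None
    for delta in range(-WINDOW, WINDOW + 1):
        step_index = now // STEP + delta
        expected = totp(user["totp_secret"], step_index * STEP)
        if hmac.compare_digest(expected.encode(), otp.encode()) and matched_step is None:
            matched_step = step_index

    if not pw_ok:
        return False, "bad_password"
    if matched_step is None:
        return False, "bad_otp"
    if matched_step <= user["last_step"]:
        return False, "otp_replayed"             # this code (or an older one) was already used
    user["last_step"] = matched_step
    return True, "ok"
```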
            marcusquinn, post #4 (last edited by marcusquinn)

            What @mehdi says ☝ you explain it much better 🙂

            My main concern apps are Nextcloud, Webmail apps, Mautic, CRM apps, Project Management apps.

            Obviously things like Privatebin etc don't need.

            I think a solution that was an option for the most sensitive apps would be more desirable than holding out for a solution that covered all of them.

            Think of it as a "2FA supported" or "SSO supported" tag on the apps or something.

            In practice, I think the combo of decent firewall settings and using a password manager still give 99%+ security.

            It's just that last box to tick, as much as I hate 2FA for user-friendliness, with my business head, achieving GDPR/PCI/HIPAA compliance standards in this area is both valuable and I don't think is an expectation that will go away.

            I'd hope we're all here because we work with data that is important to us and those we work with, and we choose these platforms to keep that safe.

              nebulon (Staff), post #5

              As @mehdi mentioned, the root issue is that a good solution needs to have support by the app itself. This either means the app, including all related mobile/desktop clients, needs to support this OR they would have a proper OAuth implementation, which also is supported again by those mobile/desktop clients.

              The reality is simply that OAuth often is only supported for signup or in a very specific flavor, if at all. We have been there already, in fact we started out with OAuth instead of LDAP. Unfortunately this didn't work out as we wanted it.

              The other option really depends on the app authors implementing that.

              I think the best way to bring this issue further is to go into the app communities, which currently lack this feature and raise awareness or even better try to help them implement it.

                mehdi (App Dev), post #6

                Yeah, I think the best way forward is to list which apps are important for you, and start a campaign to lobby for 2FA support in them ^^

                Most big apps already do (Gitlab, NextCloud, ...). The rest should be possible to convince, as it's considered an important security feature nowadays

                  girish (Staff), post #7

                  This was brought up by @nj in https://forum.cloudron.io/topic/2433/the-real-sso-with as well. I am open to @mehdi's idea of password;totp but the UX worries me since you have to communicate this to all your users and they will also need to know which apps support this format and which don't.

                    mehdi (App Dev), post #8

                    @girish Yeah, the UX would not be great...

                    I guess it would be acceptable to allow admins to enable it on a per-app basis, with lots of warnings that they should warn their users. Some people may need it for compliance reasons.

                    I actually used a system that worked like this once. It's weird at first but you get used to it pretty quickly

                      marcusquinn, post #9 (last edited by marcusquinn)

                      OK, I see what you're all saying, and I'm a fan of simple solutions, so I think there's lots of good reasoning here. Save your time and let's put the thread on ice. I'll think about it app by app instead as some should already have the option and I'd not looked into that until exploring the global solution discussion.

                      Another thought for anyone else following this thread, and it's something I might do. Not 100% secure but might be safer:

                      1. Issue Bitwarden login credentials, and enforce 2FA there.
                      2. Issue all other credentials (with or without 2FA as appropriate) through Bitwarden, using shared credentials with the password hidden feature.

                      I know the hidden password isn't completely secure from javascript spying - but it would help protect against user phishing as a vector as the users wouldn't know their own non-2FA credentials to be able to enter them in any other URL or place than Bitwarden will submit them to as the URL from the credentials shared.

                      It's a teeny bit more setup admin that makes Bitwarden installation and login essential to being able to log in to other apps - but Bitwarden can have 2FA enforced.

                      It doesn't protect from brute-forcing but either the DNS proxy (Cloudflare etc) or the server firewall should make that inefficient and uneconomical without a large IP pool.

                      Noting some on here have medical clients, hopefully this helps.

                      It might also help with that usability question on remembering if the login username is a username or an email address.

                        marcusquinn, post #10

                        The above solution could be a Cloudron Feature too if the Bitwarden API were able to receive and update the Cloudron user's LDAP credentials and share them with their main Cloudron email account with a selected Bitwarden instance.

                        https://bitwarden.com/help/api/

                        Maybe the kind of thing @lonk would enjoy making a 200 comment thread on 😂

                          robi, post #11

                          or we wait and see what happens with Oauth3 and CapTP 😏

                          Conscious tech

                            marcusquinn, post #12

                            @robi, waiting is never a luxury in my business, I'm afraid.

                            We have 20+ staff working our help-desk every day, and they do receive constant phishing attempts; currently all their systems are protected with 2FA systems and a password manager policy for entering credentials in any logins.

                            The cost of one systems breach could be tens to hundreds of thousands or total business failure, in addition to annual PCI Compliance audits, so the luxury of waiting for security isn't an option when the numbers and risk aren't an option for us at least.

                            The password manager and good password practice workaround, coupled with a good firewall setup, is adequate; it's just something that doesn't happen without a personal or business policy to make that so, hence thinking through options so that the Cloudron apps could have that policy by design.

                            So, I'm not saying the apps are insecure, just that social engineering and personal computer security are more vulnerable without 2FA. Nothing's perfect but we can still keep the odds in our favour with at least a policy and awareness.

                              robi, post #13

                              I hear you, not the spirit of my comment. 🙂

                              I've been impressed lately with the WP WAF plugins like WP Cerber that do a good job to notice, escalate and block nefarious IPs probing to get in.

                              Cloudron could benefit from something similar at the system level.

                              fail2ban is ok, but could use a dashboard and configurator as a Cloudron App.

                                Lonkle, post #14 (last edited by Lonkle)

                                @marcusquinn Haha, the only reason for that one million comment thread was because I constantly needed to reference back. I've actually got box down pretty well. And, hey, now a random live blog of me doing 1000 things wrong, and finally getting 1002nd attempt right exists in the world! I'll always get to go back and say "hey, that was my first attempt at learning docker, and cloudron." ☺️

                                What are the benefits of this Bitwarden connection with Cloudron?

                                  marcusquinn, post #15 (last edited by marcusquinn)

                                  @Lonk Based on my policy suggestion above, assuming Bitwarden is installed and 2FA enforced:

                                  Current flow:

                                  1. Create a Cloudron User.
                                  2. Create a Bitwarden User.
                                  3. Create an Organisation called Users.
                                  4. Create a Collection for each User, including just that User, with Hide Password and Read Only enabled settings.
                                  5. Create a Bitwarden Login record containing said User Cloudron LDAP Login credentials.
                                  6. Share said record with said User Collection.
                                  7. Add all URLs to all allowed Cloudron Apps to said record.
                                  8. User can now only log in to those Cloudron Apps using the Bitwarden extension and can't see or know their Cloudron LDAP password as it is hidden and read-only.

                                  Proposed flow:

                                  1. Have a setting for each App that selects an available Bitwarden instance.
                                  2. Complete the above steps from Cloudron to Bitwarden API.
                                  3. Relax.

                                    Lonkle, post #16

                                    Let me mull this over and look into Bitwarden and I'll get back to you. 🤔

                                      mehdi (App Dev), post #17

                                      Honestly, I do not like this idea.

                                      It would be great to have it in an external script or something. But integrated into the Cloudron platform? ... It seems too much of a hack, in my opinion.

                                        fbartels (App Dev), post #18 (last edited by fbartels)

                                        I agree with @mehdi. That workflow also comes with the downside that while the actual owner of the account does not know his/her own password, you (as the admin) actually know it yourself.

                                        Rather enforce secure passwords and rotate them regularly (in addition to encouraging users to use password managers).

                                          mehdi (App Dev), post #19

                                          @fbartels said in 2FA for all LDAP apps:

                                          and rotate them regularly

                                          (Forcing password rotation when there has been no indication of compromise has actually been proven experimentally to lower security, rather than enhance it: it encourages users to choose simpler passwords, because they're gonna have to remember more passwords)

                                            girish (Staff), post #20

                                            @mehdi said in 2FA for all LDAP apps:

                                            Forcing password rotation when there has been no indication of compromise has actually been proven experimentally to lower security

                                            This seems to be one of those counter-intuitive ideas. I had no idea it actually lowers security.
