Re: 2FA for admin user
Hi Jimmy,

Here is the document related to 2FA, with all the related details on how to enable and disable 2FA.
http://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html#using-two-factor-authentication-for-users

If you are a user and you have logged in, then go to the top right >> click on user profile >> in the action icons you can see the action to enable or disable 2FA.

If you are an admin and want to disable 2FA for other users, you can go to Accounts >> specific user >> in the action icons you can see the action to disable 2FA for that user.

In the above document there is a note mentioning the way to disable using the “user” table in the database, please check if it can help.

Regards,
Harikrishna

From: Jimmy Huybrechts
Date: Thursday, 14 March 2024 at 4:18 PM
To: users@cloudstack.apache.org
Subject: 2FA for admin user

Hi,

I want to enable 2FA for admin user as well for security, but in case for some reason this stops working, gets lost or whatever the reason may be. Is there a way we can remove it so you can login again? We have physical access to the servers of course.

--
Jimmy
2FA for admin user
Hi,

I want to enable 2FA for admin user as well for security, but in case for some reason this stops working, gets lost or whatever the reason may be. Is there a way we can remove it so you can login again? We have physical access to the servers of course.

--
Jimmy
Re: Cloudstack user logins with 2FA and Google Authenticator
Hi Harikrishna

Thanks for info. We will wait for 4.18 release then.

David Larsen

-Original message-
From: Harikrishna Patnala
Sent: Friday, 18 November 2022 08:36
To: users@cloudstack.apache.org
Subject: Re: Cloudstack user logins with 2FA and Google Authenticator

Hi David,

2FA framework and plugin is under development and planning to make it in 4.18 release. It is not available in 4.17.1. You can find some details about the feature here at https://cwiki.apache.org/confluence/display/CLOUDSTACK/2FA+Framework+and+Plugins

Regards,
Harikrishna

From: David Larsen
Date: Thursday, 17 November 2022 at 8:19 PM
To: users@cloudstack.apache.org
Subject: Cloudstack user logins with 2FA and Google Authenticator

Hi

We are currently working on how to integrate Cloudstack (4.17.1.0) logins with Google and Google authenticator. Are there any “this is how you do it” documents out there for Cloudstack? I found some info related to it, but no luck yet… ☹

I saw the “2FA Framework and Plugins” document from the 4.17 design documents by Rohit. Is this plugin deployed in 4.17.1.0? Do we have to use SAML2 to make this work? And if so, how?

Any help pointing me in the right direction will help us a lot.

Best regards
David Larsen
Re: Cloudstack user logins with 2FA and Google Authenticator
Hi David,

2FA framework and plugin is under development and planning to make it in 4.18 release. It is not available in 4.17.1. You can find some details about the feature here at https://cwiki.apache.org/confluence/display/CLOUDSTACK/2FA+Framework+and+Plugins

Regards,
Harikrishna

From: David Larsen
Date: Thursday, 17 November 2022 at 8:19 PM
To: users@cloudstack.apache.org
Subject: Cloudstack user logins with 2FA and Google Authenticator

Hi

We are currently working on how to integrate Cloudstack (4.17.1.0) logins with Google and Google authenticator. Are there any “this is how you do it” documents out there for Cloudstack? I found some info related to it, but no luck yet… ☹

I saw the “2FA Framework and Plugins” document from the 4.17 design documents by Rohit. Is this plugin deployed in 4.17.1.0? Do we have to use SAML2 to make this work? And if so, how?

Any help pointing me in the right direction will help us a lot.

Best regards
David Larsen
Cloudstack user logins with 2FA and Google Authenticator
Hi

We are currently working on how to integrate Cloudstack (4.17.1.0) logins with Google and Google authenticator. Are there any “this is how you do it” documents out there for Cloudstack? I found some info related to it, but no luck yet… ☹

I saw the “2FA Framework and Plugins” document from the 4.17 design documents by Rohit. Is this plugin deployed in 4.17.1.0? Do we have to use SAML2 to make this work? And if so, how?

Any help pointing me in the right direction will help us a lot.

Best regards
David Larsen
Re: [DISCUSS] 2FA framework and plugins for CloudStack
Great, thanks for the feedback Chris. I think in the first iteration the default plugin that will be shipped will be TOTP (time-based OTP) based such as what a lot of people use with Google authenticator, authy etc. Instead of a "static pin" plugin, maybe we can also do a dynamic email based OTP 2FA plugin too.

Regards.

From: vas...@gmx.de
Sent: Monday, November 29, 2021 17:14
To: users@cloudstack.apache.org
Subject: Re: [DISCUSS] 2FA framework and plugins for CloudStack

Hi Rohit,

this sounds awesome and for me it is an absolute +1, as in my organization this is a major concern with cloudstack atm.

Regarding the proposed "general-purpose 2FA plugins": I would suggest to exchange the PIN option against another type of factor, as as far as I am aware a user generated PIN would also "count" as a "knowledge" factor.

Maybe one could use the already implemented functions for generating ssh-keypairs to create kind of a "token" which a user needs to present on login (simply saying, generate a dedicated key-pair for login purposes to the web-ui / cmk). The admins then could choose on how to provide the token for the users or where to store them.

Instead of using "ssh-keys" maybe a certificate / pki approach would also be useful, as many of the using organizations have already some kind of PKI environment running. So Admins could deploy a root-cert for the domain and provide user-certs for authentication / validation.

Looking forward to this exciting feature!

Regards,
Chris

On Mon, 29 Nov 2021 at 11:49, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
> All,
>
> During CCC21 hackathon, I explored the feasibility of a 2FA framework and
> a TOTP (time-based OTP) plugin that can be used with Google Authenticator,
> MS Authenticator, Authy etc.
>
> I've used ideas of TOTP based 2FA PoC to put together a design doc for
> discussion:
>
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/2FA+Framework+and+Plugins
>
> Kindly review and share your feedback. Thanks.
>
> Regards.
Re: [DISCUSS] 2FA framework and plugins for CloudStack
Hi Rohit,

this sounds awesome and for me it is an absolute +1, as in my organization this is a major concern with cloudstack atm.

Regarding the proposed "general-purpose 2FA plugins": I would suggest to exchange the PIN option against another type of factor, as as far as I am aware a user generated PIN would also "count" as a "knowledge" factor.

Maybe one could use the already implemented functions for generating ssh-keypairs to create kind of a "token" which a user needs to present on login (simply saying, generate a dedicated key-pair for login purposes to the web-ui / cmk). The admins then could choose on how to provide the token for the users or where to store them.

Instead of using "ssh-keys" maybe a certificate / pki approach would also be useful, as many of the using organizations have already some kind of PKI environment running. So Admins could deploy a root-cert for the domain and provide user-certs for authentication / validation.

Looking forward to this exciting feature!

Regards,
Chris

On Mon, 29 Nov 2021 at 11:49, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
> All,
>
> During CCC21 hackathon, I explored the feasibility of a 2FA framework and
> a TOTP (time-based OTP) plugin that can be used with Google Authenticator,
> MS Authenticator, Authy etc.
>
> I've used ideas of TOTP based 2FA PoC to put together a design doc for
> discussion:
>
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/2FA+Framework+and+Plugins
>
> Kindly review and share your feedback. Thanks.
>
> Regards.
[DISCUSS] 2FA framework and plugins for CloudStack
All,

During CCC21 hackathon, I explored the feasibility of a 2FA framework and a TOTP (time-based OTP) plugin that can be used with Google Authenticator, MS Authenticator, Authy etc.

I've used ideas of TOTP based 2FA PoC to put together a design doc for discussion:

https://cwiki.apache.org/confluence/display/CLOUDSTACK/2FA+Framework+and+Plugins

Kindly review and share your feedback. Thanks.

Regards.
Re: 2FA
Hi Rakesh,

We have a user authentication/login framework that you can extend to do 2FA. Something like (throwing ideas at you):

* Implement separate API to do 2FA (general purpose) and implement 2FA plugin-framework (plugins can be sms, captcha, google authenticator)
* In UI - the 2FA are called to show/pass a challenge (for example, sms code, google auth code etc) that the user inputs in a field
* When user enters credentials and 2FA code and submits, the login API piggybacks the new 2FA code as a parameter which is handled by the backend auth framework in a generic way, passed to 2FA framework to check (which calls a check() method by the configured 2FA plugin) - on pass it does not do anything, on fail it throws an exception and invalidates the login

If you want to do something really quick as Simon suggests, you can enable SAML based single-sign-on and enable 2FA on the SAML IDP.

Regards.

From: David Jumani
Sent: Wednesday, August 11, 2021 09:49
To: users ; dev
Subject: Re: 2FA

Hi Rakesh,

MFA is generally done via an IAM rather than on a per-application basis. As Simon had mentioned, CloudStack does support SAML / LDAP so, in a general / corporate use case, the MFA would go there. So I do not think adding support for 2FA will add any significant benefit.

That being said, I'll be happy to review any PR that's raised.

From: Simon Weller
Sent: Wednesday, August 11, 2021 12:31 AM
To: users ; dev
Subject: Re: 2FA

Rakesh,

ACS does support SAML2 and in order to deploy 2FA/MFA, you could integrate it with an Identity and Access Management System such as Keycloak (https://www.keycloak.org/).

-Si

From: Rakesh Venkatesh
Sent: Tuesday, August 10, 2021 4:34 AM
To: users ; dev
Subject: 2FA

Hello

Has anyone thought about 2FA or about how to implement it in cloudstack? Looks like this will be a good addition to enhance the security.

I have some idea about implementing in the backend but don't have much idea on how to display the QR code in the UI or other functionalities which are needed for the frontend part.

--
Thanks and regards
Rakesh
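A sketch of the flow outlined in the message above (login code handed to a framework that calls the configured plugin's check(), exception on failure), using the TOTP factor discussed in the [DISCUSS] thread. This is an added example, not CloudStack code or anything posted by the participants; `TwoFactorFramework`, `TotpPlugin`, `TwoFactorFailed` and the user dictionary are hypothetical names, and the secret is the published RFC 6238 test key.

```python
import base64, hashlib, hmac, struct, time

class TwoFactorFailed(Exception):
    """Raised by a plugin's check(); the caller must invalidate the login."""

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TotpPlugin:
    """Hypothetical plugin: RFC 6238 TOTP with a +/- `window` step tolerance."""
    name = "totp"

    def __init__(self, step: int = 30, window: int = 1):
        self.step, self.window = step, window

    def check(self, secret_b32: str, code: str, now: float, last_counter: int) -> int:
        secret = base64.b32decode(secret_b32, casefold=True)
        current = int(now) // self.step
        for counter in range(max(0, current - self.window), current + self.window + 1):
            if counter <= last_counter:
                continue  # a code from an already-used time step is a replay
            if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
                return counter
        raise TwoFactorFailed("invalid or reused 2FA code")

class TwoFactorFramework:
    """Hypothetical framework: dispatches to the configured plugin's check()."""

    def __init__(self, plugins, configured: str):
        self.plugin = {p.name: p for p in plugins}[configured]

    def verify(self, user: dict, code: str, now: float = None) -> None:
        now = time.time() if now is None else now
        # On pass: record the step and return. On fail: the exception propagates.
        user["last_counter"] = self.plugin.check(
            user["secret"], code, now, user.get("last_counter", -1))

# Constructed sample user; the secret is the RFC 6238 test key in base32.
SAMPLE_USER = {"name": "admin", "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}
FRAMEWORK = TwoFactorFramework([TotpPlugin()], configured="totp")

if __name__ == "__main__":
    FRAMEWORK.verify(SAMPLE_USER, hotp(b"12345678901234567890", int(time.time()) // 30))
    print("2FA passed, step", SAMPLE_USER["last_counter"])
```

Storing the last accepted time step per user is what rejects a code that is replayed inside its validity window; the tolerance window only absorbs clock drift between server and phone.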
Re: 2FA
Hi Rakesh,

MFA is generally done via an IAM rather than on a per-application basis. As Simon had mentioned, CloudStack does support SAML / LDAP so, in a general / corporate use case, the MFA would go there. So I do not think adding support for 2FA will add any significant benefit.

That being said, I'll be happy to review any PR that's raised.

From: Simon Weller
Sent: Wednesday, August 11, 2021 12:31 AM
To: users ; dev
Subject: Re: 2FA

Rakesh,

ACS does support SAML2 and in order to deploy 2FA/MFA, you could integrate it with an Identity and Access Management System such as Keycloak (https://www.keycloak.org/).

-Si

From: Rakesh Venkatesh
Sent: Tuesday, August 10, 2021 4:34 AM
To: users ; dev
Subject: 2FA

Hello

Has anyone thought about 2FA or about how to implement it in cloudstack? Looks like this will be a good addition to enhance the security.

I have some idea about implementing in the backend but don't have much idea on how to display the QR code in the UI or other functionalities which are needed for the frontend part.

--
Thanks and regards
Rakesh
Re: 2FA
Rakesh,

ACS does support SAML2 and in order to deploy 2FA/MFA, you could integrate it with an Identity and Access Management System such as Keycloak (https://www.keycloak.org/).

-Si

From: Rakesh Venkatesh
Sent: Tuesday, August 10, 2021 4:34 AM
To: users ; dev
Subject: 2FA

Hello

Has anyone thought about 2FA or about how to implement it in cloudstack? Looks like this will be a good addition to enhance the security.

I have some idea about implementing in the backend but don't have much idea on how to display the QR code in the UI or other functionalities which are needed for the frontend part.

--
Thanks and regards
Rakesh
2FA
Hello

Has anyone thought about 2FA or about how to implement it in cloudstack? Looks like this will be a good addition to enhance the security.

I have some idea about implementing in the backend but don't have much idea on how to display the QR code in the UI or other functionalities which are needed for the frontend part.

--
Thanks and regards
Rakesh
Re: Google Authenticator 2fa in ACS?
Same here, but if you are ok with google managing your users' data, I think it is ok to use it directly. The interesting part of Keycloak is that it supports both SAML and OpenId Connect at the same time.

On Tue, Nov 13, 2018 at 4:12 PM Rene Moser wrote:
> We use keycloak [1] as an SSO solution (including 2FA) as an identity and
> access management.
>
> It supports SAML, so any application with SAML including CloudStack can
> be connected.
>
> [1] https://www.keycloak.org/about.html
>
> On 11/13/18 6:56 PM, Matheus Fontes wrote:
> > Hi,
> > Is there any way to implement Google Authenticator (or other free
> > solution) as 2-step verification on ACS?
> >
> > thanks
> > Matheus Fontes

--
Rafael Weingärtner
Re: Google Authenticator 2fa in ACS?
We use keycloak [1] as an SSO solution (including 2FA) as an identity and access management.

It supports SAML, so any application with SAML including CloudStack can be connected.

[1] https://www.keycloak.org/about.html

On 11/13/18 6:56 PM, Matheus Fontes wrote:
> Hi,
> Is there any way to implement Google Authenticator (or other free solution) as
> 2-step verification on ACS?
>
> thanks
> Matheus Fontes
Re: Google Authenticator 2fa in ACS?
Yes, I think google supports SAML (identity federation protocol that is supported by ACS). Therefore, you can integrate ACS with Google IdP.

On Tue, Nov 13, 2018 at 3:57 PM Matheus Fontes wrote:
> Hi,
> Is there any way to implement Google Authenticator (or other free solution)
> as 2-step verification on ACS?
>
> thanks
> Matheus Fontes

--
Rafael Weingärtner
Google Authenticator 2fa in ACS?
Hi,

Is there any way to implement Google Authenticator (or other free solution) as 2-step verification on ACS?

thanks
Matheus Fontes