Re: 2FA for admin user

2024-03-17 Thread Harikrishna Patnala
Hi Jimmy,

Here is the document related to 2FA, with all the details on how to enable 
and disable 2FA.

http://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html#using-two-factor-authentication-for-users

If you are a user and you have logged in, go to the top right >> click on 
user profile >> in the action icons you can see the action to enable or disable 
2FA.

If you are an admin and want to disable 2FA for other users, you can 
go to Accounts >> specific user >> in the action icons you can see the 
action to disable 2FA for that user.

In the above document there is a note mentioning the way to disable it using 
the “user” table in the database; please check if it can help.

Regards,
Harikrishna


From: Jimmy Huybrechts 
Date: Thursday, 14 March 2024 at 4:18 PM
To: users@cloudstack.apache.org 
Subject: 2FA for admin user
Hi,

I want to enable 2FA for the admin user as well for security, but in case for some 
reason this stops working, gets lost or whatever the reason may be, is there a 
way we can remove it so you can log in again?
We have physical access to the servers of course.

--
Jimmy

 



2FA for admin user

2024-03-14 Thread Jimmy Huybrechts
Hi,

I want to enable 2FA for the admin user as well for security, but in case for some 
reason this stops working, gets lost or whatever the reason may be, is there a 
way we can remove it so you can log in again?
We have physical access to the servers of course.

--
Jimmy


Re: Cloudstack user logins with 2FA and Google Authenticator

2022-11-18 Thread David Larsen
Hi Harikrishna

Thanks for info. 
We will wait for 4.18 release then.

David Larsen 


-Original message-
From: Harikrishna Patnala  
Sent: Friday, 18 November 2022 08:36
To: users@cloudstack.apache.org
Subject: Re: Cloudstack user logins with 2FA and Google Authenticator

Hi David,

The 2FA framework and plugin are under development, and we are planning to make it 
into the 4.18 release. It is not available in 4.17.1.
You can find some details about the feature here at 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/2FA+Framework+and+Plugins

Regards,
Harikrishna

From: David Larsen 
Date: Thursday, 17 November 2022 at 8:19 PM
To: users@cloudstack.apache.org 
Subject: Cloudstack user logins with 2FA and Google Authenticator

Hi

We are currently working on how to integrate Cloudstack (4.17.1.0) logins with 
Google and Google Authenticator.
Are there any “this is how you do it” documents out there for Cloudstack? I 
found some info related to it, but no luck yet… ☹

I saw the “2FA Framework and Plugins” document from the 4.17 design documents 
by Rohit. Is this plugin deployed in 4.17.1.0?

Do we have to use SAML2 to make this work?
And if so, how?


Any help pointing me in the right direction will help us a lot.


Best regards
David Larsen

 



Re: Cloudstack user logins with 2FA and Google Authenticator

2022-11-17 Thread Harikrishna Patnala
Hi David,

The 2FA framework and plugin are under development, and we are planning to make it 
into the 4.18 release. It is not available in 4.17.1.
You can find some details about the feature here at 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/2FA+Framework+and+Plugins

Regards,
Harikrishna

From: David Larsen 
Date: Thursday, 17 November 2022 at 8:19 PM
To: users@cloudstack.apache.org 
Subject: Cloudstack user logins with 2FA and Google Authenticator

Hi

We are currently working on how to integrate Cloudstack (4.17.1.0) logins with 
Google and Google Authenticator.
Are there any “this is how you do it” documents out there for Cloudstack? I 
found some info related to it, but no luck yet… ☹

I saw the “2FA Framework and Plugins” document from the 4.17 design documents 
by Rohit. Is this plugin deployed in 4.17.1.0?

Do we have to use SAML2 to make this work?
And if so, how?


Any help pointing me in the right direction will help us a lot.


Best regards
David Larsen

 



Cloudstack user logins with 2FA and Google Authenticator

2022-11-17 Thread David Larsen

Hi

We are currently working on how to integrate Cloudstack (4.17.1.0) logins with 
Google and Google Authenticator.
Are there any “this is how you do it” documents out there for Cloudstack? I 
found some info related to it, but no luck yet… ☹

I saw the “2FA Framework and Plugins” document from the 4.17 design documents 
by Rohit. Is this plugin deployed in 4.17.1.0?

Do we have to use SAML2 to make this work?
And if so, how?


Any help pointing me in the right direction will help us a lot.


Best regards
David Larsen


Re: [DISCUSS] 2FA framework and plugins for CloudStack

2021-12-02 Thread Rohit Yadav
Great, thanks for the feedback Chris. I think in the first iteration the 
default plugin that will be shipped will be TOTP (time-based OTP) based, such as 
what a lot of people use with Google Authenticator, Authy etc. Instead of a 
"static pin" plugin, maybe we can also do a dynamic email based OTP 2FA plugin 
too.


Regards.


From: vas...@gmx.de 
Sent: Monday, November 29, 2021 17:14
To: users@cloudstack.apache.org 
Subject: Re: [DISCUSS] 2FA framework and plugins for CloudStack

Hi Rohit,

this sounds awesome and for me it is an absolute +1, as in my organization
this is a major concern with cloudstack atm.

Regarding the proposed "general-purpose 2FA plugins":
I would suggest exchanging the PIN option for another type of
factor, as, as far as I am aware, a user-generated PIN would also "count" as a
"knowledge" factor.
Maybe one could use the already implemented functions for generating
ssh-keypairs to create a kind of "token" which a user needs to present on
login (simply saying: generate a dedicated key-pair for login purposes to
the web-ui / cmk).
The admins could then choose how to provide the tokens to the users or
where to store them.
Instead of using "ssh-keys", maybe a certificate / PKI approach would also
be useful, as many of the organizations using it already have some kind of PKI
environment running. So admins could deploy a root-cert for the domain and
provide user-certs for authentication / validation.

Looking forward to this exciting feature!
Regards,

Chris

On Mon, 29 Nov 2021 at 11:49, Rohit Yadav <
rohit.ya...@shapeblue.com> wrote:

> All,
>
> During CCC21 hackathon, I explored the feasibility of a 2FA framework and
> a TOTP (time-based OTP) plugin that can be used with Google Authenticator,
> MS Authenticator, Authy etc.
>
> I've used ideas of TOTP based 2FA PoC to put together a design doc for
> discussion:
>
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/2FA+Framework+and+Plugins
>
> Kindly review and share your feedback. Thanks.
>
>
> Regards.
>
>
>
>

 



Re: [DISCUSS] 2FA framework and plugins for CloudStack

2021-11-29 Thread vas...@gmx.de
Hi Rohit,

this sounds awesome and for me it is an absolute +1, as in my organization
this is a major concern with cloudstack atm.

Regarding the proposed "general-purpose 2FA plugins":
I would suggest exchanging the PIN option for another type of
factor, as, as far as I am aware, a user-generated PIN would also "count" as a
"knowledge" factor.
Maybe one could use the already implemented functions for generating
ssh-keypairs to create a kind of "token" which a user needs to present on
login (simply saying: generate a dedicated key-pair for login purposes to
the web-ui / cmk).
The admins could then choose how to provide the tokens to the users or
where to store them.
Instead of using "ssh-keys", maybe a certificate / PKI approach would also
be useful, as many of the organizations using it already have some kind of PKI
environment running. So admins could deploy a root-cert for the domain and
provide user-certs for authentication / validation.

Looking forward to this exciting feature!
Regards,

Chris

On Mon, 29 Nov 2021 at 11:49, Rohit Yadav <
rohit.ya...@shapeblue.com> wrote:

> All,
>
> During CCC21 hackathon, I explored the feasibility of a 2FA framework and
> a TOTP (time-based OTP) plugin that can be used with Google Authenticator,
> MS Authenticator, Authy etc.
>
> I've used ideas of TOTP based 2FA PoC to put together a design doc for
> discussion:
>
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/2FA+Framework+and+Plugins
>
> Kindly review and share your feedback. Thanks.
>
>
> Regards.
>
>
>
>


[DISCUSS] 2FA framework and plugins for CloudStack

2021-11-29 Thread Rohit Yadav
All,

During CCC21 hackathon, I explored the feasibility of a 2FA framework and a 
TOTP (time-based OTP) plugin that can be used with Google Authenticator, MS 
Authenticator, Authy etc.

I've used ideas of TOTP based 2FA PoC to put together a design doc for 
discussion:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/2FA+Framework+and+Plugins

Kindly review and share your feedback. Thanks.


Regards.

 



Re: 2FA

2021-08-11 Thread Rohit Yadav
Hi Rakesh,

We have a user authentication/login framework that you can extend to do 2FA. 
Something like (throwing ideas at you):

  *   Implement a separate API to do 2FA (general purpose) and implement a 2FA 
      plugin-framework (plugins can be sms, captcha, google authenticator)
  *   In UI - the 2FA are called to show/pass a challenge (for example, sms 
      code, google auth code etc) that the user inputs in a field
  *   When the user enters credentials and 2FA code and submits, the login API 
      piggybacks the new 2FA code as a parameter which is handled by the backend auth 
      framework in a generic way, passed to the 2FA framework to check (which calls a 
      check() method by the configured 2FA plugin) - on pass it does not do anything, 
      on fail it throws an exception and invalidates the login

If you want to do something really quick as Simon suggests, you can enable SAML 
based single-sign-on and enable 2FA on the SAML IDP.

Regards.


From: David Jumani 
Sent: Wednesday, August 11, 2021 09:49
To: users ; dev 
Subject: Re: 2FA

Hi Rakesh,

MFA is generally done via an IAM rather than on a per-application basis. As 
Simon had mentioned, CloudStack does support SAML / LDAP so, in a general / 
corporate use case, the MFA would go there. So I do not think adding support 
for 2FA will add any significant benefit.
That being said, I'll be happy to review any PR that's raised.

From: Simon Weller 
Sent: Wednesday, August 11, 2021 12:31 AM
To: users ; dev 
Subject: Re: 2FA

Rakesh,

ACS does support SAML2 and in order to deploy 2FA/MFA, you could integrate it 
with an Identity and Access Management System such as Keycloak 
(https://www.keycloak.org/).

-Si


From: Rakesh Venkatesh 
Sent: Tuesday, August 10, 2021 4:34 AM
To: users ; dev 
Subject: 2FA

Hello

Has anyone thought about 2FA or about how to implement it in cloudstack?
It looks like this will be a good addition to enhance security. I have some
idea about implementing it in the backend but don't have much idea on how to
display the QR code in the UI or other functionalities which are needed for
the frontend part.

--
Thanks and regards
Rakesh
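
The flow outlined in Rohit Yadav's reply above (the login call carries the 2FA code, the framework calls the configured plugin's check(), a failure throws and invalidates the login), as an added Python sketch that is not CloudStack code and not part of the thread. The names `TotpPlugin`, `TwoFactorFramework`, `login` and the user record are hypothetical; the code routine follows RFC 6238 with HMAC-SHA1 and the sample secret is that RFC's published test key.

```python
import base64, hashlib, hmac, struct, time

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = max(int(at) // step, 0)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class AuthError(Exception):
    """Raised to invalidate the login."""

class TotpPlugin:
    """Hypothetical 2FA plugin exposing the check() the framework calls."""
    name = "totp"

    def check(self, secret_b32, code, now=None, window=1):
        now = time.time() if now is None else now
        # Accept +/- `window` 30 s steps for clock drift; constant-time compare.
        return any(
            hmac.compare_digest(totp(secret_b32, now + d * 30).encode(), code.encode())
            for d in range(-window, window + 1))

class TwoFactorFramework:
    """Hypothetical framework: dispatches to the plugin configured for the user."""
    def __init__(self, plugins):
        self.plugins = {p.name: p for p in plugins}

    def verify(self, user, code, now=None):
        plugin = self.plugins.get(user["provider"])
        # Fail closed: unknown plugin, missing code or wrong code all reject.
        if plugin is None or not code or not plugin.check(user["secret"], code, now):
            raise AuthError("2FA verification failed")

def login(framework, user, password_ok, code=None, now=None):
    """Login call: the 2FA code rides along as an extra parameter."""
    if not password_ok:
        raise AuthError("bad credentials")
    if user.get("provider"):  # 2FA is enabled for this user
        framework.verify(user, code, now)
    return "session-for-" + user["name"]

# Constructed sample user; the secret is the RFC 6238 SHA-1 test key.
SAMPLE_USER = {"name": "admin", "provider": "totp",
               "secret": base64.b32encode(b"12345678901234567890").decode()}
```

A code is accepted for one time step either side of the server clock, so a code captured earlier stops working once that window has passed.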




 



Re: 2FA

2021-08-10 Thread David Jumani
Hi Rakesh,

MFA is generally done via an IAM rather than on a per-application basis. As 
Simon had mentioned, CloudStack does support SAML / LDAP so, in a general / 
corporate use case, the MFA would go there. So I do not think adding support 
for 2FA will add any significant benefit.
That being said, I'll be happy to review any PR that's raised.

From: Simon Weller 
Sent: Wednesday, August 11, 2021 12:31 AM
To: users ; dev 
Subject: Re: 2FA

Rakesh,

ACS does support SAML2 and in order to deploy 2FA/MFA, you could integrate it 
with an Identity and Access Management System such as Keycloak 
(https://www.keycloak.org/).

-Si


From: Rakesh Venkatesh 
Sent: Tuesday, August 10, 2021 4:34 AM
To: users ; dev 
Subject: 2FA

Hello

Has anyone thought about 2FA or about how to implement it in cloudstack?
It looks like this will be a good addition to enhance security. I have some
idea about implementing it in the backend but don't have much idea on how to
display the QR code in the UI or other functionalities which are needed for
the frontend part.

--
Thanks and regards
Rakesh

 



Re: 2FA

2021-08-10 Thread Simon Weller
Rakesh,

ACS does support SAML2 and in order to deploy 2FA/MFA, you could integrate it 
with an Identity and Access Management System such as Keycloak 
(https://www.keycloak.org/).

-Si


From: Rakesh Venkatesh 
Sent: Tuesday, August 10, 2021 4:34 AM
To: users ; dev 
Subject: 2FA

Hello

Has anyone thought about 2FA or about how to implement it in cloudstack?
It looks like this will be a good addition to enhance security. I have some
idea about implementing it in the backend but don't have much idea on how to
display the QR code in the UI or other functionalities which are needed for
the frontend part.

--
Thanks and regards
Rakesh


2FA

2021-08-10 Thread Rakesh Venkatesh
Hello

Has anyone thought about 2FA or about how to implement it in cloudstack?
It looks like this will be a good addition to enhance security. I have some
idea about implementing it in the backend but don't have much idea on how to
display the QR code in the UI or other functionalities which are needed for
the frontend part.

-- 
Thanks and regards
Rakesh


Re: Google Authenticator 2fa in ACS?

2018-11-13 Thread Rafael Weingärtner
Same here, but if you are ok with Google managing your users' data, I think it
is ok to use it directly.
The interesting part of Keycloak is that it supports both SAML and OpenID
Connect at the same time.

On Tue, Nov 13, 2018 at 4:12 PM Rene Moser  wrote:

> We use Keycloak [1] as an SSO solution (including 2FA) and for identity and
> access management.
>
> It supports SAML, so any application with SAML, including CloudStack, can
> be connected.
>
> [1] https://www.keycloak.org/about.html
>
> On 11/13/18 6:56 PM, Matheus Fontes wrote:
> > Hi,
> > Is there any way to implement Google Authenticator (or other free
> > solution) as 2-step verification on ACS?
> >
> > thanks
> > Matheus Fontes
> >
>


-- 
Rafael Weingärtner


Re: Google Authenticator 2fa in ACS?

2018-11-13 Thread Rene Moser
We use Keycloak [1] as an SSO solution (including 2FA) and for identity and
access management.

It supports SAML, so any application with SAML, including CloudStack, can
be connected.

[1] https://www.keycloak.org/about.html

On 11/13/18 6:56 PM, Matheus Fontes wrote:
> Hi,
> Is there any way to implement Google Authenticator (or other free solution) as 
> 2-step verification on ACS?
> 
> thanks
> Matheus Fontes
> 


Re: Google Authenticator 2fa in ACS?

2018-11-13 Thread Rafael Weingärtner
Yes, I think Google supports SAML (the identity federation protocol that is
supported by ACS). Therefore, you can integrate ACS with Google IdP.

On Tue, Nov 13, 2018 at 3:57 PM Matheus Fontes  wrote:

> Hi,
> Is there any way to implement Google Authenticator (or other free solution)
> as 2-step verification on ACS?
>
> thanks
> Matheus Fontes



-- 
Rafael Weingärtner


Google Authenticator 2fa in ACS?

2018-11-13 Thread Matheus Fontes
Hi,
Is there any way to implement Google Authenticator (or other free solution) as 
2-step verification on ACS?

thanks
Matheus Fontes