Hello community - hello Proxmox team!
I'm currently playing around with the two-factor implementation of Proxmox (also in the latest version as of today: 6.2-9).
In my opinion 2FA is a must-have if there is a possibility that someone you don't know could be able to access the web GUI.
As an IT-security student I am somewhat familiar with some basic exploits and ways to "work around" authentications.
The way Proxmox VE has implemented 2fa login is (not code-checked, just my thought as a gui-user):
1) User inputs username and password
2) PVE checks if correct
2.1) Response type1: PW incorrect; go back to bullet point 1)
2.2) Response type2: pw correct... go to bullet point 3)
3) User inputs 2fa
4) PVE checks if correct
This way the user instantly gets a response on whether the password is correct, and with that one could brute-force the password.
When an attacker has successfully brute-forced the password, he can brute-force the 2FA code.
A typical OTP code consists of a sequence of one out of a million possible numbers. This means theoretically an attacker must brute-force 500.000 codes in 30 seconds to gain access. (Which is realistic - and even if not, he can try it again in the next 30sec time-slot)
I would highly recommend refactoring the implementation of the 2FA login. (Please do it - I would love to use it)
One possible way could be:
1. User inputs username and password
2. PVE sends a prompt "Input 2fa-code: _____"
3. User inputs 2fa-code
4. PVE sends "Sorry, authentication failed" (without any detailed info if the user exists, the password is incorrect or the 2fa-code is incorrect)
Just my two cents - Please consider this as feedback and not as a complaint.
Best wishes
Flo
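The two flows contrasted in the post, as an added Python example that is not Proxmox's code: `login_two_step` returns a password verdict before the OTP is ever asked for, while `login_combined` collects both factors, checks both unconditionally and returns a single opaque failure. The user store, salt, password, and function names are constructed; the TOTP follows RFC 6238/4226 using the RFC's 20-byte ASCII test secret.

```python
import hashlib
import hmac
import struct


def _hash_pw(password: str, salt: bytes) -> bytes:
    """PBKDF2 password hash for the constructed user store (demo only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SALT = b"constructed-salt"
# Constructed user store: one account with the RFC 6238 test secret.
USERS = {
    "root@pam": {"pw": _hash_pw("correct horse", SALT),
                 "totp_secret": b"12345678901234567890"},
}
DUMMY_SECRET = b"\x00" * 20  # used so unknown users still run a TOTP check


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step counter."""
    return hotp(secret, int(now) // step)


def login_two_step(user: str, password: str, code: str, now: int) -> str:
    """Flow the post describes: a distinct password verdict leaks before the OTP step."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(_hash_pw(password, SALT), rec["pw"]):
        return "password incorrect"  # an oracle: password can be guessed on its own
    if not hmac.compare_digest(code.encode(), totp(rec["totp_secret"], now).encode()):
        return "2fa incorrect"
    return "ok"


def login_combined(user: str, password: str, code: str, now: int) -> str:
    """Flow the post proposes: both factors are checked, one opaque verdict is returned."""
    rec = USERS.get(user)
    # Run both checks regardless of the user existing, so the response (and work
    # done) does not depend on which factor, if any, was wrong.
    pw_ok = rec is not None and hmac.compare_digest(_hash_pw(password, SALT), rec["pw"])
    secret = rec["totp_secret"] if rec is not None else DUMMY_SECRET
    otp_ok = hmac.compare_digest(code.encode(), totp(secret, now).encode())
    return "ok" if (pw_ok and otp_ok) else "authentication failed"
```

A failed-attempt counter or lockout per account would still be needed on top of the uniform response, since an opaque verdict alone does not shrink the 30-second guessing window the post describes.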