2FA prompt does not show up when wrong password is entered

ddscentral

Jun 17, 2024
I have 2FA configured on my PVE and PBS machines.
This issue exists in both PVE and PBS. I've recently noticed that when I accidentally entered the wrong password (typo), I did not get a 2FA prompt, just an error message.
Is this a bug or is this done on purpose? If this is done on purpose, this is a bad design choice which weakens the second factor by revealing the fact that a correct password was entered. The second factor prompt should be shown at all times, regardless of whether the password is correct. Ideally, both password and 2FA should be validated together, not separately.
 
this is how almost all TFA systems are implemented. Otherwise you'd have to leak TFA details (like that TFA is configured, which kind, and depending on the setup, even more!) to unauthenticated users..
 
Understood. I guess my mindset is a little different in this regard.
If you say leaking 2FA is bad, then why does PVE leak the fact that 2FA is configured in the login screen to anyone who connects (with the "+ oath" prefix)?
This is an issue in my opinion.
PBS does not have such an issue.
 
there's a difference between telling that a certain login method requires TFA and leaking details about the TFA config (like length of OTP, registered webauthn devices, types of TFA configured, all down to the level of a particular user). but yes, IMHO we could/should potentially also drop that small bit of information there ;)
 
In case of Webauthn, this is indeed true. If only TOTP was available, then I guess it wouldn't matter so much, but there are other methods available, where leaking 2FA information would not be good. Didn't think about this.
The main reason I asked this question was the 2FA implementation on my old server. There's a PAM module installed which asks for both password and the TOTP code before logging you in. This initially seemed to me like the correct way to implement two-factor, because this way you do not reveal which of the information is incorrect when login fails.

Just curious, why do PBS and PVE have 2FA implemented differently? AFAIK PVE only supports all-or-nothing (either all users need to use 2FA or none) while PBS 2FA is per-user configurable.
 
> The main reason I asked this question was the 2FA implementation on my old server. There's a PAM module installed which asks for both password and the TOTP code before logging you in. This initially seemed to me like the correct way to implement two-factor, because this way you do not reveal which of the information is incorrect when login fails.

there are also PAM implementations where you have to append the TOTP code to the password ;) but yeah, PAM is quite old, and some parts are not as flexible as modern solutions would allow.

> Just curious, why do PBS and PVE have 2FA implemented differently? AFAIK PVE only supports all-or-nothing (either all users need to use 2FA or none) while PBS 2FA is per-user configurable.

well, they are two different implementations under the hood, although some code is shared. but PVE also allows setting up TFA per user, not just realm-wide.
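The two designs discussed in this thread side by side, as an added example that is not Proxmox's, PAM's, or any poster's code: a password-first flow that returns a different outcome before the second factor is ever prompted for, and a combined flow where password and TOTP are submitted and checked together and the caller only learns pass/fail. It also shows the PAM style mentioned above where the code is appended to the password field. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits); the user record, the PBKDF2 parameters, the function names, and the sample credentials are all assumptions made for the illustration.

```python
"""Added example: password-then-TOTP versus password+TOTP checked together."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

STEP = 30  # RFC 6238 default time step in seconds


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over a raw shared secret (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift.
    Every candidate is compared (no early return) to keep timing uniform."""
    ok = False
    for delta in range(-window, window + 1):
        candidate = totp(secret, unix_time + delta * STEP)
        ok |= hmac.compare_digest(candidate.encode(), code.encode())
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are an assumption for the example, not Proxmox's.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    """Hypothetical user record; None means no second factor is configured."""
    salt: bytes
    pw_hash: bytes
    totp_secret: Optional[bytes]


def make_user(password: str, totp_secret: Optional[bytes]) -> User:
    salt = secrets.token_bytes(16)
    return User(salt, hash_password(password, salt), totp_secret)


def login_sequential(user: User, password: str, code: Optional[str], now: int) -> str:
    """Password first; the second factor is only looked at once it matches.
    The distinct return values are exactly the information the thread is about:
    a wrong password is answered before any TFA prompt is shown."""
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return "bad_password"
    if user.totp_secret is None:
        return "ok"
    if code is None:
        return "need_tfa"  # the prompt appears only after a correct password
    return "ok" if verify_totp(user.totp_secret, code, now) else "bad_code"


def login_combined(user: User, password: str, code: str, now: int) -> bool:
    """Both factors submitted in one request and both always evaluated
    (bitwise &, not a short-circuiting `and`); one yes/no answer, so the
    caller cannot tell which factor was wrong. The cost is that the server
    must also never reveal up front whether a code is expected at all."""
    pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
    tfa_ok = True if user.totp_secret is None else verify_totp(user.totp_secret, code, now)
    return pw_ok & tfa_ok


def split_appended(field: str, digits: int = 6) -> Tuple[str, str]:
    """PAM-style single field: the last `digits` characters are the TOTP code.
    Malformed input yields an empty code so the combined check simply fails."""
    if len(field) > digits and field[-digits:].isdigit():
        return field[:-digits], field[-digits:]
    return field, ""


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret; time 59 -> step 1.
    demo_secret = b"12345678901234567890"
    user = make_user("hunter2", demo_secret)
    print(login_sequential(user, "hunter3", None, 59))   # bad_password, no prompt
    print(login_combined(user, "hunter3", totp(demo_secret, 59), 59))  # False
    pw, code = split_appended("hunter2" + totp(demo_secret, 59))
    print(login_combined(user, pw, code, 59))  # True
```

The `totp` values can be cross-checked against the RFC 6238 test vectors (the 8-digit vector `94287082` at time 59 becomes `287082` with 6 digits). Note that the combined flow only hides which factor failed; the question of whether a realm or user has TFA configured at all, raised later in the thread, is a separate piece of information that the login form itself may still disclose.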
 