Support Two-Factor Authentication with Duo

Given that Rancher admin cant really be easily fronted by a VPN and is therefore mostly public, it would be great to support 2 factor authentification to make that public interface more secure.

DUO has a pretty simple web integration: https://www.duosecurity.com/docs/duoweb

Thanks

This should have been posted and should be moved into the Rancher forum. Sorry about that.

Moved; 2-factor is a fine idea but it would need to be something that works offline like TOTP (i.e. Google Authenticator).

Hi Vincent,

Not sure I understand what you mean by offline ? Do you mean standlone ? or hardware token ?

DUO is capable of many auth methods including physical tokens

https://www.duosecurity.com/product/methods

It’s a fairly simple and quick integration that instantly brings a lot of security.

TOTP might be another solution but it looks like it’s not something that can be rolled out in 10mns… In the end, I would simply let the end user choose which platform / solution they want to use to do the 2 factor auth. Just like they can choose DB / Github / Ldap for authentication.

Standalone, without an Internet connection on the client and/or the server. There are people using Rancher on air-gapped networks and we wouldn’t want to add unnecessary internet dependencies.

I didn’t look at duo in detail but the first 2 steps were sign up and create API keys.

But if this is an air-gapped network then the admin UI is not publicly accessible so it’s very much less of an issue and definitely a very particular niche segment and not what i am trying to raise as a concern here. I would imagine that the vast majority of your userbase are deploying rancher on public clouds or bare metals which end up having that admin UI in the open.

The appeal of DUO is you can secure it with 2 factor authentification in literally 10mns and is totally free for up to 10 users.

I agree that the option for two factor auth would be a nice feature to have (but I woudn’t use it), but a private only UI endpoint is hardly niche, and I can’t imagine how the majority of rancher deployments are done. Besides, you can lock down access to your hosts/ports on public clouds too…

Or the kind of people concerned enough to cut off Internet access are exactly the ones that would actually care enough to use two-factor.

I don’t know without asking them, but since local implementations exist I see no reason for us to use a 3rd party Internet webservice. That uses a different method than GitHub’s two-factor that interested users probably also have on. And now that you mention it, especially one that requires a paid account after 10 people. That is a giant paperwork barrier to usage for any reasonable sized company.

We use Two-factor here – Yubikeys and Google Auth (TOTP), both of which can be calculated offline. However we have them behind a RADIUS server for convenience, and normally lock things using Shibboleth.

The way that apps such as SecretServer handle twofactor is to first do the standard auth method (LDAP), and then (depending on configuration) subsequently make a Radius call for the twofactor. Indeed, RADIUS auth support would be a good option to add to Rancher, and it shouldn’t be all that hard (though you’d still need LDAP for groups).

If Rancher supported Shibboleth authentication - or Two-factor using a remote RADIUS server - then this would be a win for us, as we’re moving towards two-factor for admin tasks.