Feature Request: Duo MFA #2432

Closed
CornHead764 opened this issue Mar 26, 2021 · 37 comments · Fixed by #6609
@CornHead764

Been using Mesh Central for a few years now, and have been using the built in 2fa for a long time. It works great, but I recently discovered there is a free tier for Duo to use their app based mfa, so you can use a push notification as the mfa method for free. I would love to see mesh central integrate duo as a 2fa method. Any of the paid tiers could use duo as a saml provider to integrate with mesh central that way, however those of us on the free tier don't seem to have an option for integration with mesh central :(

Below is a link to their web sdk and OIDC api documentation

https://duo.com/docs/duoweb
https://duo.com/docs/oauthapi

@Ylianst Ylianst self-assigned this Mar 26, 2021
@Ylianst (Owner) commented Mar 27, 2021

Interesting. I always figured Google or Microsoft would offer a free push notification 2FA to help the Internet since FireBase Cloud Notifications are free. I will take a look at this, if they have a NodeJS SDK, that would be perfect. The MeshCentral 2FA login screen is not currently "live" (websocket), so I would have to do some work to change that. This said, it would be cool to tap ok on a mobile device for 2FA.

@CornHead764 (Author)

A quick google search yielded the below GitHub repository, which appears to be supported by duo directly. Hopefully this is relatively easy to implement.

https://github.com/duosecurity/duo_nodejs

@Ylianst (Owner) commented Mar 27, 2021

You're fast. Yes, this is exactly what I need and being supported by Duo is excellent. It's also on NPM here, so exactly perfect. I will give this a try.

@VINISHVV

Wow, good feature .. I am waiting for the same in MC.

@eldadh commented Apr 15, 2021

Can't wait for this feature,
Would be a great addition to a great piece of software.

@CornHead764 (Author)

Any update on this? Just curious

@VINISHVV

@CornHead764 - Duo MFA is not implemented, but the same functionality is enabled in the MeshCentral mobile app.

Please refer #2495

@CornHead764 (Author)

> @CornHead764 - Duo MFA is not implemented, but the same functionality is enabled in the MeshCentral mobile app.
>
> Please refer #2495

Looks like no dice for us iOS users :(

Oh well, I'll keep waiting :)

@m4zl commented Nov 9, 2022

I am also waiting full of interest for the Duo MFA. We would like to use it as well.

Any updates on this @Ylianst maybe?

@fredclown

Also would love to see Duo support.

@Ylianst (Owner) commented Jul 16, 2023

I looked at Duo MFA support a long time ago and it's a paid service. If I remember correctly, I could get a free account and support a few users, but beyond this, you needed to pay a monthly fee so I focused on free 2FA solutions instead. I don't have much time these days since I am focused on starting up in a different job, but if someone has a pull request for Duo, I will certainly accept it.

@si458 (Collaborator) commented Dec 7, 2024

Is this still required?
There is a passportjs module we could try using https://github.com/basharal/passport-duo
Also they offer 1-10 users FREE which might help us get started, but it's only MFA access, no passwordless or SSO.

@si458 si458 assigned si458 and unassigned Ylianst Dec 7, 2024
@Br0kenSilos

Just adding my two cents here.. I don't know how much work it would be to add it to MC as I am not a dev but, I use DUO (personal) for other things and would love to have the option in MeshCentral. Right now I use a YubiKey for my MFA into MC, but DUO would be a nice to have for when I do not have the yubikeys handy. We also use DUO for MFA at work too so I can only guess that this would be nice to have for larger companies using DUO as well.

@si458 (Collaborator) commented Dec 7, 2024

I will have a look when I get a chance!
There is a possibility that the module passport-duo won't work because it used iframes,
which from googling Duo no longer supports!

@si458 (Collaborator) commented Dec 9, 2024

OK, the passport-duo doesn't work anymore, so we need a new way to implement their v4 SDK now.

We would need to add another button after you log in and get asked for 2FA, which you click to be diverted to Duo to do 2FA.

But also we need to create a panel in your 'My User' page to create/add your account to the Duo servers and then keep a record of this.

It's similar to how we would do, say, the SMS, but it means more fields in the database that would need adding.

So it's very complex and not simple.

@si458 (Collaborator) commented Dec 10, 2024

OK, so I have done some testing and I just need some input on the matter.

When you set up Duo you need an ID, secret and server name; you get these from Duo in Applications.

Should we set up a single set of Duo credentials which the whole server would use? (So a single person/company would pay for each of their users that use Duo.)

Or do we do it like Bitwarden, where each user has their own credentials etc.? Then the fee/burden is on the end user/staff member?

Also, when the staff member logs in, do we redirect to Duo automatically OR do we have a button like we do with messaging/SMS which the user clicks, then we divert to Duo for auth?

Also we need to assign a username to Duo. I was going to use the user identifier for uniqueness, as using the username isn't really unique,
and we can't use the email address because multiple users can have the same email address.

@Br0kenSilos

Well I can only speak for my own use case and that may or may not best suit others. I use MC at home to support family, friends, and a few clients. For stuff like this I have a personal DUO account since it is only me using it. So for me personally it makes sense to do it like Bitwarden does.

OTH, at work, we have a paid DUO account and all employees are using the company DUO account. While we are not currently using MC at work, I am trying to slowly sell the idea of it. In that case, option one would be better.

So I guess it really depends on how others see it. I feel like I could make it work for me either way.

@si458 (Collaborator) commented Dec 10, 2024

@Br0kenSilos OK, thank you for your input, I will think on it.
I've started to implement it like your work's method,
where work has a main account/control but each user has a Duo account under them,
which would be like $3/$6/$9 a month depending on their plan,
so currently each MeshCentral user that enables the option in the My User panel will be charged a fee, like the pic below.
[image]
Thankfully, Duo offers 10 users free! Which is what I'm using to test!

@Br0kenSilos

Yep. That makes sense to me. I too use the free 10 user account at home and then use work's larger corporate account for work things. The nice thing is that the DUO phone app allows multiple accounts (work and personal) on it so it all stays together.
Thanks for all the work you do!!

@si458 (Collaborator) commented Dec 10, 2024

@Br0kenSilos I tested here and it's the same thing, which is nice!
Only thing I spotted was I couldn't use the same mobile number on multiple accounts, but I think that's a Duo limitation, not something I'm doing wrong haha

Only final question,
Do I display a button underneath the token box like we do for messaging/email/SMS which takes us to Duo,
Or
Do I just automatically divert the user to Duo?

I would say a button you click to use Duo, because you can still set up additional 2FA like email or SMS or messaging as well as Duo, and they will need the token message box.

Also, if I got really fancy I can even integrate the raw API from Duo and then let the user enter the code that's displayed in the app directly into the token box and let it do the authentication, but they would prefer I still used the redirect method instead.

@Br0kenSilos

Oh man.. Well again.. For me personally.. I would display a button / icon along with whatever other 2FA methods might be enabled. In my case, I typically use my Yubikey. But if I am mobile on my laptop, DUO would be my next best choice. Also, that's cool you can use the token box. NORMALLY, I use DUO push notifications that I approve on the phone instead of keying in the code. But that's more of a personal preference.

@si458 (Collaborator) commented Dec 10, 2024

@Br0kenSilos thank you.
I think I will do the button.
It is the best option because, as you explained, you can use other 2FA methods too rather than forcing Duo upon somebody all the time!

@si458 (Collaborator) commented Dec 10, 2024

Sample teasers I've been working on all day hehe
[image]
[image]
[image]

{
  "domains": {
    "": {
      "passwordRequirements": {
        "duo2factor": {
          "apihostname": "api-xxxxxx.duosecurity.com",
          "integrationkey": "DIQxxxxxxxxxxxxxxxxx",
          "secretkey": "vkg2Cxxxxxxxxxxxxxxxxxxxxxxxxx"
        }
      }
    }
  }
}

@Br0kenSilos

HAH! I am loving it man. Great work for sure. I'm going to buy you a beer (or two).

@si458 (Collaborator) commented Dec 14, 2024

ta-da! #6609
Need to get @Ylianst just to verify the security side of things and no exploits, but all works here, no issues!

@Br0kenSilos

Heck yah! Can't wait.

@si458 (Collaborator) commented Dec 14, 2024

IF you wanted to test

  1. stop meshcentral
  2. BACKUP YOUR SETUP/VM/SERVER/ETC!!!!!!!!!!!
  3. npm install Ylianst/MeshCentral#duo-mobile <- remember NO TRANSLATIONS ONLY ENGLISH!
  4. set credentials like above from duo (you must create the application as web sdk)
  5. start meshcentral
  6. try letting a user enable it!

@si458 (Collaborator) commented Dec 24, 2024

OK, so @Ylianst likes the integration but wasn't happy with the process of registering/activating the user with Duo,
so while we have merged the commit, he is going to redo the stage to activate it for Duo,
as currently you have to tick a box, then log out and log in, then click Duo to create/activate Duo, which isn't ideal!
And I have no idea why I didn't think about it!

@Br0kenSilos

Ah yes. That makes sense. No worries on my end. I have been so busy I haven't been able to update my system in a few weeks. Day job blues..

@si458 si458 reopened this Dec 25, 2024
@si458 (Collaborator) commented Jan 6, 2025

this has now been implemented! 1.1.37 👍

@si458 si458 closed this as completed Jan 6, 2025
@Br0kenSilos

SWEET!! Thanks for getting that done guys.
🍻 🍻🍻🍻

@j0hu commented Feb 14, 2025

Hi, it could be so nice...

I am using the official MeshCentral container, v1.1.38, from DockerHub. The MeshCentral container is fronted by a proxy -> Traefik (v3.3.3), which handles the SSL connection and reliably serves >30 other containers.

I have set up the DUO2 integration as described in the documentation (created a DUO Free account & WEB SDK app, added configuration entries and keys to config.json -> see below).

After that, I can select the DUO method in the user account security settings and complete the guided setup in the browser – so far, so good.

But here’s the issue: in the final step (and on every repetition), I get the message "Internal Server Error" in the browser, see screenshot:

[image]

Restarting the MeshCentral container unfortunately does not change the behavior. Additionally, no icon for the DUO 2FA method is displayed at user login form.

In the Bash of the Docker container, I see the following message parallel to the error in the browser. Both appear every time I complete the last step: confirming the DUO setup/ the authentication request via the DUO app on my smartphone:

meshcentral  | ERR: ReferenceError: direct is not defined
meshcentral  |     at /opt/meshcentral/meshcentral/webserver.js:7052:75
meshcentral  |     at obj.authenticate (/opt/meshcentral/meshcentral/webserver.js:429:108)
meshcentral  |     at /opt/meshcentral/meshcentral/webserver.js:6969:33
meshcentral  |     at Layer.handle [as handle_request] (/opt/meshcentral/meshcentral/node_modules/express/lib/router/layer.js:95:5)
meshcentral  |     at next (/opt/meshcentral/meshcentral/node_modules/express/lib/router/route.js:149:13)
meshcentral  |     at Route.dispatch (/opt/meshcentral/meshcentral/node_modules/express/lib/router/route.js:119:3)
meshcentral  |     at Layer.handle [as handle_request] (/opt/meshcentral/meshcentral/node_modules/express/lib/router/layer.js:95:5)
meshcentral  |     at /opt/meshcentral/meshcentral/node_modules/express/lib/router/index.js:284:15
meshcentral  |     at Function.process_params (/opt/meshcentral/meshcentral/node_modules/express/lib/router/index.js:346:12)
meshcentral  |     at next (/opt/meshcentral/meshcentral/node_modules/express/lib/router/index.js:280:10)

For completeness, here is the container startup—everything looks fine from my perspective:

[+] Running 1/2
 ✔ Network meshcentral_default  Created    0.1s
 ⠋ Container meshcentral        Created    0.1s
Attaching to meshcentral
meshcentral  | Installing modules [ '@duosecurity/duo_universal' ]
meshcentral  | MeshCentral HTTP redirection server running on port 80.
meshcentral  | MeshCentral v1.1.38, Hybrid (LAN + WAN) mode, Production mode.
meshcentral  | MeshCentral Intel(R) AMT server running on mesh.example.com:4433.
meshcentral  | MeshCentral HTTP server running on port 443.
meshcentral  | SMTP mail server 192.168.1.25 working as expected.
meshcentral  | Loaded web certificate from "https://mesh.example.com:443/", host: "mesh.example.com"
meshcentral  |   SHA384 cert hash: ****
meshcentral  |   SHA384 key hash: ****

Also the following module was already loaded at container start:

Installing modules [ '@duosecurity/duo_universal' ]

Here is my config.json (sensitive data has been replaced by me):

{
  "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
  "__comment__": "This is a sample configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
  "settings": {
    "cert": "mesh.example.com",
    "sessionKey": "****",
    "port": 443,
    "redirPort": 80,
    "allowFraming": false,
    "webRTC": true,
    "selfUpdate": false,
    "browserPong": 30,
    "agentPong": 25,
    "_tlsOffload": "127.0.0.1,::1",
    "tlsOffload": true,
    "watchDog": {
      "interval": 100,
      "timeout": 400
    },
    "_crowdsec": {
      "url": "http://localhost:8080/",
      "apiKey": "BOUNCER_API_KEY"
    },
    "_plugins": { "enabled": true }
  },
  "domains": {
    "": {
      "title": "Home",
      "title2": "portal",
      "minify": true,
      "newAccounts": false,
      "certUrl": "https://mesh.example.com:443",
      "passwordRequirements": {
        "min": 8,
        "max": 128,
        "upper": 1,
        "lower": 1,
        "numeric": 1,
        "nonalpha": 1,
        "reset": 90,
        "force2factor": true,
        "_skip2factor": "127.0.0.1,192.168.2.0/24",
        "oldPasswordBan": 5,
        "banCommonPasswords": false,
        "twoFactorTimeout": 300,
        "duo2factor": true
      },
      "duo2factor": {
        "integrationkey": "****",
        "secretkey": "****",
        "apihostname": "api-****.com"
      }
    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "[email protected]",
    "names": "myserver.com,customer1.myserver.com",
    "skipChallengeVerification": false,
    "production": false,
    "zerossl": {
      "kid": "a1b2c3d4e5",
      "hmacKey": "a1b2c3d4e5"
    }
  },
  "smtp": {
    "host": "192.168.1.25",
    "port": 25,
    "from": "[email protected]",
    "__tls__": "When 'tls' is set to true, TLS is used immidiatly when connecting. For SMTP servers that use TLSSTART, set this to 'false' and TLS will still be used.",
    "tls": false,
    "___tlscertcheck__": "When set to false, the TLS certificate of the SMTP server is not checked.",
    "_tlscertcheck": false,
    "__tlsstrict__": "When set to true, TLS cypher setup is more limited, SSLv2 and SSLv3 are not allowed.",
    "_tlsstrict": true,
    "_emailDelaySeconds": 300
  },
  "messaging": {
    "_telegram": {
      "apiid": 0,
      "apihash": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "session": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "useWSS": "false",
      "connectionRetries": 60
    }
  }
}

Does anyone have an idea?

@si458 (Collaborator) commented Feb 14, 2025

@j0hu OK, so the error you are getting is because, for some reason, when Duo returns you to MeshCentral,
MeshCentral rechecks your login details against the DB (for security),
and for some reason the user/pass has become invalid/changed, so the session isn't being stored correctly, which seems odd?

In fact you have also caught a bug, as it should redirect you back to the main login page,
but I'm guessing direct isn't set somewhere, so I will try to take a look at what's going on.

As for Installing modules [ '@duosecurity/duo_universal' ], don't panic about it; basically every time you create a Docker container you have no modules, so it has to install the modules again.
The way to avoid this is simple: stop the container and start it rather than UP/DOWN it (if that makes sense?).

There is also a tiny bug with the modules where anything using @ might try to install the module a 2nd time round?
Haven't been able to work out WHY it does this yet?

@si458 (Collaborator) commented Mar 5, 2025

@j0hu the fix is here for you - c6da201
You should actually NEVER hit this step to begin with;
you only hit this step IF you returned from Duo AND it can't reauthenticate your user!
This ONLY happens if your session or cookie has changed from when you first logged in,
so this COULD happen with things like load balancing or reverse proxies which don't use sticky cookie sessions.

@j0hu commented Mar 11, 2025

@si458 Thanks a lot for the fix. Unfortunately, logging in with DUO2 still isn't working smoothly.

When I confirm the "Manage Duo Authentication" window in the user settings by clicking "OK", a DUO2 window briefly appears (the one with the green circle), as expected. After that, I am now automatically redirected back to the "Devices" page in MeshCentral (before the fix, I got an Internal Server Error—as I previously reported). So, this is already an improvement.

[image]

But I would have expected that after logging out and login again, the 2FA method via DUO2 would be available alongside the options to authenticate via email token or token entry via my authentication app?! However, the DUO2 method no longer appears in the login dialog (before the fix, it was still displayed).

[image]

When I checked the Cisco DUO2 Admin Portal, I can see the successful logins for my account, which match the ones I confirmed with "OK" in the Manage Duo Authentication window. Another potentially relevant detail: The first time I used DUO2, I selected the option to remember my device in the DUO2 dialog (not at the login dialog of meshcentral).

Is there a setting I may have overlooked in the configuration? Or could there be a local DUO2 configuration or DUO2 cache that needs to be reset?

@si458 (Collaborator) commented Mar 11, 2025

@j0hu HUH? I've just removed my Duo authentication to test, and now I see the same thing as you?
WTF? We haven't changed anything?
Unless Duo have changed something maybe?

Please can you open a new issue so we don't make this issue/thread longer!

Just fill out the bug report with all the info, including screenshots you have and what you tried etc.,
I will investigate it ASAP for you!

si458 added a commit that referenced this issue Mar 11, 2025
@si458 (Collaborator) commented Mar 11, 2025

@j0hu I've fixed the issue for you! 1f83b79
4 hours well spent 👍
Turns out when you are returning from Duo from being added, there is no user/pass to verify your user again.
Also when you logged in and used Duo, it wouldn't log you in correctly because of sessions 🤦
