theextremist
just joined
Topic Author
Posts: 7
Joined: Wed Jan 12, 2022 1:59 pm

Mikrotik 2 Factor authentication

Wed Mar 22, 2023 10:28 am

Hello, I want to authenticate WinBox or SSH with a second factor. The problem is with the password: MikroTik sends it as MS-CHAPv2, so it is hashed. The authenticator cannot recognize it and I get a blank password field. Is there any option to change MS-CHAPv2 to PAP, for example, or whatever?
What about dot1x? There are a few EAP methods there. Can I authorize that way?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 1:11 pm

Want to change a secure method to an insecure method to add another insecure layer?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 1:12 pm

 
theextremist
just joined
Topic Author
Posts: 7
Joined: Wed Jan 12, 2022 1:59 pm

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 3:16 pm

Want to change a secure method to an insecure method to add another insecure layer?
What if someone gets the password? Even if it's hashed in the MikroTik system, what is secure about this kind of method?
Thanks
 
marsbeetle
newbie
Posts: 38
Joined: Sun Feb 19, 2023 9:57 am

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 3:25 pm

A possible(untried) alternative for 2FA with SSH is to configure a container with Google's libpam and SSH which could act as a sort of "jumpbox" for access to the router. Appropriate firewall rules would prevent direct access.
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 9:06 pm

You can try with this in container https://hub.docker.com/r/neochrome/bastion, but this is only for ssh, not winbox.
Last edited by optio on Wed Mar 22, 2023 9:14 pm, edited 1 time in total.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 9:13 pm

Learn something new:
I didn't know that was possible. That's a little cleaner than adding a container, and theoretically covers all methods of router access.
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 9:30 pm

Long shot, but... if you are familiar with web development and building Docker images you can create a web wrapper for WebFig with 2FA to run in a container. Some example: https://seantodd.co.uk/blog/putting-2fa-on-everything/
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 9:42 pm

That's a little cleaner than adding a container. And theoretically cover all methods of router access.
True, not quite an easy setup, but still easier than writing a WebFig wrapper :)
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 10:00 pm

The second factor can simply be the SSH cert, the MAC of the device used to attempt the access, the IP bound to the profile, etc. etc. etc.

*** BEGIN FIRST HYPOTHETICAL ENVIRONMENT ***
Open WinBox,
select the device from the Managed / Neighbors / RoMON list,
example: "MySecuredRouter KNHT6ICJOMQG63TFEBSXQYLNOBWGKLROFY======"
simply click on that device and copy the full name into the Note: field.

Advanced solution) The dedicated program, in memory, reads that value, looks up in its internal database the key bound to that device and, using the code, calculates the right OTP password;
after entering the security password, paste the generated OTP password directly into WinBox.

Standard solution) paste what appears in the name into the dedicated OTP password generator, which requires a password to be used, and use that value as the OTP password.

Simply click on connect... done...

The password is changed automatically inside the RouterBOARD using an internal algorithm every X minutes,
and obviously the program knows that algorithm and can generate the right password.

This method is not usable when roaming, if one does not have one's own hardware for remote access.
*** END FIRST HYPOTHETICAL ENVIRONMENT ***


*** BEGIN SECOND HYPOTHETICAL ENVIRONMENT ***
Trying to access the RouterBOARD with a specific username and password causes the RouterBOARD (if it is online) to connect to a remote site to retrieve the password to set on another username.
The user at this point uses the other username with the password specified on the other site.

To access the RouterBOARD the user must know both login credentials and also the credentials of the remote site, and also what the remote site is....

This method is usable also on guest devices for remote access.
*** END SECOND HYPOTHETICAL ENVIRONMENT ***



*** BEGIN THIRD HYPOTHETICAL ENVIRONMENT ***
Connect to a remote webpage; with a PIN or username/password the site stores the caller's IP.
The RouterBOARD accepts the username/password entered only if the call is coming from the same IP and if the PIN / password was already entered on the remote site in the last 1 or 2 minutes.

Obviously the remote site does not have any hint of what the purpose of this hidden webpage is...

This method is usable also on guest devices for remote access.
*** END THIRD HYPOTHETICAL ENVIRONMENT ***
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 10:09 pm

Serious question, I'm not kidding:
Aside from preventing that if someone gets the exact right credentials, on the first try they can log into the router,

what is two-factor authentication for?
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 10:15 pm

Serious question, I'm not kidding:
Aside from preventing that if someone gets the exact right credentials, on the first try they can log into the router,

what is two-factor authentication for?
Preventing authentication even if the password is compromised, which should not be set aside.
Btw. you are missing some hypotheses using SMS codes and setting dynamic passwords combining them (if the OP owns an MT device with a GSM/LTE modem) :)
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 10:20 pm

Preventing authentication even if password is compromised.
I'd like, if possible, to get answers that don't involve what I've already ruled out: username and password being stolen (no matter how or why)

Btw. you are missing some hypotheses using SMS codes and setting dynamic passwords combining them (if the OP owns an MT device with a GSM/LTE modem) :)
Just because not all devices have SIMs.
But yeah, just send an SMS from an authorized number to that device which sets the password specified in the SMS and the problem is already solved...
(and the SMS commands password must also be present in the SMS)
If it is already set and the script is already present, just send one SMS to the RouterBOARD like:
:cmd Vq70980q script chgpass mynesSPERScurPXEAWRD
Last edited by rextended on Wed Mar 22, 2023 10:29 pm, edited 2 times in total.
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 10:28 pm

Preventing authentication even if password is compromised.
I'd like, if possible, to get answers that don't involve what I've already ruled out: username and password being stolen (no matter how or why)
Ruled out, but it is a concern imho.
Just because not all devices have SIMs.
But yeah, just send an SMS to that device which sets the password specified in the SMS and the problem is already solved...
(and the SMS commands password must also be present in the SMS)
I'm using SMS commands for enabling/disabling VPN access, quite useful and I think safer than port knocking. Ah yes... another hypothesis: use port knocking to trigger sending a 2FA code to email :)
Last edited by optio on Wed Mar 22, 2023 10:30 pm, edited 1 time in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 10:30 pm

Or, for the paranoid, also encode the password in the SMS :lol: :lol: :lol: :lol: the chgpass script decodes it and applies the correct password.
:cmd Vq70980q script chgpass KNHT6ICJOMQG63TFEBSXQYLNOBWGKLROFY======
Since the encoding can be arbitrary and not necessarily baseXX, it is strong enough to detect a failed try.

Encoding the password in that way also allows the user to use special characters not allowed in the GSM7 alphabet...
viewtopic.php?p=411358#p411358
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 10:38 pm

Or, for the paranoid, also encode the password in the SMS :lol: :lol: :lol: :lol: the chgpass script decodes it and applies the correct password.
:cmd Vq70980q script chgpass KNHT6ICJOMQG63TFEBSXQYLNOBWGKLROFY======
Since the encoding can be arbitrary and not necessarily baseXX, it is strong enough to detect a failed try.

Encoding the password in that way also allows the user to use special characters not allowed in the GSM7 alphabet...
viewtopic.php?p=411358#p411358
Why not just simply:
:cmd Vq70980q 2fa-script
- 2fa-script can generate a random code and send it back to the same number from which the SMS command was sent. The code can be appended to some predefined password <password><code> for the login user.

Edit: and add a login event for such a user to reset the password to something arbitrary. Also some scheduler script needs to be involved to time out the code and also reset the password to handle the code timeout :)
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 10:42 pm

Scripts must not store passwords...
At least the first part of the password would be plain text in the script, and an "export" or an accidentally unencrypted backup might reveal that part...
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 10:53 pm

Scripts must not store passwords...
At least the first part of the password would be plain text in the script, and an "export" or an accidentally unencrypted backup might reveal that part...
If one is not careful when creating backups, yes, but for example, I'm using a web API for refreshing the IP on some dyndns service; there is no alternative other than storing raw API credentials (user/pass) in the script afaik, that's why my backups are always encrypted.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 10:57 pm

Actually I have the main network on The Dude; right click and "open with WinBox" launches a program that asks for a PIN.
If the PIN is correct*** it decodes the passed username and password from The Dude and uses them as parameters to launch WinBox.
(obviously on the RouterBOARDs WinBox is authorized only from the local management ether port or only from specific remote IPs)

This way, if for some reason my PC is stolen, it is useless, because also the read-only monitoring functions on The Dude accept only some IPs...

*** the PIN is part of the decoding, it is not stored inside the program; a wrong PIN causes WinBox to fail authentication, not a program error, because the program does not know what the right PIN is...

Obviously keyloggers & co. bring the question to another level...
To do that someone must come to my office, break all the door locks up to my office, hack my PC, and remove all traces of the passage...
Last edited by rextended on Wed Mar 22, 2023 11:04 pm, edited 1 time in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 11:03 pm

I'm using a web API for refreshing the IP on some dyndns service; there is no alternative other than storing raw API credentials (user/pass) in the script afaik, that's why my backups are always encrypted.
Why do you not use the MAC of one or more Ethernet interfaces as the seed to encrypt the password?
If the script is run on the same device it can restore the right password to send to dyndns...
If the export/unencrypted backup is stolen, it is useless, because in the export or backup only manually changed MACs are stored...
and the script on a new device can not generate the correct username or password again...
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 11:03 pm

Actually I have the main network on The Dude; right click and "open with WinBox" launches a program that asks for a PIN.
If the PIN is correct*** it decodes the passed username and password from The Dude and uses them as parameters to launch WinBox.
(obviously on the RouterBOARDs WinBox is authorized only from the local management ether port or only from specific remote IPs)

This way, if for some reason my PC is stolen, it is useless, because also the read-only monitoring functions on The Dude accept only some IPs...

*** the PIN is part of the decoding, it is not stored inside the program; a wrong PIN causes WinBox to fail authentication, not a program error, because the program does not know what the right PIN is...

Obviously keyloggers & co. bring the question to another level...
To do that someone must come to my office, break the door lock, hack my PC, and remove all traces of the passage...
Or you can just be kidnapped and forced to log in and nothing helps (maybe a suicide capsule with poison in a tooth?) :)
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 11:06 pm

Or you can just be kidnapped and forced to log in and nothing helps (maybe a suicide capsule with poison in a tooth?) :)
I'd give him the emergency PIN, which if entered still allows decoding and access, but also calls the police without notification... :lol: :lol: :lol: :lol:
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 11:11 pm

Or you can just be kidnapped and forced to log in and nothing helps (maybe a suicide capsule with poison in a tooth?) :)
I'd give him the emergency PIN, which if entered still allows decoding and access, but also calls the police without notification... :lol: :lol: :lol: :lol:
I think now the OP has quite enough solutions for how to implement 2FA or dynamic credentials...
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 11:21 pm

I'm using a web API for refreshing the IP on some dyndns service; there is no alternative other than storing raw API credentials (user/pass) in the script afaik, that's why my backups are always encrypted.
Why do you not use the MAC of one or more Ethernet interfaces as the seed to encrypt the password?
If the script is run on the same device it can restore the right password to send to dyndns...
If the export/unencrypted backup is stolen, it is useless, because in the export or backup only manually changed MACs are stored...
and the script on a new device can not generate the correct username or password again...
I missed this one... true, it can be done like that, by using some value(s) unique to the router; since it is for my home router and only I have access to it I did not bother, but good idea.

Edit: a ROS feature request comes to my mind: Secure Storage, something like the Mac Keychain password storage; it could be some key-value storage unlocked by the logged-in user or the running script's user. Not exportable if not show-sensitive.
Last edited by optio on Wed Mar 22, 2023 11:46 pm, edited 2 times in total.
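The "MAC as seed" idea from the two posts above, written out as an added example (not RouterOS code, not any poster's script): the wrapping key is derived from a device identifier that is present on the router but absent from an export, so the ciphertext that does land in the export cannot be opened on another box. The caveat a practitioner would want stated plainly: a MAC is not a secret, it is visible to every host on the segment and printed on the label, so this protects a leaked export on its own, not against someone who also has the MAC. The MAC and API password below are constructed values; the cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC, standard library only), a stand-in for an AEAD such as AES-GCM that needs a third-party package.

```python
"""Binding a stored script secret to the device it runs on (added illustration).

Not RouterOS code. Derives the wrapping key from a device identifier (an
interface MAC) with HKDF, encrypts with an HMAC-SHA256 keystream and
authenticates with a separate HMAC key, so a blob copied to another device
fails the tag check instead of yielding garbage.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_key(device_id: str, salt: bytes, purpose: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract with the salt, one expand block per purpose."""
    prk = hmac.new(salt, device_id.lower().encode(), hashlib.sha256).digest()
    return hmac.new(prk, purpose + b"\x01", hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || block index), truncated to length."""
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
        for i in range(blocks)
    )
    return stream[:length]


def wrap(secret: bytes, device_id: str) -> bytes:
    """Return salt || nonce || ciphertext || tag; fresh salt and nonce every call."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key = derive_key(device_id, salt, b"enc")
    mac_key = derive_key(device_id, salt, b"mac")
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unwrap(blob: bytes, device_id: str) -> Optional[bytes]:
    """Recover the secret, or None when the tag fails (other device or tampered blob)."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key = derive_key(device_id, salt, b"enc")
    mac_key = derive_key(device_id, salt, b"mac")
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    # constructed values: a made-up ether1 MAC and a made-up dyndns API password
    blob = wrap(b"dyndns-api-password", "48:8F:5A:00:11:22")
    print("same device :", unwrap(blob, "48:8F:5A:00:11:22"))
    print("other device:", unwrap(blob, "48:8F:5A:00:11:23"))
```

The blob (what would sit in the script or export) carries its own salt and nonce, so nothing but the device identifier has to be kept out of the export; a replaced board with a different MAC gets `None` rather than a silently wrong password.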
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 11:39 pm

What if someone gets the password? Even if it's hashed in the MikroTik system, what is secure about this kind of method?

I mean this does sound like TOTP 2FA, which is pretty standard these days (quoting from the bottom of the link):
In winbox or the web interface type your password and append the 6 digit OTP in your authenticator to the end of the password. Make sure the OTP you enter is within the 30 second window or you will fail authentication.

So curious what you're looking for?
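The "password with the 6-digit OTP appended" scheme quoted above, as an added example that is not RouterOS, User Manager or any RADIUS server's code: it models what an authentication server can do when it receives the password in PAP form, namely see the whole string, split off the trailing six digits and check them against the user's TOTP secret with a small skew window and replay protection. With MS-CHAPv2 the server only gets a challenge/response derived from the password, so there is no string to split, which is the mismatch the opening post ran into. The secret and timestamps used are the published RFC 6238 test values and the password `hunter2` is a placeholder, not real credentials.

```python
"""TOTP check for a 'password + 6-digit code' login string (RFC 4226 / RFC 6238).

Added illustration, not vendor code. hotp/totp follow the RFCs; verify_login
is the PAP-side split-and-check that the thread describes.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # time step in seconds (RFC 6238 default)
DIGITS = 6     # code length shown by authenticator apps
WINDOW = 1     # accept one step of clock skew either side

# RFC 6238 SHA-1 test secret ("12345678901234567890"), in the base32 form an app imports
RFC6238_SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_login(submitted: str, password: str, secret: bytes, now: int,
                 used: set) -> bool:
    """Check 'password' + 'code' exactly as typed into WinBox / WebFig.

    `used` holds counters already accepted for this user, so a code captured
    in transit cannot be replayed inside its 30 s validity window.
    """
    if len(submitted) <= DIGITS:
        return False
    static, code = submitted[:-DIGITS], submitted[-DIGITS:]
    # constant-time compare on the static part; a length mismatch simply fails
    if not hmac.compare_digest(static.encode(), password.encode()):
        return False
    if not code.isdigit():
        return False
    for skew in range(-WINDOW, WINDOW + 1):
        counter = now // STEP + skew
        if hmac.compare_digest(hotp(secret, counter), code):
            if counter in used:
                return False          # replay of an already-accepted code
            used.add(counter)
            return True
    return False


if __name__ == "__main__":
    seen = set()
    now = int(time.time())
    login = "hunter2" + totp(RFC6238_SECRET, now)   # what the user would type
    print("first use:", verify_login(login, "hunter2", RFC6238_SECRET, now, seen))
    print("replayed :", verify_login(login, "hunter2", RFC6238_SECRET, now, seen))
```

Two things the quoted one-liner leaves out and the code makes explicit: the server needs a skew window (here one step either side) or users with a drifting phone clock get locked out, and it needs to remember accepted counters, otherwise a code sniffed from an unencrypted PAP exchange is good for the rest of its 30 seconds.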
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 11:40 pm

Serious question, I'm not kidding:
Aside from preventing that if someone gets the exact right credentials, on the first try they can log into the router,

what is two-factor authentication for?

If we were talking about hardware 2FA token devices (e.g. RSA SecurID), it was a check that you physically held something. Since they are semi-tamper-resistant and cannot be backed up/copied, if lost/missing you really are screwed; that adds quite a bit of a layer from 2FA. When you just switch to another app like Google Authenticator (or Authy or whatever TOTP-enabled app) on the same device that may have your password saved in the keychain/browser... I'm not sure that adds the same level of security... so not all 2FA is the same. Does User Manager add something with TOTP... sure. How much, harder to quantify.
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 11:55 pm

Serious question, I'm not kidding:
Aside from preventing that if someone gets the exact right credentials, on the first try they can log into the router,

what is two-factor authentication for?

If we were talking about hardware 2FA token devices (e.g. RSA SecurID), it was a check that you physically held something. Since they are semi-tamper-resistant and cannot be backed up/copied, if lost/missing you really are screwed; that adds quite a bit of a layer from 2FA. When you just switch to another app like Google Authenticator (or Authy or whatever TOTP-enabled app) on the same device that may have your password saved in the keychain/browser... I'm not sure that adds the same level of security... so not all 2FA is the same. Does User Manager add something with TOTP... sure. How much, harder to quantify.
For various factor combinations the term is MFA if multiple factors are involved; 2FA is part of the MFA scope.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik 2 Factor authentication

Wed Mar 22, 2023 11:56 pm

@Amm0
Excuse me, but I was sincerely asking about another practical use, apart from the above, not about the technology to use,
because I can't think of anything else...

@optio
please do not quote everything or it turns into one mess :?:
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Mikrotik 2 Factor authentication

Thu Mar 23, 2023 12:04 am

I'm old, but you're right, MFA is the modern term. But I'm surprised they even have 2 on MikroTik.

Also, I suppose if one drank the Cloudflare Kool-Aid, you could run the various ports through their app firewall. Cloudflare lets you apply various "MFA" in front of it. But I'm waiting for the ATP to try that approach ;).
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Mikrotik 2 Factor authentication

Thu Mar 23, 2023 12:26 am

@Amm0
Excuse me, but I was sincerely asking about another practical use, apart from the above, not about the technology to use,
because I can't think of anything else...
If you ignore the "dumb admin" case, sure, completely unneeded. But not everyone is smart. ;)

I have seen something like this, not with MikroTik, but the same use case I'd imagine. AcmeCorp buys a router from MT-Consultant. They don't want MT-Consultant to be able to log in remotely without AcmeCorp's authorization; e.g. it is their router, but they have an install/support contract. The consultant enables the RADIUS login when provisioning the router; AcmeCorp is given the TOTP key and has Google Authenticator once the router is deployed in production. If remote access is later required, AcmeCorp needs to provide MT-Consultant the TOTP key from an app to allow access. AcmeCorp does not have to know a thing about RouterOS. MT-Consultant knows the password but needs the 6-digit code from AcmeCorp for maintenance. Could MT-Consultant put a backdoor in? Sure... but AcmeCorp may also perform a security audit using a different consultant that may catch that.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Mikrotik 2 Factor authentication

Thu Mar 23, 2023 3:52 am

it could be some key-value storage unlocked by the logged-in user or the running script's user. Not exportable if not show-sensitive.
I've used a PPP secret to store API keys. Not great, but it works to avoid them being in an export without show-sensitive. See:
viewtopic.php?t=183527&hilit=secret

But I totally agree better support for persisting secure (and "insecure") data from scripting would be useful.
 
DarkNate
Forum Veteran
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: Mikrotik 2 Factor authentication

Thu Mar 23, 2023 8:02 am

Hello, I want to authenticate WinBox or SSH with a second factor. The problem is with the password: MikroTik sends it as MS-CHAPv2, so it is hashed. The authenticator cannot recognize it and I get a blank password field. Is there any option to change MS-CHAPv2 to PAP, for example, or whatever?
What about dot1x? There are a few EAP methods there. Can I authorize that way?
What dumb request is this? Tell me how, how tf do you 2FA on Juniper or Cisco?
