
2-Factor Authentication (2FA)


xorinzor


rbjtech
9 hours ago, toddaniels said:

First time poster sticking my nose into this thread :)

Though I don't see MFA as a cure-all for emby's security woes (however minor they may be), I also have some concerns around exposing emby's web server directly on the net. My solution was to deploy what I call emby satellites for my daughters to connect to my emby server.

Raspberry pi using an ssh tunnel to allow their local network devices to connect to my emby. Secure (based on ssh keys), keeps my emby server safely behind my firewall, fast (ssh tunneling works well even on a pi 3b+). Also saves me the trouble of having to maintain servers for each of their homes. They both use Rokus.

I'm experimenting with putting emby theater on a pi 4 and using the same tunnel to connect it to my house. Works well on a LAN, but some playback issues across the internet -- I'll get them figured out. FWIW, I also tunnel emby across an ipsec vpn (pfsense) to my beach house and play content directly from there to my smartcast/chromecast devices.

tod

 

A nice solution - effectively a VPN to your emby server - presumably you are just whitelisting the 'remote/VPN' traffic and blocking everything else. :)

If you have fixed end points, then I'm not convinced this tunnelling is strictly necessary vs an HTTPS connection (they are both encrypted and can both be firewalled) - but the VPN is going to also encrypt the entire channel of course, not just the content. For a portable solution, then yes, the VPN is the ultimate connection I agree. 👍

If you feel inclined, then maybe post a 'how to' guide for the more advanced network user who wants to connect remote clients but doesn't want to open up their server to the open internet.


toddaniels
1 hour ago, rbjtech said:

A nice solution - effectively a VPN to your emby server - presumably you are just whitelisting the 'remote/VPN' traffic and blocking everything else. :)

If you have fixed end points, then I'm not convinced this tunnelling is strictly necessary vs an HTTPS connection (they are both encrypted and can both be firewalled) - but the VPN is going to also encrypt the entire channel of course, not just the content. For a portable solution, then yes, the VPN is the ultimate connection I agree. 👍

If you feel inclined, then maybe post a 'how to' guide for the more advanced network user who wants to connect remote clients but doesn't want to open up their server to the open internet.

Yes. The only inbound port open to my home network is tcp/22 (pfsense firewall). My home server endpoint is not technically fixed (though it does tend to stay at the same address for months to years before changing) so I check it every 10 minutes and update accordingly using the godaddy API only when it changes. I posted a how-to for that piece on Instructables a few years ago, https://www.instructables.com/Quick-and-Dirty-Dynamic-DNS-Using-GoDaddy/.

My concern is less of traffic hijacking or snooping and more of exploits targeted at the emby web server itself. Admittedly, I don't know if emby (linux) leverages an existing http/s server or if the guys rolled their own. Either way, however, I'm highly comfortable exposing openssh to the world if it is secured with ssh keys (absolutely no passwords!!) because it is tested every single day by millions of servers all over the world. The fact that my traffic is encrypted is just a bonus.

I'll put together a quick guide and post. I even made an emby listener that will respond to emby request broadcasts (iPhone app, et al.) to save the user the trouble of having to know/type the ip address of the local endpoint. Some of this is still in development, but the concept works and has been rock solid for roku. Also included a reverse tunnel so I can maintain the satellite when needed without having to config the remote router to allow inbound ssh -- makes for super secure maintenance.

To bring this back around to the original post, MFA is really targeted at securing the data from weak passwords, not protecting against exploits. IMHO, exploits are a much MUCH bigger threat than someone guessing a password and using an otherwise legitimate channel to grab my content.

  • Like 3

Painkiller8818
1 hour ago, toddaniels said:

The only inbound port open to my home network is tcp/22 (pfsense firewall)

but having SSH open isn't a good idea, don't you think? Most attacks happen on that port.


toddaniels
13 minutes ago, Painkiller8818 said:

but having SSH open isn't a good idea, don't you think? Most attacks happen on that port.

You're right, most attacks do happen on 22 along with 80 and 443 (and 3389 too). But attacks on 22 are limited to dictionary and brute force. To my knowledge, there are no exploits for 22 and if there were, they get patched almost immediately (citation needed!). My ssh server will not accept a password, only a key. For most attackers, this means the port closes as soon as they open it. If you're super-paranoid, you can further secure ssh by limiting which inbound ip addresses can connect or by moving it to another port (personally, I don't think this does anything because a port scanner will identify it in seconds). But at a minimum, enforce keys only with no passwords.

80 and 443, on the other hand, have been exploited continually by attacking weaknesses in the underlying software. I remember when you couldn't put a Windows IIS server directly on the internet because it would be exploited in hours -- sometimes minutes. The attackers would exploit code problems (buffer/memory overflows) that would give them access to the server (and back in the day, servers sometimes ran with more privileges than they needed). So, my concern is that by exposing the emby web server, you expose any potential code weaknesses.

Back to the original topic, if my choices are expose 8290 and/or 8096 (emby web server) with whatever code weaknesses may exist versus exposing 22 with key security and tunneling traffic, I'll roll the dice with ssh any day. And MFA, while awesome for protecting data, is not useful for protecting against underlying weaknesses/exploits.

  • Like 2

metsuke
9 hours ago, toddaniels said:

To bring this back around to the original post, MFA is really targeted at securing the data from weak passwords, not protecting against exploits. IMHO, exploits are a much MUCH bigger threat than someone guessing a password and using an otherwise legitimate channel to grab my content.

Although MFA does protect against weak passwords, it doesn't matter how great your password is if you have used it in another compromised site. Passwords are simply insufficient all around no matter the complexity.

It is not generally about the content either, but gaining access to the network. Often for most networks the line between WAN and LAN is the greatest point of defense, but if someone is able to get in past that point, then they can get to other more important resources.


  • 6 months later...
embyzone

Plex just got breached and all their users have to update passwords and logout from all devices

Could we please get 2FA to our admin accounts?

Please! 😉

 


chef
On 2/19/2022 at 6:37 AM, toddaniels said:

Yes. The only inbound port open to my home network is tcp/22 (pfsense firewall). My home server endpoint is not technically fixed (though it does tend to stay at the same address for months to years before changing) so I check it every 10 minutes and update accordingly using the godaddy API only when it changes. I posted a how-to for that piece on Instructables a few years ago, https://www.instructables.com/Quick-and-Dirty-Dynamic-DNS-Using-GoDaddy/.

My concern is less of traffic hijacking or snooping and more of exploits targeted at the emby web server itself. Admittedly, I don't know if emby (linux) leverages an existing http/s server or if the guys rolled their own. Either way, however, I'm highly comfortable exposing openssh to the world if it is secured with ssh keys (absolutely no passwords!!) because it is tested every single day by millions of servers all over the world. The fact that my traffic is encrypted is just a bonus.

I'll put together a quick guide and post. I even made an emby listener that will respond to emby request broadcasts (iPhone app, et al.) to save the user the trouble of having to know/type the ip address of the local endpoint. Some of this is still in development, but the concept works and has been rock solid for roku. Also included a reverse tunnel so I can maintain the satellite when needed without having to config the remote router to allow inbound ssh -- makes for super secure maintenance.

To bring this back around to the original post, MFA is really targeted at securing the data from weak passwords, not protecting against exploits. IMHO, exploits are a much MUCH bigger threat than someone guessing a password and using an otherwise legitimate channel to grab my content.

Cool, this is close to what I do on my setup to handle my DDNS. I also check every ten minutes and update my GoDaddy account using their API accordingly.

I also wrote a plugin a while ago that blocks an IP, for 30 seconds, after so many failed login attempts with emby. Sort of a 'fail-2-ban-wannabe' just for emby. 😁

Edited by chef
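One way to implement the lockout chef describes, as an added example that is not chef's plugin or Emby code: a sliding-window counter of failed logins per source address, replayed over constructed log lines. The line format is made up for the demo (Emby's own log format differs), and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

MAX_FAILURES = 3     # failures allowed inside WINDOW_SECONDS before a block (assumed)
WINDOW_SECONDS = 60  # sliding window over which failures are counted (assumed)
BLOCK_SECONDS = 30   # how long an offending IP is rejected (the post's 30 s)

class LoginGuard:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, block=BLOCK_SECONDS):
        self.max_failures, self.window, self.block = max_failures, window, block
        self._failures = defaultdict(deque)  # ip -> recent failure times (a NAT shares one key)
        self._blocked_until = {}             # ip -> epoch seconds when the block ends

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is not None and now < until:
            return True
        self._blocked_until.pop(ip, None)    # expired or never blocked: forget it
        return False

    def record(self, ip, success, now):
        """Feed one attempt; return True if the IP is blocked at this moment."""
        if self.is_blocked(ip, now):
            return True                      # rejected even if the password is right
        if success:
            self._failures.pop(ip, None)     # a real login clears the counter
            return False
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures outside the window
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.block
            recent.clear()
            return True
        return False

def parse_line(line):
    """Parse one constructed 'ISO-timestamp RESULT ip user' line into fields."""
    ts, result, ip, user = line.split()
    epoch = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
    return epoch, result == "OK", ip, user

def replay(lines, guard=None):
    """Return one (ip, user, verdict) per line; verdict is allowed/rejected/blocked."""
    guard = guard or LoginGuard()
    out = []
    for line in lines:
        now, ok, ip, user = parse_line(line)
        blocked = guard.record(ip, ok, now)
        out.append((ip, user, "blocked" if blocked else "allowed" if ok else "rejected"))
    return out

SAMPLE_LOG = [  # constructed sample lines, not real Emby log output
    "2022-02-19T06:00:00 FAIL 203.0.113.9 admin",
    "2022-02-19T06:00:05 FAIL 203.0.113.9 admin",
    "2022-02-19T06:00:10 FAIL 203.0.113.9 admin",   # third failure: block for 30 s
    "2022-02-19T06:00:15 OK 203.0.113.9 admin",     # right password, still blocked
    "2022-02-19T06:00:20 OK 198.51.100.4 alice",    # other address is unaffected
    "2022-02-19T06:00:45 OK 203.0.113.9 admin",     # block expired at :40, allowed
]
```

Because the key is the source address, everyone behind the same NAT is locked out together, which is the usual trade-off of this kind of guard.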

FlatScreen
3 hours ago, embyzone said:

Plex just got breached and all their users have to update passwords and logout from all devices

Could we please get 2FA to our admin accounts?

Please! 😉

 

@Luke Sh*t just got real. Requesting Emby devs to please speed up 2FA implementation.

Edited by HSEmbyBox
  • Haha 1

ebr
4 hours ago, embyzone said:

Plex just got breached and all their users have to update passwords and logout from all devices

Could we please get 2FA to our admin accounts?

Please! 😉

 

Hi. I don't feel their situation has much bearing on this request as we do not have a central repository of all Emby users like the other guys. YOU control your users. Any 2FA to your own server instance would only serve to protect those users on your server.

We do have optional Emby Connect but that is completely optional and easily managed by you.

Now, this request is still valid but the exposure for our system is nothing like it is for theirs.

  • Agree 4

embyzone
43 minutes ago, ebr said:

Hi. I don't feel their situation has much bearing on this request as we do not have a central repository of all Emby users like the other guys. YOU control your users. Any 2FA to your own server instance would only serve to protect those users on your server.

We do have optional Emby Connect but that is completely optional and easily managed by you.

Now, this request is still valid but the exposure for our system is nothing like it is for theirs.

My Nextcloud server is only managed by me, and so are a lot of other hosted web servers, which all have 2FA….

No, it's not the same, but security, or lack of security, is common to all IT solutions and always worth taking into serious consideration.


And, just as another point of information - the other guys already have 2FA but that did not stop this attack apparently.

This is still a good request. I just don't think it is any kind of "Holy Grail" to any real exposure here since Emby users are spread out among all different Emby instances, rather than a central repository.

  • Like 2
  • Agree 1

embyzone

I don’t think I have written anything about a holy grail? I really think you're reading it wrong?

Actually, your argument strengthens the request for 2FA for Emby, since it would be so much better than the Plex 2FA - since Emby is locally managed and doesn’t have any centrally managed user DB.

  • Agree 1

chef

Is it just admin/manager logins to the dashboard that warrants 2fa?

Or is the expectation any client accessing media on the server?

Or maybe it's user with delete rights to media items?

If it's just accessing the dashboard from admin accounts through a browser... you could write a redirect in a JavaScript file that monitors authentication events for admin users through the API... Maybe... 🤔

Then redirect them to a page with a text input, while on the backend sending a token to an email address (or cell phone txt message) with a four digit code, which is also saved to a configuration.

If the text input pin matches the configuration (and the credentials are authentic), redirect the page again to the dashboard, otherwise send 404, or 500 responses to the browser. 

Or even blacklist the IP.

Maybe some kind of mutation observer in the JavaScript file that stops the initial button click on the sign in page (which authenticates) and handles the redirect...

But...an ApiClient can't really be created without authentication... So that is a thing...

I'm just spit-ballin' ideas, and it doesn't mean much. 

 

The server login has some good backend authentication logic, and for personal servers, I can't really see hacker groups targeting you as an individual.

Plex had all their user base 'hackable', and they are a big media service.

I don't think individual media servers have much to worry about... Famous last words maybe...

Edited by chef
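The backend half of the pin-code idea above, as an added example that is neither chef's nor Emby's code: it issues a short-lived code after the primary login succeeds, compares it in constant time, allows a fixed number of wrong guesses, and accepts each code only once. Delivery (email or SMS) is a callback you supply, stubbed with a dict here; the code length follows the post, and the TTL and attempt limit are assumptions.

```python
import hmac
import secrets
import time

CODE_DIGITS = 4         # as in the post; only 10**4 codes, so guesses must be capped
CODE_TTL_SECONDS = 300  # assumed: a code not used within five minutes is discarded
MAX_ATTEMPTS = 3        # assumed: wrong guesses allowed before the challenge is voided

class SecondFactor:
    def __init__(self, send, clock=time.time):
        self._send = send      # callable(user, code): email/SMS delivery, supplied by caller
        self._clock = clock    # injectable so expiry can be tested without sleeping
        self._pending = {}     # user -> [code, expires_at, attempts_left]

    def challenge(self, user):
        """Issue a fresh code after primary auth succeeded; replaces any older one."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send(user, code)

    def verify(self, user, submitted):
        """True only for the live code; every wrong guess burns one attempt."""
        entry = self._pending.get(user)
        if entry is None:
            return False                      # no challenge outstanding for this user
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]           # expired codes are never accepted
            return False
        if hmac.compare_digest(code, str(submitted)):
            del self._pending[user]           # single use: replaying the code fails
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[user]           # too many guesses: a new challenge is needed
        return False

def demo():
    """One login: a wrong guess, then the delivered code, then a replay of it."""
    delivered = {}                            # stands in for the user's inbox
    sf = SecondFactor(send=delivered.__setitem__, clock=lambda: 1000.0)
    sf.challenge("admin")
    code = delivered["admin"]
    wrong = sf.verify("admin", "0000" if code != "0000" else "0001")
    right = sf.verify("admin", code)
    replayed = sf.verify("admin", code)
    return wrong, right, replayed             # (False, True, False)
```

The attempt cap is what makes a four-digit code workable: without it, a client can walk the whole space in a few thousand requests, and the IP lockout chef mentions would be the only thing standing in the way.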

adrianwi

I host the following services from my home server:

Service         2FA
Nextcloud       Yes
emby            No
Bitwarden       Yes
WordPress       Yes
Onlyoffice      Yes
Calibre         No
Limesurvey      Yes
Mattermost      Yes
MediaWiki       Yes
Home Assistant  Yes

This is long overdue on emby and really should be a priority now.

  • Agree 1
  • Thanks 1

ertagon2
4 hours ago, adrianwi said:

I host the following services from my home server:

Service         2FA
Nextcloud       Yes
emby            No
Bitwarden       Yes
WordPress       Yes
Onlyoffice      Yes
Calibre         No
Limesurvey      Yes
Mattermost      Yes
MediaWiki       Yes
Home Assistant  Yes

This is long overdue on emby and really should be a priority now.

Hey this is quite useful, I might set up some of these as well.
NextCloud is long overdue for me.

No music streaming tho?


adrianwi

I tend to use Plex for that, although I do have an Airsonic service running which I missed! That doesn't have 2FA, so it appears to be a 'media' server trend 😃


  • 2 weeks later...
Dreakon13

Just for conversation's sake, since I'm interested in this feature (if it were to happen someday) but am not knowledgeable on it in this context, only using it for more non-self-hosted, cloud-based services... would each user on my Emby server have their own 2FA, or would it be specifically for Emby Connect or something? Would I be able to have it that some users require it and some users don't (i.e. a user with administrative/management access does, a regular user doesn't)? If so... would that be the appropriate way to use it, or would leaving regular user accounts alone be a security risk?

I don't mind 2FA for my own administrative login, but I wouldn't want to subject my family to installing authentication apps on their smartphones. It's hard enough to get them in without that lol.

Edited by Dreakon13
  • Like 1

Painkiller8818
51 minutes ago, Dreakon13 said:

Just for conversation's sake, since I'm interested in this feature (if it were to happen someday) but am not knowledgeable on it in this context, only using it for more non-self-hosted, cloud-based services... would each user on my Emby server have their own 2FA, or would it be specifically for Emby Connect or something? Would I be able to have it that some users require it and some users don't (i.e. a user with administrative/management access does, a regular user doesn't)? If so... would that be the appropriate way to use it, or would leaving regular user accounts alone be a security risk?

I don't mind 2FA for my own administrative login, but I wouldn't want to subject my family to installing authentication apps on their smartphones. It's hard enough to get them in without that lol.

MFA is, as for every service, user based, so every user can decide to enable or disable it; we just want to have an option to enable it for specific accounts.

  • Like 1

  • 2 weeks later...
FlatScreen

Is there any estimate or ETA to this feature or are we just gonna debate on the pros and cons of it?
(this topic is open for discussion since January 2018)

  • Agree 1

  • 1 month later...
Przemek

Hello @cayars, I want to use 2FA for me and my users. It works so that anyone who has once logged in to Emby from a device will no longer be asked for credentials and 2FA codes. (I share emby with family members and I want to force them to start using 2FA because they add passwords like `1234pass` :)

I'm learning now how to add 2FA with a self-hosted Authentik server for my apps. It's a great solution and it has Jellyfin integration. If that is an Emby fork, it should be easy to add Emby to that project too, I think.

Can you just read about that and tell me how it looks in your opinion:

https://goauthentik.io/integrations/services/jellyfin/


2 minutes ago, Przemek said:

Hello @cayars, I want to use 2FA for me and my users. It works so that anyone who has once logged in to Emby from a device will no longer be asked for credentials and 2FA codes. (I share emby with family members and I want to force them to start using 2FA because they add passwords like `1234pass` :)

I'm learning now how to add 2FA with a self-hosted Authentik server for my apps. It's a great solution and it has Jellyfin integration. If that is an Emby fork, it should be easy to add Emby to that project too, I think.

Can you just read about that and tell me how it looks in your opinion:

https://goauthentik.io/integrations/services/jellyfin/

You might be able to do the same with our LDAP plugin.


6 hours ago, Przemek said:

Can you just read about that and tell me how it looks in your opinion:

https://goauthentik.io/integrations/services/jellyfin/

It really can't work the way normal 2FA should work because it has no integration with any Emby clients or Emby Server for that matter. Because of that you could potentially get some really screwy error messages on clients when a client can't log in or change a password.

If you set Emby Server (for each user) to not allow password changes then that eliminates one part of the problem. Almost all sources of user administration that support LDAP will allow the admin to configure password properties which can enforce 8 or greater characters, use of a number, a special symbol and a capital letter. Typically, when using LDAP user information, another system on the network is used to manage this. On Windows platforms for example this is usually done via Windows Active Directory, used to manage the company's forests and domains.

If you are going to provide several different apps to your users (i.e. NextCloud, database access, file or storage, Emby, etc.) then hooking all these apps up via LDAP makes sense.
