Jump to content

2-Factor Authentication (2FA)


xorinzor

Recommended Posts

9 hours ago, toddaniels said:

First time poster sticking my nose into this thread :)

Though I don't see MFA as a cure-all for emby's security woes (however minor they may be), I also have some concerns around exposing emby's web server directly on the net. My solution was to deploy what I call emby satellites for my daughters to connect to my emby server.

Raspberry pi using an ssh tunnel to allow their local network devices to connect to my emby. Secure (based on ssh keys), keeps my emby server safely behind my firewall, fast (ssh tunneling works well even on a pi 3b+). Also saves me the trouble of having to maintain servers for each of their homes. They both use Rokus.

I'm experimenting with putting emby theater on a pi 4 and using the same tunnel to connect it to my house. Works well on a LAN, but some playback issues across the internet -- I'll get them figured out. FWIW, I also tunnel emby across an ipsec vpn (pfsense) to my beach house and play content directly from there to my smartcast/chromecast devices.

tod

 

A nice solution - effectively a VPN to your emby server - presumably you are just whitelisting the 'remote/VPN' traffic and blocking everything else. :)

If you have fixed end points, then I'm not convinced this tunnelling is strictly necessary vs a HTTPS connection (they are both encrypted and can both be firewalled) - but the VPN is going to also encrypt the entire channel of course, not just the content.  For a portable solution, then yes, the VPN is the ultimate connection I agree. 👍

If you feel inclined, then maybe post a 'how to' guide for the more advanced network user who wants to connect remote clients but doesn't want to open up their server to the open internet.

Link to comment
Share on other sites

toddaniels
1 hour ago, rbjtech said:

A nice solution - effectively a VPN to your emby server - presumably you are just whitelisting the 'remote/VPN' traffic and blocking everything else. :)

If you have fixed end points, then I'm not convinced this tunnelling is strictly necessary vs a HTTPS connection (they are both encrypted and can both be firewalled) - but the VPN is going to also encrypt the entire channel of course, not just the content.  For a portable solution, then yes, the VPN is the ultimate connection I agree. 👍

If you feel inclined, then maybe post a 'how to' guide for the more advanced network user who wants to connect remote clients but doesn't want to open up their server to the open internet.

Yes. The only inbound port open to my home network is tcp/22 (pfsense firewall). My home server endpoint is not technically fixed (though it does tend to stay at the same address for months to years before changing) so I check it every 10 minutes and update accordingly using the godaddy API only when it changes. I posted a how-to for that piece on Instructables a few years ago, https://www.instructables.com/Quick-and-Dirty-Dynamic-DNS-Using-GoDaddy/.

My concern is less of traffic hijacking or snooping and more of exploits targeted at the emby web server itself. Admittedly, I don't know if emby (linux) leverages an existing http/s server or if the guys rolled their own. Either way, however, I'm highly comfortable exposing openssh to the world if it is secured with ssh keys (absolutely no passwords!!) because it is tested every single day by millions of servers all over the world. The fact that my traffic is encrypted is just a bonus.

I'll put together a quick guide and post. I even made an emby listener that will respond to emby request broadcasts (iPhone app, et al.) to save the user the trouble of having to know/type the ip address of the local endpoint. Some of this is still in development, but the concept works and has been rock solid for roku. Also included a reverse tunnel so I can maintain the satellite when needed without having to config the remote router to allow inbound ssh -- makes for super secure maintenance.

To bring this back around to the original post, MFA is really targeted at securing the data from weak passwords, not protecting against exploits. IMHO, exploits are a much MUCH bigger threat than someone guessing a password and using an otherwise legitimate channel to grab my content.

  • Like 2
Link to comment
Share on other sites

Painkiller8818
1 hour ago, toddaniels said:

The only inbound port open to my home network is tcp/22 (pfsense firewall)

but having SSH open isn't a good idea don't you think? Most attacks happens on that port.

Link to comment
Share on other sites

toddaniels
13 minutes ago, Painkiller8818 said:

but having SSH open isn't a good idea don't you think? Most attacks happens on that port.

You're right, most attacks do happen on 22 along with 80 and 443 (and 3389 too). But attacks on 22 are limited to dictionary and brute force. To my knowledge, there are no exploits for 22 and if there were, they get patched almost immediately (citation needed!). My ssh server will not accept a password, only a key. For most attackers, this means the port closes as soon as they open it. If you're super-paranoid, you can further secure ssh by limiting which inbound ip addresses can connect or by moving it to another port (personally, I don't think this does anything because a port scanner will identify it in seconds). But at a minimum, enforce keys only with no passwords.

80 and 443, on the other hand, have been exploited continually by attacking weakness in the underlying software. I remember when you couldn't put a Windows IIS server directly on the internet because it would be exploited in hours -- sometimes minutes. The attackers would exploit code problems (buffer/memory overflows) that would give them access to the server (and back in day, server sometimes ran with more privileges than it needed). So, my concern is that by exposing the emby web server, you expose any potential code weaknesses.

Back to the original topic, if my choices are expose 8290 and/or 8096 (emby web server) with whatever code weaknesses may exist versus exposing 22 with key security and tunneling traffic, I'll roll the dice with ssh any day. And MFA, while awesome for protecting data, is not useful for protecting against underlying weaknesses/exploits.

  • Like 2
Link to comment
Share on other sites

9 hours ago, toddaniels said:

To bring this back around to the original post, MFA is really targeted at securing the data from weak passwords, not protecting against exploits. IMHO, exploits are a much MUCH bigger threat than someone guessing a password and using an otherwise legitimate channel to grab my content.

Although MFA does protect against weak passwords, it doesn't matter how great your password is if you have used it in another compromised site. Passwords are simply insufficient all around no matter the complexity.

It is not generally about the content either, but gaining access to the network. Often for most networks the line between WAN and LAN is the greatest point of defense, but if someone is able to get in past that point, then they can get to other more important resources.

Link to comment
Share on other sites

  • 6 months later...
HSEmbyBox

I can see this feature request is open since 2018. Any progress on this so far?

Link to comment
Share on other sites

embyzone

Plex just got breached and all their users have to update passwords and logout from all devices

Could we please get 2FA to our admin accounts?

Please! 😉

 

Link to comment
Share on other sites

On 2/19/2022 at 6:37 AM, toddaniels said:

Yes. The only inbound port open to my home network is tcp/22 (pfsense firewall). My home server endpoint is not technically fixed (though it does tend to stay at the same address for months to years before changing) so I check it every 10 minutes and update accordingly using the godaddy API only when it changes. I posted a how-to for that piece on Instructables a few years ago, https://www.instructables.com/Quick-and-Dirty-Dynamic-DNS-Using-GoDaddy/.

My concern is less of traffic hijacking or snooping and more of exploits targeted at the emby web server itself. Admittedly, I don't know if emby (linux) leverages an existing http/s server or if the guys rolled their own. Either way, however, I'm highly comfortable exposing openssh to the world if it is secured with ssh keys (absolutely no passwords!!) because it is tested every single day by millions of servers all over the world. The fact that my traffic is encrypted is just a bonus.

I'll put together a quick guide and post. I even made an emby listener that will respond to emby request broadcasts (iPhone app, et al.) to save the user the trouble of having to know/type the ip address of the local endpoint. Some of this is still in development, but the concept works and has been rock solid for roku. Also included a reverse tunnel so I can maintain the satellite when needed without having to config the remote router to allow inbound ssh -- makes for super secure maintenance.

To bring this back around to the original post, MFA is really targeted at securing the data from weak passwords, not protecting against exploits. IMHO, exploits are a much MUCH bigger threat than someone guessing a password and using an otherwise legitimate channel to grab my content.

Cool, this is close to what I do on my setup to handle my Ddns. I also check every ten minutes and update my GoDaddy account using their API accordingly.

I also wrote a plugin a while ago that blocks an IP, for 30 seconds, after so many failed login attempts with emby. Sort of a 'fail-2-ban-wannabe' just for emby. 😁

Edited by chef
Link to comment
Share on other sites

HSEmbyBox
3 hours ago, embyzone said:

Plex just got breached and all their users have to update passwords and logout from all devices

Could we please get 2FA to our admin accounts?

Please! 😉

 

@LukeSh*t just got real. Requesting Emby devs to please speed up 2FA implementation.

Edited by HSEmbyBox
  • Haha 1
Link to comment
Share on other sites

4 hours ago, embyzone said:

Plex just got breached and all their users have to update passwords and logout from all devices

Could we please get 2FA to our admin accounts?

Please! 😉

 

Hi.  I don't feel their situation has much bearing on this request as we do not have a central repository of all Emby users like the other guys.  YOU control your users.  Any 2FA to your own server instance would only serve to protect those users on your server.

We do have optional Emby Connect but that is completely optional and easily managed by you.

Now, this request is still valid but the exposure for our system is nothing like it is for theirs.

  • Agree 4
Link to comment
Share on other sites

embyzone
43 minutes ago, ebr said:

Hi.  I don't feel their situation has much bearing on this request as we do not have a central repository of all Emby users like the other guys.  YOU control your users.  Any 2FA to your own server instance would only serve to protect those users on your server.

We do have optional Emby Connect but that is completely optional and easily managed by you.

Now, this request is still valid but the exposure for our system is nothing like it is for theirs.

My Nextcloud server is only managed by me, so is allot of other hosted web servers who all have 2FA….

No it not the same but security or lack of security is common to all IT solutions and always worth taking into seriously consideration

Link to comment
Share on other sites

And, just as another point of information - the other guys already have 2FA but that did not stop this attack apparently.

This is still a good request.  I just don't think it is any kind of "Holy Grail" to any real exposure here since Emby users are spread out among all different Emby instances, rather than a central repository.

  • Like 2
  • Agree 1
Link to comment
Share on other sites

embyzone

I don’t think I have written anything about a holy grail? I really think your reading it wrong?  

Actually your argument actually strengthen the request for 2FA for Emby since it would be so much better than the Plex 2FA - since Emby is locally managed And doesn’t have any central managed user DB

  • Agree 1
Link to comment
Share on other sites

Is it just admin/manager logins to the dashboard that warrants 2fa?

Or is the expectation any client accessing media on the server?

Or maybe it's user with delete rights to media items?

If it's just accessing the dashboard from admin accounts through a browser... you could write a redirect in a JavaScript file that monitors authentication events for admin users through the API... Maybe... 🤔

Then redirect them to a page with a text input, while on the backend sending a token to an email address (or cell phone txt message) with a four digit code, which is also saved to a configuration.

If the text input pin matches the configuration (and the credentials are authentic), redirect the page again to the dashboard, otherwise send 404, or 500 responses to the browser. 

Or even blacklist the IP.

Maybe some kind of mutation observer in the JavaScript file that stops the initial button click on the sign in page (which authenticates) and handles the redirect...

But...an ApiClient can't really be created without authentication... So that is a thing...

I'm just spit-ballin' ideas, and it doesn't mean much. 

 

The server login has some good backend authentication logic, and for personal servers, I can't really see hacker groups targeting you as an individual.

Plex had all their user base 'hackable', and they are a big media service.

I dont think individual media servers have much to worry about... Famous last words maybe...

Edited by chef
Link to comment
Share on other sites

adrianwi

I host the following services from my home server:

Service 2FA
Nextcloud Yes
emby No
Bitwarden Yes
WordPress Yes
Onlyoffice Yes
Calibre No
Limesurvey Yes
Mattermost Yes
MediaWiki Yes
Home Assistant Yes
   

This is long overdue on emby and really should be a priority now.

  • Agree 1
  • Thanks 1
Link to comment
Share on other sites

ertagon2
4 hours ago, adrianwi said:

I host the following services from my home server:

Service 2FA
Nextcloud Yes
emby No
Bitwarden Yes
WordPress Yes
Onlyoffice Yes
Calibre No
Limesurvey Yes
Mattermost Yes
MediaWiki Yes
Home Assistant Yes
   

This is long overdue on emby and really should be a priority now.

Hey this is quite useful, I might set up some of these as well.
NextCloud is long overdue for me.

No music streaming tho?

Link to comment
Share on other sites

adrianwi

I tend to use Plex for that, although I do have an Airsonic service running which I missed!  That doesn't have 2FA, so it appears to be a 'media' server trend 😃 

Link to comment
Share on other sites

  • 2 weeks later...
Dreakon13

Just for conversation sake, since I'm interested in this feature (if it were to happen someday) but am not knowledgeable on it in this context only using it for more non-self hosted, cloud based services... would each user on my Emby server have their own 2FA, or would it be specifically for Emby Connect or something?  Would I be able to have it that some users require it and some users don't (ie. a user with administrative/management access does, a regular user doesn't)?  If so... would that be the appropriate way to use it, or would leaving regular user accounts alone be a security risk?

I don't mind 2FA for my own administrative login, but I wouldn't want to subject my family to installing authentication apps on their smartphones.  It's hard enough to get them in without that lol.

Edited by Dreakon13
  • Like 1
Link to comment
Share on other sites

Painkiller8818
51 minutes ago, Dreakon13 said:

Just for conversation sake, since I'm interested in this feature (if it were to happen someday) but am not knowledgeable on it in this context only using it for more non-self hosted, cloud based services... would each user on my Emby server have their own 2FA, or would it be specifically for Emby Connect or something?  Would I be able to have it that some users require it and some users don't (ie. a user with administrative/management access does, a regular user doesn't)?  If so... would that be the appropriate way to use it, or would leaving regular user accounts alone be a security risk?

I don't mind 2FA for my own administrative login, but I wouldn't want to subject my family to installing authentication apps on their smartphones.  It's hard enough to get them in without that lol.

MFA is as for every Service user based so every user can decide to enable or disable it, we just want to have an option to enable it for specific accounts.

  • Like 1
Link to comment
Share on other sites

  • 2 weeks later...

Is there any estimate or ETA to this feature or are we just gonna debate on the pros and cons of it?
(this topic is open for discussion since January 2018)

  • Agree 1
Link to comment
Share on other sites

  • 1 month later...

Hello @cayars I want to use 2FA for me and my users. It works that, anyone who once login to Emby from device will be no longer ask to put credentials and 2FA codes. (I share emby with family members and I want to force on them to start using 2FA because they add passwords like `1234pass` :)

I'm learning now how to add 2FA with selfhosted Authentik server for my apps. It's great solution and it has Jellyfin integration. If that is Emby fork it should be easy to add also Emby to that project I think.

Can You just read about that and tell how it looks in Your opinion:

https://goauthentik.io/integrations/services/jellyfin/

Link to comment
Share on other sites

2 minutes ago, Przemek said:

Hello @cayars I want to use 2FA for me and my users. It works that, anyone who once login to Emby from device will be no longer ask to put credentials and 2FA codes. (I share emby with family members and I want to force on them to start using 2FA because they add passwords like `1234pass` :)

I'm learning now how to add 2FA with selfhosted Authentik server for my apps. It's great solution and it has Jellyfin integration. If that is Emby fork it should be easy to add also Emby to that project I think.

Can You just read about that and tell how it looks in Your opinion:

https://goauthentik.io/integrations/services/jellyfin/

You might be able to do the same with our LDAP plugin.

Link to comment
Share on other sites

6 hours ago, Przemek said:

Can You just read about that and tell how it looks in Your opinion:

https://goauthentik.io/integrations/services/jellyfin/

It really can't work the way normal 2FA should work because it has no integration with any Emby Clients or Emby Server for that matter.  Because of that you could potentially get some really screwy error message on clients when a client can't login on change a password.

If you set Emby Server (for each user) to not allow password changes then that eliminates one part of the problem.  Almost all sources of user administration that support LDAP will allow the Admin to configure password properties which can enforce 8 or greater characters, use of a number, special system and a capital letter.  Typically, when using LDAP user information  another system on the network is used to manage this.  On Windows platforms for example this is usually done via Windows Active Directory used to manage the company's forests and domains.

If you are going to provide several different apps to your users (ie NextCloud, database access, File or Storage, Emby, etc) then hooking all these apps up via LDAP makes sense.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...