Closed D4V3M0NK closed 4 years ago
MeshCentral Router (The Windows application) should support 2FA except for FIDO2 USB keys. It should prompt for the login token when needed.
MeshCmd (The command line tool) supports it, but you have to add "--token 123456".
Let me know if that is what you see, and what your setup is. Thanks.
@Ylianst, if I'm using an actionfile, should the token be added into the actionfile as an additional field (1), or appended to the meshcmd as a parameter (2)?
remoteServer.txt:

    {
      "action": "route",
      "localPort": 6001,
      ...
      "token": 123456,
      "serverUrl": "wss://mc2.example.org:443/meshrelay.ashx"
    }

and then initiated with the token included in the actionfile:

    meshcmd --actionfile remoteServer.txt

remoteServer.txt:

    {
      "action": "route",
      "localPort": 6001,
      ...
      "serverUrl": "wss://mc2.example.org:443/meshrelay.ashx"
    }

but then initiated with the additional parameter on the command line:

    meshcmd --actionfile remoteServer.txt --token 123456
I'm not sure this is working as expected, at least in the Linux version of the router. I've tried multiple times (using both options above) and I never connect to my test server. As soon as I disable MFA in MC2, everything pops right back up again as expected.
What's interesting (to me at least): I'm checking my remote device for an HTTP connection and my browser just waits for a response. As soon as I terminate my router process locally (that sets up the mapping) the browser immediately returns a "refused to connect" error ... so it appears that something is working...?
When I check on MC2, events are posted to the device - although I'm pretty sure these are the connections when I disable MFA, when enabled nothing appears to get posted.
Both my workstation and the remote device are running Linux, if that helps.
MC2 0.5.52 (and meshcmd from the same server)
Hmmm ... so, all of a sudden things are working. I think it's because when I'm enabling/disabling MFA on MC2, I wasn't logging out. When that happens, things work. So all in all, I'm going to close this and I'll re-open if I need to.
Sorry for the monologue ... working alone in an office today and sometimes it's helpful to put things down on (digital) paper and share with others...
... and for those who are interested, I'm using Option 2 (as above) as it makes little sense having the token embedded into the file, considering it's going to change every 30 - 60 seconds.
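The reasoning in the comment above, as an added example that is not part of the thread or of MeshCentral's code: assuming the 2FA code is a standard RFC 6238 TOTP with a 30-second step, a code saved in the action file differs from the live one as soon as the next step begins, so the hypothetical helper `meshcmd_argv` rejects a stored `token` field and builds the `--token` command line instead. The secret and the trimmed action file are constructed sample data.

```python
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def meshcmd_argv(actionfile_text: str, actionfile_path: str, token: str) -> list:
    """Hypothetical helper: build the command line with the code as a parameter.

    Rejects an action file that carries a stored "token" field, because a
    code written to disk no longer matches once the time step rolls over.
    """
    action = json.loads(actionfile_text)
    if "token" in action:
        raise ValueError('remove "token" from the action file; pass it with --token')
    # The code stays a string so that a leading zero is not lost.
    if not (len(token) == 6 and token.isascii() and token.isdigit()):
        raise ValueError("expected a 6-digit code")
    return ["meshcmd", "--actionfile", actionfile_path, "--token", token]


# Constructed sample data: the RFC 6238 test secret and a trimmed action file.
SECRET = b"12345678901234567890"
ACTIONFILE = ('{"action": "route", "localPort": 6001, '
              '"serverUrl": "wss://mc2.example.org:443/meshrelay.ashx"}')

if __name__ == "__main__":
    saved = totp(SECRET, 59)    # code copied into a file at t = 59 s
    current = totp(SECRET, 60)  # one second later the next 30 s step has begun
    print("saved:", saved, "current:", current, "match:", saved == current)
    print(meshcmd_argv(ACTIONFILE, "remoteServer.txt", current))
```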
It would appear that when the MC2 server has 2FA enabled, you're unable to use the MeshCentral Router as (I would imagine) authentication fails because there's no setting within the meshaction.txt file for the 2FA token (it appears this functionality is included in Mesh Control). Can I respectfully request a similar ability for MCR please?