conan-io / conan

Conan - The open-source C and C++ package manager
https://conan.io
MIT License

[Question] How to use two factor authentication (2FA) like Google Authenticator with Conan? #4266

Closed Aalmann closed 3 weeks ago

Aalmann commented 5 years ago

Hi @memsharded and @lasote ,

I have a question concerning 2FA with conan. Especially in enterprise environments, two-factor authentication is often used to secure access to various applications (like JIRA, Artifactory, etc.). I didn't find any information about 2FA@conan.

Are there any experiences with Google Authenticator or similar applications (Microsoft Authenticator, FreeOTP, Keepass/KeyOTP, etc.) and how to use them with conan? If not, is there any feature planned?

Thanks in advance. Best Aalmann

uilianries commented 5 years ago

Hi @Aalmann!

Conan supports custom authentications: https://docs.conan.io/en/latest/uploading_packages/running_your_server.html#authentication

I've created a plugin for LDAP (as example): https://github.com/uilianries/conan-ldap-authentication

I think implementing a plugin for OAuth won't be complicated, based on my past work using google-auth-oauthlib. It uses requests-oauthlib to authenticate, so your plugin could check the token generated by the OAuth server.

According to Artifactory's docs, it has support for OAuth, but I don't know about 2FA.

memsharded commented 5 years ago

I am not sure if I understand the question. Are you talking about the conan_server? Because you comment you already have 2FA in Artifactory.

If anything, it would be similar to Github: https://help.github.com/articles/accessing-github-using-two-factor-authentication/#using-two-factor-authentication-with-the-command-line

Artifactory already has user tokens, I think they might be used as password from the client side too, but need to check.

Aalmann commented 5 years ago

No, not conan_server (and I think I didn't write it :smile:).

Our setup is:

So the question is: How to configure Conan client for using that setup.

lasote commented 5 years ago

I have no idea about it. But with Artifactory tokens, you can use the token like a password and Artifactory will accept it. So if with google auth code you can then get a token or something similar you might be able to use it.

uilianries commented 5 years ago

I think it is not so simple. For Google 2FA you will need to create a Google Dev account and a new application there to provide a QR code to be used with Google Authenticator, and of course, the Artifactory token will not work, because the token is based on the Google side.

This feature should be developed by the Artifactory team, where they could provide a QR code on the web interface to be added to the Google Authenticator app. So the temporary token provided by the app should be used for Conan authentication. However, in my experience, performing 2FA authentication over CI jobs could cause headaches for days.

But the question is, why do you need this? 2FA is really good for distributed applications that you can access around the world, like gmail, github, ... but Conan is a client and usually runs only in your company.

uilianries commented 5 years ago

Conan client installed via pip on user machine plus Google Authenticator as auth-token generator

Again, you will need to create a plugin with all the Google stuff. Fortunately, Google has a good Python API and a big community to help. You will need to execute some steps in your plugin:

Aalmann commented 5 years ago

@lasote So the workflow would be: Login via Browser to handle user/password and Google Auth, grab the Artifactory token and use it as password? Isn't each session (conan and browser) different and so a problem for (re-)using the token at command line?

@uilianries Why we need this: VPN connections and everything being only available in corporate networks/infrastructure was "yesterday" (... sounds weird 😃 ...). Today most of the/our collaboration services (JIRA, Confluence, Bitbucket, Artifactory, etc.) are available via the internet, to provide better partner and team integration. But to better secure the access, a second factor is required. Currently this 2FA setup in combination with Artifactory is in the planning/testing phase and I don't know the concrete implementation. But I want to be prepared and I want to be able to raise my hand if there is an issue with conan and the 2FA setup.

But what do you mean by creating a "plugin"? I don't know of any plugin mechanism in the conan client (only in the server). The only "extension points" I know are hooks and python requires, and only hooks may be useful for that (pre_download, pre_upload).

lasote commented 5 years ago

> @lasote So the workflow would be: Login via Browser to handle user/password and Google Auth, grab the Artifactory token and use it as password? Isn't each session (conan and browser) different and so a problem for (re-)using the token at command line?

I don't know if it makes sense. I would need an example of a client tool using Google Auth to login against a server. But eventually (irrespective of the authentication process with the server) you could get a token, so I thought that maybe it would be Artifactory responsibility to generate an access token for Conan. Once the token is created it will be valid until it expires, but from my perspective, it has nothing to do anymore with Google Auth. But again, I have no idea about this.

uilianries commented 5 years ago

I almost forgot about the VPN case, now your case is more clear. When I said "plugin", I actually meant docs.conan.io/en/latest/uploading_packages/running_your_server.html#authentication. It works like an extension, as you commented.

Aalmann commented 5 years ago

@uilianries But this is only available for conan_server and we don't use it. We use Artifactory.

@lasote Sadly I can't provide you such an example.

mariaolivero-RL commented 5 years ago

We're in the same boat. Have artifactory (ec2 instance in AWS), don't want vpn, need 2fa. Is that even possible?

uilianries commented 5 years ago

Artifactory provides OAuth authentication: https://www.jfrog.com/confluence/display/RTF/OAuth+Integration

I know it's not the same thing, but at least you can integrate with other services like Google. The problem that I see with using 2FA is providing an extra box to show a token.

memsharded commented 3 weeks ago

This has been closed by https://github.com/conan-io/conan/pull/16942, which adds users plugins for custom auth (conan won't provide the specific auth as built-in, just the plugin to allow users to provide their own).

It will be in next Conan 2.8, thanks for the feedback!