home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

Synology DSM Integration fails to setup - 2fa authentication required #124105

Open Daniel-dev22 opened 3 weeks ago

Daniel-dev22 commented 3 weeks ago

The problem

The Synology DSM integration fails to set up a new integration entry with: Failed to set up: reason: Two-step authentication required for account: homeassistant

It was thought that this would fix it however it didn't unfortunately for me. https://github.com/home-assistant/core/issues/110848#issuecomment-2286382116

I have tried restarting ha, and also checked the Synology logs and saw that all attempts were successful by the homeassistant user.

Synology information Model: DS220+ Software version: DSM 7.2.1-69057 Update 5

Synology logs

| Level | Category | Time | User | Event |
|---|---|---|---|---|
| Info | Connection | 08/17/2024 05:45:51 am | homeassistant | User [homeassistant] from [192.168.15.1] has successfully passed the first authentication of 2FA via [password] |
| Info | Connection | 08/17/2024 05:45:49 am | homeassistant | User [homeassistant] from [192.168.15.1] signed in to [DSM] successfully via [password]. |
| Info | Connection | 08/17/2024 05:45:46 am | homeassistant | User [homeassistant] from [192.168.15.1] has successfully passed the first authentication of 2FA via [password] |
| Info | Connection | 08/17/2024 05:45:01 am | homeassistant | User [homeassistant] from [192.168.15.1] has successfully passed the first authentication of 2FA via [password] |

Attached are the logs from the Synology integration and the synology_dsm library: synology 2fa logs.txt

What version of Home Assistant Core has the issue?

2024.8.2

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant Container

Integration causing the issue

synology_dsm

Link to integration documentation on our website

No response

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

Logs were posted above.

Additional information

No response

home-assistant[bot] commented 3 weeks ago

Hey there @hacf-fr, @quentame, @mib1185, mind taking a look at this issue as it has been labeled with an integration (synology_dsm) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of `synology_dsm` can trigger bot actions by commenting:

- `@home-assistant close` Closes the issue.
- `@home-assistant rename Awesome new title` Renames the issue.
- `@home-assistant reopen` Reopen the issue.
- `@home-assistant unassign synology_dsm` Removes the current integration label and assignees on the issue, add the integration domain after the command.
- `@home-assistant add-label needs-more-information` Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue.
- `@home-assistant remove-label needs-more-information` Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

(message by CodeOwnersMention)


synology_dsm documentation synology_dsm source (message by IssueLinks)

mib1185 commented 3 weeks ago

after analyzing the logs, I think the Adaptive Multi-Factor Authentication (Adaptive MFA) kicks in :thinking: Please check if you've adaptive MFA enabled, if yes disable it and test again, thx

Daniel-dev22 commented 3 weeks ago

> after analyzing the logs, I think the Adaptive Multi-Factor Authentication (Adaptive MFA) kicks in :thinking: Please check if you've adaptive MFA enabled, if yes disable it and test again, thx

Interesting I never thought of that.

I just disabled it but it still fails to setup a new integration.

mib1185 commented 3 weeks ago

mehhh :confused: the login process is as follows:

  1. when adding the nas to HA, first trying to login with username and password
  2. if 2fa is enabled, we will get a {'error': {'code': 403, 'errors': {'token': '***', 'types': [{'type': 'otp'}]}}, 'success': False} back from the nas
  3. now we ask for the OTP and try to login again with user+password and the OTP
  4. when successful, we get back the device_id and store it in HA (similar to "remember device" checkbox on login screen)
  5. if everything succeeds, we are done with setting up the Synology DSM integration in HA
  6. now we are starting the Synology DSM integration in HA
  7. we try to login with username, password and provide the device_id, which should identify HA as known/remembered device, thus skip 2fa and accept user+password as login

in your case the last step fails, since your NAS again returns with {'error': {'code': 403, 'errors': {'token': '***', 'types': [{'type': 'otp'}]}}, 'success': False}, which means your NAS does not trust the device_id anymore or the source ip 192.168.15.1

is 192.168.15.1 the IP of your HA instance?

Daniel-dev22 commented 3 weeks ago

> mehhh :confused: the login process is as follows:
>
>   1. when adding the nas to HA, first trying to login with username and password
>   2. if 2fa is enabled, we will get a {'error': {'code': 403, 'errors': {'token': '***', 'types': [{'type': 'otp'}]}}, 'success': False} back from the nas
>   3. now we ask for the OTP and try to login again with user+password and the OTP
>   4. when successful, we get back the device_id and store it in HA (similar to "remember device" checkbox on login screen)
>   5. if everything succeeds, we are done with setting up the Synology DSM integration in HA
>   6. now we are starting the Synology DSM integration in HA
>   7. we try to login with username, password and provide the device_id, which should identify HA as known/remembered device, thus skip 2fa and accept user+password as login
>
> in your case the last step fails, since your NAS again returns with {'error': {'code': 403, 'errors': {'token': '***', 'types': [{'type': 'otp'}]}}, 'success': False}, which means your NAS does not trust the device_id anymore or the source ip 192.168.15.1
>
> is 192.168.15.1 the IP of your HA instance?

I was checking the logs of trusted devices and ips and I didn't see anything as blocked.

I'm using traefik on DSM so all traffic goes through traefik, whose docker bridge network gateway IP is 192.168.15.1. Because traefik is using the host gateway to talk to DSM, that's why it's showing up as the source being the bridge gateway IP.

What I can do is turn the traefik access log on and get additional insights potentially into the requests being made to Synology/from home assistant and replies.

Explaining the workflow was helpful as now I can try to do more digging to see where this is falling apart.

This setup worked before with traefik with the same nas at some point it stopped after an update or restart not sure so I deleted the integration thinking it would help to re-add but it didn't.

Interestingly it also doesn't work even if I have home assistant go direct to Synology IP and bypass traefik. So that's why I never went down the troubleshooting hole on the traefik side. I made sure not to check verify cert and I got the same 2fa error going direct to Synologyip:5001

mib1185 commented 3 weeks ago

> I'm using traefik on DSM so all traffic goes through traefik, whose docker bridge network gateway IP is 192.168.15.1. Because traefik is using the host gateway to talk to DSM, that's why it's showing up as the source being the bridge gateway IP.

this sounds to be an advanced network configuration, which not only touches layer 3/4, but also up to layer 6 :thinking: did you add 192.168.15.1 to the list of trusted proxies in the nas?

> Interestingly it also doesn't work even if I have home assistant go direct to Synology IP and bypass traefik.

did you delete the integration in HA first, so the stored device_id gets removed from HA?

> I made sure not to check verify cert and I got the same 2fa error going direct to Synologyip:5001

please provide new debug logs with this scenario (direct connection between HA and the nas)

Daniel-dev22 commented 3 weeks ago

> > I'm using traefik on DSM so all traffic goes through traefik, whose docker bridge network gateway IP is 192.168.15.1. Because traefik is using the host gateway to talk to DSM, that's why it's showing up as the source being the bridge gateway IP.
>
> this sounds to be an advanced network configuration, which not only touches layer 3/4, but also up to layer 6 🤔 did you add 192.168.15.1 to the list of trusted proxies in the nas?
>
> > Interestingly it also doesn't work even if I have home assistant go direct to Synology IP and bypass traefik.
>
> did you delete the integration in HA first, so the stored device_id gets removed from HA?
>
> > I made sure not to check verify cert and I got the same 2fa error going direct to Synologyip:5001
>
> please provide new debug logs with this scenario (direct connection between HA and the nas)

It is in the list of trusted proxies and yes I deleted the HA integration completely.

Here are the logs of direct to Synology from home assistant.

| Level | Category | Time | User | Event |
|---|---|---|---|---|
| Info | Connection | 08/17/2024 09:40:44 am | homeassistant | User [homeassistant] from [192.168.4.62] has successfully passed the first authentication of 2FA via [password] |
| Info | Connection | 08/17/2024 09:40:42 am | homeassistant | User [homeassistant] from [192.168.4.62] signed in to [DSM] successfully via [password]. |
| Info | Connection | 08/17/2024 09:40:40 am | homeassistant | User [homeassistant] from [192.168.4.62] has successfully passed the first authentication of 2FA via [password] |
| Info | Connection | 08/17/2024 09:40:10 am | homeassistant | User [homeassistant] from [192.168.4.62] has successfully passed the first authentication of 2FA via [password] |
| Info | Connection | 08/17/2024 09:40:08 am | homeassistant | User [homeassistant] from [192.168.4.62] signed in to [DSM] successfully via [password]. |
| Info | Connection | 08/17/2024 09:40:05 am | homeassistant | User [homeassistant] from [192.168.4.62] has successfully passed the first authentication of 2FA via [password] |

Log file from HA: Synology 2fa log direct ip.txt

mib1185 commented 3 weeks ago

The log of the nas says, login successful:

| Level | Category | Time | User | Event |
|---|---|---|---|---|
| Info | Connection | 08/17/2024 09:40:10 am | homeassistant | User [homeassistant] from [192.168.4.62] has successfully passed the first authentication of 2FA via [password] |

but the nas responds with "otp needed"

2024-08-17 09:40:09.894 DEBUG (MainThread) [synology_dsm.synology_dsm] API: SYNO.API.Auth
2024-08-17 09:40:09.894 DEBUG (MainThread) [synology_dsm.synology_dsm] Request Method: GET
2024-08-17 09:40:10.243 DEBUG (MainThread) [synology_dsm.synology_dsm] Request url: https://192.168.4.197:5001/webapi/entry.cgi?account=*********&passwd=*********&enable_device_token=yes&device_name=ubuntu&device_id=*********&api=SYNO.API.Auth&version=7&method=login
2024-08-17 09:40:10.243 DEBUG (MainThread) [synology_dsm.synology_dsm] Response status_code: 200
2024-08-17 09:40:10.243 DEBUG (MainThread) [synology_dsm.synology_dsm] Response headers: {'Date': 'Sat, 17 Aug 2024 13:40:10 GMT', 'Content-Type': 'application/json; charset="UTF-8"', 'Transfer-Encoding': 'chunked', 'Connection': 'keep-alive', 'Keep-Alive': 'timeout=20', 'Vary': 'Accept-Encoding', 'X-Content-Type-Options': 'nosniff', 'X-XSS-Protection': '1; mode=block', 'Cache-Control': 'max-age=0, no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Encoding': 'gzip'}
2024-08-17 09:40:10.245 DEBUG (MainThread) [synology_dsm.synology_dsm] Successful returned data
2024-08-17 09:40:10.245 DEBUG (MainThread) [synology_dsm.synology_dsm] RESPONSE: {'error': {'code': 403, 'errors': {'token': '*****', 'types': [{'type': 'otp'}]}}, 'success': False}

i don't have any explanation for this and for now i'm on the track, that there is something wrong with the nas itself. But i'm not a Synology support engineer, so i don't know how to analyse this deeper on the nas

> This setup worked before with traefik with the same nas at some point it stopped after an update or restart not sure so I deleted the integration thinking it would help to re-add but it didn't.

maybe an update of the nas or some component of it causes this issue or any other 3rd party installed app on the nas. You can try to install another HA instance with an older version and check if the issue is still there. But as long as we do not know, what was the last working HA core version, i'm unable to check for differences in the code. As far as I can say for now, the code in HA works as expected, but the nas seems to not trust the device_id

Daniel-dev22 commented 3 weeks ago

Thank you for the quick responses. I'm going to keep digging and potentially open a Synology ticket. I do recall in previous issues with Synology people had the same 2fa error and unfortunately their solution that worked for them was disabling 2fa for the user which isn't ideal so I will keep digging and post any updates here.

Thanks again!

mib1185 commented 3 weeks ago

i've removed the needs-more-information tag, so this issue keeps open longer and added the "problem in device" to mark it properly for now

Daniel-dev22 commented 3 weeks ago

> i've removed the needs-more-information tag, so this issue keeps open longer and added the "problem in device" to mark it properly for now

@mib1185

I'm wondering if it's not Synology that's the issue here.

I used this command I saw used in a previous 2fa Synology issue in this repo and it was successful. Logs on Synology looked the same with the way it logs successful login. So this works but not the integration? What does the integration do that's different?

```
curl 'https://synology.domain.com/webapi/entry.cgi?api=SYNO.API.Auth&version=7&method=login&account=homeassistant&passwd=<password>&otp_code=<otp>&enable_device_token=yes&device_name=postman&format=sid'
{"data":{"account":"homeassistant","device_id":"hMEGQkK2ewXVqTTYsVRiJybrqcIxOHHrhQnupxvRFunzCj9aMJusSVSm01CHZvlY0gBOgGMVXYBF0DN8RDkZ5A","ik_message":"","is_portal_port":false,"sid":"s13AHMIcChWHH4GAahKOx2J4xk-KlMP1NSil-6S_BzIdepaXc5gCNuQuiu__zXppZzi8MYrgDHQ_fOXO-VtFl0","synotoken":"--------"},"success":true}
```

mib1185 commented 3 weeks ago

with `curl 'https://synology.domain.com/webapi/entry.cgi?api=SYNO.API.Auth&version=7&method=login&account=homeassistant&passwd=<password>&otp_code=<otp>&enable_device_token=yes&device_name=postman&format=sid'` you're using the OTP to pass the 2fa, which would mean to enter a valid OTP each time you restart HA or the Synology integration - to avoid this, we use the returned device_id (same as you would check the "remember device" on login via UI) so the nas will remember HA as a trusted device and with providing the device_id during login (e.g. restart HA) the 2fa is fulfilled

Daniel-dev22 commented 3 weeks ago

> with `curl 'https://synology.domain.com/webapi/entry.cgi?api=SYNO.API.Auth&version=7&method=login&account=homeassistant&passwd=<password>&otp_code=<otp>&enable_device_token=yes&device_name=postman&format=sid'` you're using the OTP to pass the 2fa, which would mean to enter a valid OTP each time you restart HA or the Synology integration - to avoid this, we use the returned device_id (same as you would check the "remember device" on login via UI) so the nas will remember HA as a trusted device and with providing the device_id during login (e.g. restart HA) the 2fa is fulfilled

I think all the API calls are in the debug logs? I'll try to call them 1 by 1 and see if I get anything different compared to ha.

Daniel-dev22 commented 3 weeks ago

I realized this was the issue all along.

On the security page:

"Allow users on web browsers to skip 2-factor authentication by trusting devices"

Once I enabled that it worked. Could be good to note for the next time someone runs into this lol.

mib1185 commented 3 weeks ago

Where did you find this option? Maybe we can add a note to our docs and point to some official synology documentation 🤔

Daniel-dev22 commented 3 weeks ago

> Where did you find this option? Maybe we can add a note to our docs and point to some official synology documentation 🤔

The option is here.

Control Panel -> Security, under Login Settings, right above Trusted Proxies.

mib1185 commented 3 weeks ago

could you show me a screenshot or better a link to official Synology docs about this? Or, best of all, do you mind adding a proper note to the synology_dsm documentation? 🙂