Managing access to FreeNAS WebUI

Status: Not open for further replies.

Heracles (Wizard, joined Feb 2, 2018, 1,401 messages)
Hi,

Like many here, I would like to control access to the FreeNAS WebUI using RADIUS. For me, it is because my two-factor authentication is based on a RADIUS server. My pfSense firewalls use it, and so does my RoadWarrior VPN.

From the research I did, remote access to the FreeNAS WebUI is still limited to the local root account, and although there were plans to change that as far back as FreeNAS 10, it is still a work in progress and has been pushed to FreeNAS 12 because doing it would represent a major change in the WebUI.

So here are the few options I found / designed for myself as a workaround for that reality. Maybe some of these will help the FreeNAS designers develop a better solution for what is a really important security control.

1 - Password Manager

There are password manager services designed for this situation. The password manager is a web service that holds all the passwords and is able to change those passwords by itself. Whenever someone needs access, he goes to the password manager, authenticates to that password manager first, and once authenticated and authorized, the password manager presents him with the password to copy-and-paste into the desired service, like the FreeNAS WebUI. After a short delay or a logout, the password manager automatically changes the password to another random one.

Including such a web password management service would allow keeping the FreeNAS WebUI root-only, allow traceability of who logged in and who did what, offer an easy way to revoke someone's privileges, avoid password sharing / reuse, etc.

2 - SSH tunnelling

That one was talked about in the forum: SSH into the box and tunnel to the WebUI, which is running only on 127.0.0.1 or is blocked by an external packet filter. A typical Unix hack, but not very comfortable for many.

3 - SSL Client certificate

Here, my FreeNAS is protected by a pfSense firewall on which I enabled HAProxy and do my certificate management. I am using HAProxy to require and check SSL certificates from clients before forwarding the socket to FreeNAS. HAProxy requires a certificate from my internal CA and also checks the CN of these certificates, so only a few are allowed. I also check the local CRLs to ensure the certificate has not been revoked since. This can be done in SSL-accelerator mode, where HAProxy does the SSL part and sends clear text to the backend, saving CPU load on that backend. Of course, the socket can also be re-encrypted, and for that, HAProxy can also check the certificate presented by the FreeNAS server.

Considering FreeNAS also offers certificate management, such a control could be done locally. The WebUI is still root-only and people share the password, but by requiring an SSL client certificate, the security feature people are looking for is available. Installing an SSL client certificate in a browser is also much easier to do and use than SSH tunnelling and SSH key management.

4 - VPN

When compared to the SSL client option, this one is more complicated for not that great a plus. With the example in point No. 3, the server enforces certificate pinning, so it cannot be fooled by a rogue certificate. To fool the server requires stealing one valid client certificate and doing a man-in-the-middle attack. With a VPN, it is easier to do certificate pinning on both ends, so even that would not work. Still, I consider the security offered by option 3 to be enough and much easier to deploy when compared to a VPN. But still, a VPN is a solution that could be enforced on FreeNAS without touching the WebUI.

So these are a few options to offer user access to the current FreeNAS WebUI without needing to re-invent the wheel. The FreeNAS WebUI remains local-root only, but access is managed and secured in a much better and more granular way.

EDIT: By using a solution based on SSL client certificates and HAProxy, it is also possible to filter which URLs are accessible to each certificate. By controlling the URLs, this approach may have the potential to create roles with specific functions, like managing shares but not disks, snapshots, users, etc.
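For readers who want to see what option 3 and the EDIT above look like in practice, here is an added HAProxy configuration (example code written for this thread, not the original poster's configuration and not part of FreeNAS or pfSense). It terminates TLS, requires a client certificate chaining to an internal CA, rejects certificates listed in the CA's CRL, allows only two certificate CNs, restricts one of those CNs to sharing-related URLs, passes the CN to the backend for traceability, and re-encrypts to the NAS while pinning the NAS certificate to the same CA and hostname. The file paths, the 192.0.2.10 address, the hostname freenas.example.lan, the CNs admin-laptop and share-operator, and the URL prefixes used for the "shares only" role are all assumptions; the URL prefixes in particular must be taken from whatever the WebUI version in use actually requests.

```haproxy
# Added example, not from the original post. Every path, address, CN and
# URL prefix below is an assumed placeholder; adapt to the real deployment.

global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend freenas_ui
    # Terminate TLS here. "verify required" makes the handshake fail unless the
    # client presents a certificate that chains to internal-ca.pem and is not
    # listed in internal-ca.crl, so unauthenticated clients never reach HTTP.
    bind :443 ssl crt /etc/haproxy/certs/freenas-ui.pem ca-file /etc/haproxy/certs/internal-ca.pem crl-file /etc/haproxy/certs/internal-ca.crl verify required

    # Whitelist of client certificate CNs (assumed names).
    acl cn_admin  ssl_c_s_dn(CN) -m str admin-laptop
    acl cn_shares ssl_c_s_dn(CN) -m str share-operator

    # Role "shares only": URL prefixes this CN may use (assumed prefixes).
    acl path_shares path_beg /ui/sharing /api/v2.0/sharing

    # Anyone whose CN is not on the list is refused even though the
    # certificate itself was valid.
    http-request deny deny_status 403 unless cn_admin or cn_shares

    # The share operator is refused outside the sharing pages.
    http-request deny deny_status 403 if cn_shares !path_shares

    # Pass the CN to the backend and record it in the access log, so "who did
    # what" is traceable even though the WebUI login is still root.
    http-request set-header X-Client-CN %[ssl_c_s_dn(CN)]
    http-request capture ssl_c_s_dn(CN) len 64

    default_backend freenas_ui

backend freenas_ui
    # Re-encrypt towards the NAS and pin its server certificate to the same
    # internal CA and expected hostname, so the proxy cannot be redirected to
    # a rogue server certificate either.
    server freenas 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem verifyhost freenas.example.lan
```

Two points worth keeping in mind with this layout. First, the CRL file is read when HAProxy loads its configuration, so a revocation only takes effect after the CRL on the proxy has been refreshed and HAProxy reloaded; a certificate revoked an hour ago is still accepted until then. Second, the URL-based "roles" are only as fine-grained as the WebUI's URL space: if several functions are driven through one API endpoint or one websocket, path rules cannot tell them apart, so the per-function role idea from the EDIT depends on how the UI version in use maps functions to distinct URLs.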

Hope this will inspire a few people towards a built-in solution in FreeNAS...

Heracles