actualwitch a day ago

I am surprised (hardware-token-based) LuCI 2FA is not on the list; I would think it is table stakes at this point.

evoke4908 a day ago | parent | next

Why would you want 2FA on your router? You really should never expose the management interface to the WAN; it should be locked down to only your local network.

If you for some reason absolutely need to manage it remotely, that's why we have VPNs and SSH keys.

actualwitch a day ago | parent [-]

So that an infected TV/IoT device doesn't brute-force your router's admin account. I know you could set it up so it stops listening on 0.0.0.0, and a firewall exists, but having 2FA on the web UI and removing SSH should bring good-enough security without much hassle.

nine_k a day ago | parent [-]

Why remove SSH from the LAN? Brute-forcing a cert-based login is unrealistic, and passwords should of course be disabled. You can add a passphrase to your SSH key to make it useless when stolen.

What am I missing?

actualwitch 20 hours ago | parent [-]

Yes, what you describe (or storing the SSH key on a YubiKey) would be a more secure setup. I like the web UI though, so having that be available from any device, including a phone, in a reasonably secure way would be great IMO. You can do pretty much anything via uci, so when using the web UI I see no reason to leave SSH running.

throw846742 a day ago | parent | prev | next

I just wanted to say - about the same time you commented on Hacker News, I commented on the OpenWrt forum about this feature :)

https://forum.openwrt.org/t/community-question-what-do-you-w...

actualwitch a day ago | parent [-]

Ooh, nice! It's great to hear.

champtar a day ago | parent | prev

U2F and WebAuthn require HTTPS (https://developer.mozilla.org/en-US/docs/Web/API/Web_Authent...); I don't know if it accepts self-signed certs and IPs instead of an FQDN. Also, the auth is locked to the host, so if you use IPs, changing the IP means you need to remove 2FA first and re-enroll after. IMO just using a 60+ character password stored in your password manager + moving the admin access to a separate VLAN is simpler and enough.

actualwitch 20 hours ago | parent [-]

Completely forgot that localhost is a special case for secure contexts... Yeah, that would either just not work at all or require some tomfoolery with dynamic subdomains, which I would not be comfortable with. TOTP would be the go-to then, I think. I agree about a separate VLAN though; I have a dedicated port without internet that can only talk to the web UI for this reason.

champtar 18 hours ago | parent [-]

Well, TOTP needs proper time sync, and most routers don't have a battery in them.

actualwitch 7 hours ago | parent [-]

I haven't commonly experienced issues that would cause my router to lose access to NTP for extended periods of time, and in such cases you can just reset using the physical button. Of course, TOTP should be optional to use, so I am not too worried.