If you believe that your home server’s remote website needs a whole extra layer of security, then Graham Murray’s new add-in, TwoFactor WHS, is for you!
TwoFactor WHS works with a hardware authentication dongle called a Yubikey, which slots into your USB port and provides a unique authentication code each time it is inserted in a computer.
TwoFactor WHS works by modifying the remote access logon page for the WHS site to contain an additional textbox that takes a one-time password (OTP) from the token. It also adds code to the page so that, when the submit button is clicked, the OTP is first validated against a Yubikey validation server; if that validation fails, the normal password, which is on its way to WHS's password handling, is shredded and becomes unusable.
There is a risk that this add-in may cause problems with other add-ins which require use of Windows Home Server’s remote website – Graham has specific instructions for installing and configuring the add-in to reduce the chance of these issues occurring:
Usage
Important: If you use other add-ins that modify the logon.aspx page of the remote website, then this add-in may interfere with their state and function. TwoFactor WHS is designed in such a way so as to minimize the probability of bad interactions in this regard, but caution is recommended.
- Before configuring the add-in to work on your WHS you must retrieve an api key from yubico (unless you are running your own yubikey validation server) at https://api.yubico.com/get-api-key. You will be furnished with an app ID and app Key. You will enter these when configuring TwoFactor WHS.
- Copy the downloaded msi into the add-ins folder in your WHS share (usually \\server_name\Software\Add-Ins)
- Open the WHS console, and on the add-ins settings tab, select install for TwoFactor WHS
- The console will reset.
- Now you can open the settings tab and navigate to the Tab for TwoFactor WHS
- If you are using a non default validation server, change the url for the api.
- Enter the app id you obtained.
- Enter the app key you obtained.
- Check the redirect checkbox.
- For each WHS user that will need to use the remote access site, determine their yubikey’s public id (the first 12 characters of the password it generates, the part that doesn’t change between uses) and then enter each on a line in the users textbox like so (the username and the public id are separated by a | (pipe) character):
  - bob|ksjamakslaksi
  - jeff|laisnskalmei
- Click OK.
- Now, when you log on to the remote access site, you should be prompted to enter a one-time password.
- If you want to revert, reopen the TwoFactor WHS tab, uncheck the redirect checkbox, and then click OK.
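To make the two checks the add-in relies on concrete, here is an added Python example (not the add-in's own code) of the logic a logon handler would run before it lets the WHS password through: it parses the `username|publicid` lines from the users textbox, extracts the public id from a submitted OTP, and verifies the HMAC-SHA1 signature on a Yubico validation-protocol v2.0 response with the app key. The OTP, app key, nonce and response body below are constructed for the example; the helper names are the example's own.

```python
import base64
import hashlib
import hmac

MODHEX = set("cbdefghijklnrtuv")  # Yubikey OTPs are written in modhex


def parse_user_map(text):
    """Parse 'username|publicid' lines, the format of the add-in's users textbox."""
    users = {}
    for line in text.splitlines():
        if "|" in line:
            name, pub = line.strip().split("|", 1)
            users[name.strip()] = pub.strip().lower()
    return users


def public_id(otp):
    """First 12 modhex chars of a 44-char OTP identify the key; the rest changes per use."""
    otp = otp.strip().lower()
    if len(otp) != 44 or not set(otp) <= MODHEX:
        return None  # malformed OTP: reject before contacting the validation server
    return otp[:12]


def sign(params, api_key_b64):
    """HMAC-SHA1 over the alphabetically sorted k=v pairs, excluding h (protocol v2.0)."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def build_verify_query(app_id, api_key_b64, otp, nonce):
    """Query parameters for wsapi/2.0/verify, signed so the server can check them."""
    params = {"id": str(app_id), "otp": otp, "nonce": nonce}
    params["h"] = sign(params, api_key_b64)
    return params


def parse_response(body):
    return dict(line.split("=", 1) for line in body.strip().splitlines() if "=" in line)


def decide_login(username, otp, response_body, users, api_key_b64, nonce):
    """True only if every check passes; the caller forwards the WHS password only then."""
    pub = public_id(otp)
    if pub is None or users.get(username) != pub:
        return False  # valid-looking OTP from a key not bound to this user is still a failure
    r = parse_response(response_body)
    if r.get("h") != sign(r, api_key_b64):
        return False  # response not signed with our app key: cannot be trusted
    if r.get("otp") != otp or r.get("nonce") != nonce:
        return False  # response belongs to a different request (replay or mix-up)
    return r.get("status") == "OK"
```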
Whilst the use of a hardware token may seem to be overkill for home usage, I can see small businesses finding this add-in really useful. Check it out at TwoFactor WHS’ project page.
26. May 2009 at 12:23 pm
For $25 per Yubico key I love the idea for my personal WHS!
26. May 2009 at 7:18 pm
Am I missing something? Wouldn't you get even tighter security by just setting up a VPN? That way you would browse as if local and even the traffic would be secure, not just the log in.
28. May 2009 at 3:42 am
How cool would this be if it also could use grc.com’s Perfect Paper Passwords?
Also, cheaper.
Anyway, this looks like a great solution, gmurray.
26. May 2009 at 7:49 pm
VPN has additional infrastructure requirements, a client on the client, a server on the server. This solution allows you to access your content from a public terminal if need be, and doesn't require you to install any VPN server or client software. In fact, the reason why I put this together was so that I could feel comfortable accessing my home server from public or semi-trusted terminals.
26. May 2009 at 7:49 pm
Plus on the VPN server front, if you are installing that kind of software on your WHS aren't you risking running afoul of the WHS abstraction? I like everything I put on my WHS to be plugin based, and specifically tested against the WHS variant of 2003, so as to not risk fouling up my WHS's state.
As far as encryption goes, you are already getting this if you are using the https website for your WHS (as you should be). WHS remote access is pretty much designed to be VPN lite, so using an actual vpn tunnel seems like the overkill to me. That being said, if I'm accessing whs from a public or semi-trusted terminal, I want a stronger authentication model than just a password (hence this add-in).
This may seem like overkill to most, but I think internet users need to get serious about strong authentication or we will never kiss attacks like phishing or key-logging good bye.
28. May 2009 at 3:45 pm
Yeah, I'm looking into integrating with a PPP solution, and maybe some phone based software tokens. I'm investigating different PPP implementations when I have time.
28. May 2009 at 3:47 pm
I really actually quite like my Yubikey though, and it's very inexpensive comparatively (although not compared to paper), so I would encourage people to look at them if they haven't before.