Two-factor authentication with Fail2Ban and HubZilla behind SSO

  
!Hubzilla Support Forum
#HubZilla #fail2ban #twoFactorAuthentication #YunoHost #SSO
1. Can we implement two-factor authentication and fail2ban on HubZilla? Has anyone tried it?
2. YunoHost has the option to keep apps and pages behind SSO. If I keep HubZilla behind SSO, that will completely restrict HubZilla from the outer world. Which domains or sub-paths do I need to bypass SSO for, so that HubZilla can talk to other hubs and the federation while being behind SSO?
  
I'd second Mike's advice, even if there are paths that can be protected behind ssowat without major problems: /network, /connections, /mail etc.
It's really not worth messing with access restrictions outside of hubzilla since it does that just fine already. You can already restrict access to everything for people who are not authenticated, and even to people not matching your security choices.
  
I should have explained my problem first rather than putting out my own solutions. I have ldapauth for 6 to 7 web applications (including HubZilla). I have a strong password, but now a few other users have joined my server. And whether I like it or not, they will have access to all these apps with ldapauth. And anyone can keep a weak password. So I want every app to have either fail2ban or two-way authentication, or to be behind SSO (as an extra layer of security, which has fail2ban already). Two-way authentication is an optional feature in the apps, so it's not a sure solution. So I have started to apply fail2ban for apps where it can be applied, and for other apps I am keeping the login page behind the SSO restriction (people have to log in twice with the same authentication to get to the app, but the security is better than before).

For HubZilla I cannot put the login page behind SSO because it has the remote login on the login page. So I am thinking of a way to make security stronger for HubZilla.
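Applying fail2ban to an application, as the post above describes doing for the other apps, comes down to two pieces: a failregex that pulls the client address out of the app's failed-login log lines, and the jail's maxretry/findtime counting that turns repeated matches into a ban. The following Python is an added example, not code from this thread, from Hubzilla or from fail2ban: it runs both pieces over a handful of constructed log lines. The log format, the regex and the function names are assumptions for illustration (Hubzilla's own log lines look different, so a real filter would be written against what it actually emits); the equivalent fail2ban filter stanza is shown in a comment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical application-log format.
# This is NOT Hubzilla's real log format; a real filter is written against
# whatever the application actually emits on a failed login.
SAMPLE_LOG = """\
2024-05-01T10:00:01+00:00 auth: failed login for user 'alice' from 203.0.113.5
2024-05-01T10:00:03+00:00 auth: failed login for user 'alice' from 203.0.113.5
2024-05-01T10:00:04+00:00 auth: successful login for user 'bob' from 198.51.100.7
2024-05-01T10:00:05+00:00 auth: failed login for user 'admin' from 203.0.113.5
2024-05-01T10:00:06+00:00 auth: failed login for user 'root' from 203.0.113.5
2024-05-01T10:00:07+00:00 auth: failed login for user 'alice' from 203.0.113.5
2024-05-01T10:00:09+00:00 auth: failed login for user 'carol' from 198.51.100.7
2024-05-01T10:30:00+00:00 auth: failed login for user 'carol' from 198.51.100.7
2024-05-01T11:00:00+00:00 auth: failed login for user 'carol' from 198.51.100.7
2024-05-01T11:30:00+00:00 auth: failed login for user 'carol' from 198.51.100.7
2024-05-01T12:00:00+00:00 auth: failed login for user 'carol' from 198.51.100.7
"""

# The same pattern written as a fail2ban filter (e.g. /etc/fail2ban/filter.d/myapp.conf)
# would read:
#   [Definition]
#   failregex = ^\S+ auth: failed login for user '[^']*' from <HOST>$
# fail2ban substitutes <HOST> with its own host/IP pattern; here it is a named group.
FAILREGEX = re.compile(
    r"^(?P<ts>\S+) auth: failed login for user '[^']*' from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_failures(log_text):
    """Return a list of (timestamp, ip) for every line matching the failure pattern.
    Lines that do not match (successful logins, unrelated messages) are ignored,
    exactly as fail2ban ignores lines its failregex does not match."""
    events = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("host")))
    return events


def ban_candidates(events, maxretry=5, findtime=600):
    """Mimic the jail's counting: an IP is banned once it reaches `maxretry`
    failures inside a sliding window of `findtime` seconds.
    Returns {ip: timestamp of the failure that triggered the ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in sorted(events):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in ban_candidates(parse_failures(SAMPLE_LOG)).items():
        print(f"ban {ip} (triggered at {when.isoformat()})")
```

With the defaults (maxretry 5, findtime 600 s) only 203.0.113.5 is banned: 198.51.100.7 also fails five times, but spread over two hours, so no window of ten minutes ever holds five of them. One check worth doing before enabling such a jail on a YunoHost box: when the application sits behind nginx or another reverse proxy, the address in the log must be the real client address and not the proxy's, or the ban lands on the proxy and locks everyone out.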
  
It's more complicated than that, because one can log in on any page. Several page modules (network is one) will display a login box inline if one tries to access them without being authenticated. The actual authentication is trapped at the system level before the router is invoked (which handles specific pages). And as we discovered a couple of days ago, you can apparently log in on the chess page and possibly bypass any Hubzilla security mechanisms.

The best ways forward may include one or more of:

1. Edit the ldapauth addon or create a new one that traps all local authentication and perhaps redirects to your SSO service.
2. Create a 2FA addon and link it to your chosen authentication addon.
3. In either case a password complexity checker might be useful.
4. Figure out what it would take to bring WebAuthn to your software(s) and help get rid of the entire username/password infrastructure.