[ZBX-24596] MFA not working
Created: 2024 Jun 05  Updated: 2025 Jul 05  Resolved: 2025 Jul 05

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 7.0.0
Fix Version/s: None
Type: Problem report
Priority: Critical
Reporter: Francesco Lavatelli
Assignee: Zabbix Development Team
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Description
Hi, I have upgraded Zabbix from 6.4 to 7. I have enabled MFA with TOTP and SHA256 and assigned MFA to a test group, but I'm not able to log in. I receive the screen with the QR code and scan it with several apps to generate TOTP codes, but I receive an error that the codes are not correct. Server time and client time are in sync with NTP. I have tried with several client devices and none are able to log in.
Comments
Comment by Alexey Pustovalov [ 2024 Jun 05 ]
Please try to use SHA-1 with a 6-digit code.
Comment by Francesco Lavatelli [ 2024 Jun 05 ]
I have tried all options: SHA1, SHA256 and SHA512 with 6 and 8 digits. None are working.
Comment by Alexey Pustovalov [ 2024 Jun 05 ]
Try to use Google Authenticator. For example, Microsoft Authenticator supports only SHA1 with 6-digit codes.
Comment by Kris Avi [ 2024 Jun 17 ]
I used SHA256, yet the server generated the key according to SHA1. One tool that supports only SHA1 generated the correct code, while the "Authy" app, which supports various configurations, gave a wrong code. It seems that the QR code contains the correct parameters and apps that are able to use them generate the code using those parameters, but the server doesn't follow its own set parameters and uses the default. Just wondering why you allow changing those parameters after creation? Do you add the parameters next to the keys when they are generated, or does it generate on the server side based on the key and a common set of parameters? That would invalidate all old codes if the parameters change. If you save the current parameters next to the key and use them to generate the key server-side, then it would make it possible to change parameters in a safe manner, but if the implementation is not that way, then it would be better to stop users from changing parameters, except the name, after the TOTP MFA method is created.
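The mismatch Kris Avi describes above, as an added illustration that is not part of this issue or of Zabbix's code: an authenticator app honours every parameter in the otpauth:// URI it scanned, while a server that silently falls back to SHA1 computes a different code from the same secret and rejects the login. The secret is the RFC 6238 Appendix B test key and the URI is constructed; `client_code` and `server_verify` are hypothetical helpers.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), base32-encoded as it would
# appear inside an otpauth:// URI. A stand-in for a real enrolment secret.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, counter, algorithm="SHA1", digits=6):
    """RFC 6238 TOTP: HOTP (RFC 4226) over a time-step counter with the given hash."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def parse_otpauth(uri):
    """Read secret/algorithm/digits/period from an otpauth://totp/... URI (the QR payload)."""
    q = parse_qs(urlparse(uri).query)
    return {"secret": q["secret"][0],
            "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
            "digits": int(q.get("digits", ["6"])[0]),
            "period": int(q.get("period", ["30"])[0])}

def client_code(uri, now):
    """What a conforming authenticator app shows: it honours every parameter in the QR code."""
    p = parse_otpauth(uri)
    return totp(p["secret"], int(now // p["period"]), p["algorithm"], p["digits"])

def server_verify(uri, code, now, server_algorithm=None, window=1):
    """Server-side check allowing +/-window steps of drift. server_algorithm, if set, overrides
    the algorithm the server itself advertised in the QR code, mimicking a server that ignores
    its configured TOTP parameters and falls back to the SHA1 default."""
    p = parse_otpauth(uri)
    algo = server_algorithm or p["algorithm"]
    counter = int(now // p["period"])
    return any(hmac.compare_digest(totp(p["secret"], counter + d, algo, p["digits"]), code)
               for d in range(-window, window + 1))

# Constructed enrolment URI: the server advertises SHA256 / 8 digits, as in the report.
DEMO_URI = ("otpauth://totp/Zabbix:demo?secret=" + RFC_SECRET_B32
            + "&issuer=Zabbix&algorithm=SHA256&digits=8&period=30")

if __name__ == "__main__":
    now = 59  # RFC 6238 vector time: with SHA1 and 8 digits the code here is 94287082
    code = client_code(DEMO_URI, now)
    print("app (SHA256):", code, "| server honours its params:", server_verify(DEMO_URI, code, now))
    print("server silently using SHA1:", server_verify(DEMO_URI, code, now, "SHA1"))
```

A safe fix on the server side is to store the algorithm, digits and period next to each enrolled secret and verify with those stored values, so later changes to the method's settings cannot break existing enrolments.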
Comment by Alex Kalimulin [ 2024 Jun 19 ]
kris.avi, thanks for your suggestion. Currently, Zabbix warns about the consequences of changing TOTP parameters with the following message:
Btw, Authy is known for returning wrong codes for unsupported modes.
Comment by Kris Avi [ 2024 Jun 20 ]
For one other project I created codes for, Authy seemed to support various options for key length and algorithms. I tested all kinds of options, from 4 characters to 8 characters, 15 sec time to 1 min with 5 sec steps, and SHA1, SHA256 and SHA512; all worked back then. I have not tested for more than 2 years, so things might have changed. In Bitwarden I only entered the key, with no algorithm choice at all, and it worked even though I chose SHA256 in Zabbix. So it seems more like Authy used the correct parameters to generate the code, while Bitwarden defaulted to SHA1.
The Bitwarden code was correct, so it seems more like Zabbix ignored its own SHA256 and generated the code using the key and SHA1 to compare with what I entered based on Bitwarden's generation.
Comment by Azn [ 2025 Jun 26 ]
Please try setting a light background as the default. Just yesterday I was dealing with a similar problem: only a few phones can scan on a dark background.