Enabling 2FA on TrueNAS Scale causes 401 errors for freenas_api_connect Basic Auth

[kaypeter87]

I am on TrueNAS-SCALE-22.12.3.3 and pve-manager/7.4-16/0f39f621 (running kernel: 5.15.104-1-pve)

It's mentioned that SSH is used to run zfs commands to TrueNAS, but 2FA seems cause a 401 error to the plugin.

Sep 24 20:42:19 proxmox2 pvedaemon[488042]: [ERROR]FreeNAS::API::PVE::Storage::LunCmd::FreeNAS::freenas_api_connect : Response code: 401
Sep 24 20:42:19 proxmox2 pvedaemon[488042]: [ERROR]FreeNAS::API::PVE::Storage::LunCmd::FreeNAS::freenas_api_connect : Response content: HTTP Basic Auth is unavailable when OTP is enabled

There is an option to enable 2FA over SSH, but this is disabled by default.

I'm not entirely sure how the freenas_api_connect function handles this, but it seems API calls now require 2FA codes when its enabled? I had this working with 2FA on Core. Seems like something has changed on the TrueNAS side requiring it.

[eugenefvdm]

Hi! The screenshot helps a lot. To me it appears you're thinking it's a 2FA issue whereby the error text indicates:

...is unavailable when OTP is enabled

Above where it says, One-Time Password (OTP) Digits*, is there an option to try without OTP?

[kaypeter87]

NP! I forgot to add, I do not get the error and everything works when I disable 2FA altogether from my TrueNAS instance.

[kaypeter87]

Hi! The screenshot helps a lot. To me it appears you're thinking it's a 2FA issue whereby the error text indicates:

...is unavailable when OTP is enabled

Above where it says, One-Time Password (OTP) Digits*, is there an option to try without OTP?

For this specific question, no there is no option to try without OTP.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[kaypeter87]

I might have some time to submit a PR during the holidays.

[hunter-nl]

I've the same issue. But I need 2FA to keep enabled. So hopefully there will some quick fix coming in FreeNAS-ProxMox.

[TheGrandWazoo]

Well you would not want to enable 2fa for a API user. Possible to create a user without 2fa and then use that to connect to TrueNAS?

I will need to replicate this. Will be doing it tonight/tomorrow to see the possibilities can be. I have a patch coming for Token instead of User based auth so that might help.

[hunter-nl]

I had to disable 2FA system wide for all users to get Freenas-Proxmox working again.
Hopefully the token solution is soon available.

[kaypeter87]

Well you would not want to enable 2fa for a API user. Possible to create a user without 2fa and then use that to connect to TrueNAS?

I will need to replicate this. Will be doing it tonight/tomorrow to see the possibilities can be. I have a patch coming for Token instead of User based auth so that might help.

Agreed 👍 but I believe the 2FA is system wide which forces the API user to have 2FA. The token feature will definitely help out with this, appreciate the hard work.

I'll try to play around with the settings on the truenas side to see how the plugin reacts in different scenarios.

[hunter-nl]

I will need to replicate this. Will be doing it tonight/tomorrow to see the possibilities can be. I have a patch coming for Token instead of User based auth so that might help.

Any progress on this?

[TheGrandWazoo]

Yes. I have a version that using the Bearer Token. Will be pushing to the 'truenas-proxmox-testing' repo in a day or so.
Also just making a few changes to some variables so seeing if the code updates the underlying config correctly.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[hunter-nl]

Any progress on this issue?

[TheGrandWazoo]

The testing repo has the Bearer Token feature. Please try that and let me know. I have been running it as I do not get any 2FA.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.