starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-01-11 21:10:29 +01:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

Ability to disable the fallback of authentication to local passwords when LDAP (and likely all external auth) is unavailable #9742

New Issue
Closed
opened 2025-12-29 21:21:57 +01:00 by adam · 1 comment
adam commented 2025-12-29 21:21:57 +01:00
Owner
Copy Link

Originally created by @quantumzedno on GitHub (May 24, 2024).

NetBox version

4.0.2

Feature type

Change to existing functionality

Proposed functionality

Currently our netbox install is setup as follows:

LDAP authentication backend to a proxy server that injects 2FA for additional security

I preformed the following test:
logged into netbox as user with permissions to modify accounts
used to built in password change function to set a given user's password to "test"
logged into the account with "test" password (was not prompted for 2FA as I was not using external auth
user then logged in with their AD password and was prompted for 2FA
attempted to relog in with "test" password and it was still viable

This tells me that even when LDAP auth is available that local password on the account is a valid login option, so in the event that a bad actor ever gets access to a logged in session of a user with permissions to edit accounts they could create a back door with no traceability

I would therefore like to propose one of the following:

  1. Logging into a netbox account via external auth automatically regenerates built in account password on successful login

  2. capability to disable this fall back behavior so that if LDAP/external auth is unavailable (or even if it is) then auth does not try and use local credentials at all (fail closed - requires additional consideration / local service account for disaster recovery)

  3. logging into a netbox account via external auth caches a hash of the password used to login as the local password to allow users to login with "last good password" in the event auth servers are down, but again would want this configurable as it still bypasses 2FA in our use case

Extra request:

improve reporting functionality on password changes - email automatically sent to user if their password is ever changed

Use case

having this be a configurable feature would be ideal to allow additional control over security while still leaving the default behavior the same incase certain netbox implementations rely on this for backup purposes (personally, i would like to leverage a specific built in service account with appropriate login reporting for this purpose but having options seems preferable for different usecases

Database changes

No response

External dependencies

No response

Originally created by @quantumzedno on GitHub (May 24, 2024). ### NetBox version 4.0.2 ### Feature type Change to existing functionality ### Proposed functionality Currently our netbox install is setup as follows: LDAP authentication backend to a proxy server that injects 2FA for additional security I preformed the following test: logged into netbox as user with permissions to modify accounts used to built in password change function to set a given user's password to "test" logged into the account with "test" password (was not prompted for 2FA as I was not using external auth user then logged in with their AD password and was prompted for 2FA attempted to relog in with "test" password and it was still viable This tells me that even when LDAP auth is available that local password on the account is a valid login option, so in the event that a bad actor ever gets access to a logged in session of a user with permissions to edit accounts they could create a back door with no traceability I would therefore like to propose one of the following: 1. Logging into a netbox account via external auth automatically regenerates built in account password on successful login 2. capability to disable this fall back behavior so that if LDAP/external auth is unavailable (or even if it is) then auth does not try and use local credentials at all (fail closed - requires additional consideration / local service account for disaster recovery) 3. logging into a netbox account via external auth caches a hash of the password used to login as the local password to allow users to login with "last good password" in the event auth servers are down, but again would want this configurable as it still bypasses 2FA in our use case Extra request: improve reporting functionality on password changes - email automatically sent to user if their password is ever changed ### Use case having this be a configurable feature would be ideal to allow additional control over security while still leaving the default behavior the same incase certain netbox implementations rely on this for backup purposes (personally, i would like to leverage a specific built in service account with appropriate login reporting for this purpose but having options seems preferable for different usecases ### Database changes _No response_ ### External dependencies _No response_
adam added the type: featurestatus: duplicate labels 2025-12-29 21:21:57 +01:00
adam closed this issue 2025-12-29 21:21:57 +01:00
adam commented 2025-12-29 21:21:58 +01:00
Author
Owner
Copy Link

@jeffgdotorg commented on GitHub (May 29, 2024):

Thanks for your interest in helping improve NetBox.

While the motivation for your feature request makes a lot of sense, the proposal you offer feels a bit too narrowly tailored to your particular use case. This is a reflection on you; we've wrestled quite a bit recently with how to address this kind of need. I personally opened #15842 to capture a similar proposal (see the edit history of the issue body).

I'm closing this issue as a duplicate of #15842, and encourage you to add your thoughts to that issue.

In the meantime, if you're handy with Python, you might consider using the local_settings.py mechanism introduced in #16127 as a hook for introducing custom code to accomplish your goal.

@jeffgdotorg commented on GitHub (May 29, 2024): Thanks for your interest in helping improve NetBox. While the motivation for your feature request makes a lot of sense, the proposal you offer feels a bit too narrowly tailored to your particular use case. This is a reflection on you; we've wrestled quite a bit recently with how to address this kind of need. I personally opened #15842 to capture a similar proposal (see the edit history of the issue body). I'm closing this issue as a duplicate of #15842, and encourage you to add your thoughts to that issue. In the meantime, if you're handy with Python, you might consider using the `local_settings.py` mechanism introduced in #16127 as a hook for introducing custom code to accomplish your goal.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
Mirrored from GitHub Pull Request
 severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
No Label status: duplicate type: feature
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/netbox#9742
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?