Locked out of Synology (2-factor design issue)


Postby SecurityK » Sat Apr 20, 2013 2:32 am

When the 2-factor feature became implemented on the Synology, I was thrilled! It was the best thing Synology could have done for the security of its users. The implementation, however, seems to have a design flaw, I feel.

Here is the issue I am facing right now. I set up 2-factor using the Google Authenticator app on my BlackBerry. When my BlackBerry recently received an over-the-air update, it reset my Google Authenticator app for some reason. Due to this, I was using the "lost my phone" link to receive the code over my e-mail. Having done this only a few times to save time, I have now been greeted with the following message:

Image

The account I am trying to log into is the admin account. There was no warning (that I recall) that warned me of running out of code requests via e-mail (Google does warn you when you get close to your limit), therefore I never put the app back on my phone.

If anyone can kindly help me as to how I can get back into my box, that would be awesome. I have a feeling I can still log into it via SSH, however I still don't know exactly what to do next (create new admin account?). Thanks.
SecurityK
I'm New!
Posts: 2
Joined: Sat Apr 20, 2013 2:23 am

Re: Locked out of Synology (2-factor design issue)

Postby archalien » Tue Apr 30, 2013 4:45 pm

I am in a similar situation and need help!!!

I lost power and when my Synology rebooted the 2-factor auth codes from my phone no longer worked.
I have 2-factor set up on both admin accounts, I can't log into either.
I tried the lost your phone link but the emails never show up.

So now I can't log into DSM!!!!????

I can ssh as root into the box. Synology support, how do I disable 2-factor from ssh so that I can get back into DSM???
archalien
Trainee
Posts: 17
Joined: Wed Feb 06, 2013 12:37 am

Re: Locked out of Synology (2-factor design issue)

Postby pjn » Tue Apr 30, 2013 6:04 pm

I haven't tried this myself but I was researching it in case it happened to me.

The help files on the NAS say you can press the reset button on the back of the NAS (note this doesn't wipe the NAS, just resets some of the configuration items including network config, admin password and disables 2-step authentication).

http://www.synology.com/support/faq_show.php?q_id=127

The above link doesn't mention that it resets 2-step, but the following is copied from the help file on my DS411+

Note: If a user belonging to the administrators group is not available, you can press the physical reset button on your DiskStation to reset DSM settings and disable 2-step verification
pjn
Trainee
Posts: 14
Joined: Fri May 13, 2011 4:52 pm

Re: Locked out of Synology (2-factor design issue)

Postby archalien » Wed May 01, 2013 3:41 pm

Thanks pjn!!!,

I received a tech support reply with the same solution with instructions linked here:
http://www.synology.com/support/tutoria ... p?q_id=493

However, I am out of town and won't be able to perform this operation until the weekend.

I think auth email may be failing because I set the notification to Gmail on port 25 instead of 587.

If I can find the conf file containing that setting, I can ssh in, fix it, reboot, and retry the lost phone email option.

Thanks for the support again, I will try another thread for the email setting.

-Arch
archalien
Trainee
Posts: 17
Joined: Wed Feb 06, 2013 12:37 am

System Email Notification Conf File Location?

Postby archalien » Wed May 01, 2013 7:34 pm

Hey all,

Due to getting locked out of 2-Step Auth and not having the recovery email set up properly,

I need help locating the conf file that stores the "System" (not MailStation) email notification settings so I can ssh in, switch the port for SMTP, reboot and get the recovery email.

The setting I'm looking for can be seen on the screenshot from this link:
http://www.theosquest.com/2012/01/24/sending-synology-system-email-using-gmail-or-google-apps-mail/

I'm locked out for a week until I get back to the box without this help.
Any help appreciated, effective help MUCH appreciated :D

Thx
Arch
archalien
Trainee
Posts: 17
Joined: Wed Feb 06, 2013 12:37 am

Re: Locked out of Synology (2-factor design issue)

Postby SecurityK » Sat May 04, 2013 10:20 pm

Hey can any admins/mods verify if there is a solution for us to get back into our Admin account?

This is a big security risk since our admin account is locked due to the limit on the backup codes allowed to be sent. Thanks!
SecurityK
I'm New!
Posts: 2
Joined: Sat Apr 20, 2013 2:23 am

Re: Locked out of Synology (2-factor design issue)

Postby archalien » Mon May 06, 2013 11:47 pm

SecurityK wrote: Hey can any admins/mods verify if there is a solution for us to get back into our Admin account?

This is a big security risk since our admin account is locked due to the limit on the backup codes allowed to be sent. Thanks!


I can validate this works (hit reset button on back for 4 seconds and a beep).
It resets password of admin account, disables 2-factor auth for that account, and resets NIC settings but does not touch other accounts granted admin privileges. From admin account you can disable 2-factor on other accounts.

PS: the reason 2-factor went bad on mine is because the Synology system clock was off due to power loss and, after a week of uptime and several reboots, did not resync, so the auth code was always computed wrong.
Opening new thread to address this issue.
archalien
Trainee
Posts: 17
Joined: Wed Feb 06, 2013 12:37 am
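
Why a drifted clock makes every authenticator code fail, as an added example that is not part of the original posts: a minimal RFC 6238 TOTP generator and verifier in Python, with the NAS clock offset as a parameter. The acceptance window of one 30-second step either side and the function names are assumptions for illustration, not DSM's actual settings.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32: str, unix_time: int) -> str:
    """The code an authenticator app shows at unix_time."""
    return hotp(secret_b32, int(unix_time) // STEP)

def verify(secret_b32: str, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept codes from +/- window steps around the server clock."""
    now = int(server_time) // STEP
    return any(hmac.compare_digest(hotp(secret_b32, now + d), code)
               for d in range(-window, window + 1))

def login_succeeds(secret_b32: str, real_time: int, nas_clock_error: int) -> bool:
    """Phone has the correct time; the NAS clock is off by nas_clock_error seconds."""
    code = totp(secret_b32, real_time)
    return verify(secret_b32, code, real_time + nas_clock_error)

# RFC 6238 test secret ("12345678901234567890" in base32), not a real account secret.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    t = 1111111109
    for error in (0, 20, -45, 600, -3600):
        ok = login_succeeds(SECRET, t, error)
        print(f"NAS clock off by {error:>6}s -> accepted: {ok}")
```

Small offsets are absorbed by the window; once the drift exceeds it, no code from the phone is accepted until the NAS clock is corrected.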

Re: Locked out of Synology (2-factor design issue)

Postby necrosis » Sun Sep 29, 2013 2:46 pm

I agree that there is ZERO warning that there is a limit on 'emergency' codes for 2-factor and there should be. I also hate that there is no way to reset the admin account and *ONLY* the admin account either by some physical button press or through SSH access (as 2-factor settings are not applied to SSH).

Looks like I just have to hit the button and spend the next 15 min resetting all the other settings that are going to get wiped.
DS1812+ (DSM 5.0-4458) 8x Samsung HD203WI {2TB} - RAID6 {10.72TB}
    DX510 5x Seagate ST33000650NS {3TB} - SHR [1 Drive] {10.73TB}
    DX510 5x Seagate ST33000650NS {3TB} - SHR [1 Drive] {10.73TB}
APC Back-UPS Pro 1500 160w Load {20%} 36min
necrosis
Student
Posts: 70
Joined: Sat Jun 16, 2012 6:20 am

Re: Locked out of Synology (2-factor design issue)

Postby hadesz » Wed Oct 23, 2013 11:49 am

Hello guys,

You can add new emergency codes via ssh:

/usr/syno/etc/preference/<username>/google_authenticator (you have to grant write access to root user for modification)
Now you can add as many 8-digit random codes as you wish, but do not touch the first 4 lines:

<SOMERANDOMCODEFORAUTH>
" DISALLOW_REUSE <randomcode>
" TOTP_AUTH
<randomcode>
<youshouldaddcodeshere>
<youshouldaddcodeshere>
<youshouldaddcodeshere>
...


I'll create an ash script for automatic fill-up later.

bye
hadesz
I'm New!
Posts: 2
Joined: Wed Jul 24, 2013 10:24 pm
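
The file edit described in the post above, as an added Python example that is not hadesz's script or Synology code: it leaves the first four lines untouched, appends fresh 8-digit codes, and restores the file's original permissions afterwards. The non-zero first digit, the function names and the sample file contents are assumptions; the demo runs against a constructed file in a temporary directory.

```python
import os
import secrets
import stat
import tempfile

HEADER_LINES = 4  # per the post: leave the first four lines exactly as they are

def new_code() -> str:
    # Assumption: 8 decimal digits with a non-zero first digit.
    return str(10_000_000 + secrets.randbelow(90_000_000))

def add_emergency_codes(path: str, count: int) -> list:
    with open(path) as fh:
        lines = fh.read().splitlines()
    # Refuse to touch a file that does not match the layout shown in the post.
    if len(lines) < HEADER_LINES or not all(l.startswith('" ') for l in lines[1:3]):
        raise ValueError("unexpected file layout, not modifying " + path)
    taken = set(lines[1:])
    fresh = []
    while len(fresh) < count:
        code = new_code()
        if code not in taken:          # never append a duplicate code
            taken.add(code)
            fresh.append(code)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode | stat.S_IWUSR)    # the "grant write access" step
    try:
        with open(path, "w") as fh:
            fh.write("\n".join(lines + fresh) + "\n")
    finally:
        os.chmod(path, mode)               # put the original permissions back
    return fresh

def demo():
    # Constructed sample file; the secret and codes are made up.
    sample = 'JBSWY3DPEHPK3PXP\n" DISALLOW_REUSE 45372912\n" TOTP_AUTH\n11112222\n'
    path = os.path.join(tempfile.mkdtemp(), "google_authenticator")
    with open(path, "w") as fh:
        fh.write(sample)
    os.chmod(path, 0o400)                  # read-only, as on a locked-down file
    fresh = add_emergency_codes(path, 3)
    with open(path) as fh:
        after = fh.read().splitlines()
    return sample.splitlines(), fresh, after, stat.S_IMODE(os.stat(path).st_mode)

if __name__ == "__main__":
    print(demo())
```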