Enable two factor authentication

Search…
Add an extra layer of security to your account
Why 2FA and which to choose?
The more devices you manage with RPort the more powerful the RPort server becomes. If an unauthorized person get access to it, this person might take over partial or full control over your infrastructure. Getting access to your machines via RDP or SSH always requires login credentials of the operating system. But if you have scripts and command enabled, full control might be possible from the RPort dashboard. 
Enabling two-factor authentication is therefore recommended. It prevents unauthorized usage of the RPort server if you or your teammates use weak passwords or passwords are stolen. 
With 2FA enabled, you will receive a one-time token after the regular log in. The token is sent either by email or by a push message to your mobile. 
Using email is free of cost, but the protection is weaker compared to a push message. Think of a lost or stolen laptop. If the laptop is not fully encrypted, the wrongdoer will have access to RPort and the email account. The 2FA is useless. If you select push messages for 2FA the wrongdoer must get access to the laptop and the mobile phone. And nowadays, mobiles are protected biometrical, so accessing the token is not that easy.
Enabling 2FA and the method how token are sent, is a global setting. You can not enable or disabel  2FA per user. All users must use the same token delivery method.
👉 Use push messages on mobile phones for 2FA (recommended)
👉 Use email for 2FA
free two-factor sending service
Starting with rportd version 0.3 (late August 2021) all rport cloud installations have two-factor authentication via email enabled by default. Emails are sent via a free public service. This is good to start with a secure setup right from the beginning. The service comes without warranty or promised availability.
⚠️ If you plan to use RPort permanently and in a productive environment, stop using the free service. It's highly recommended using either your own SMTP server or switching to push messages. 
Privacy notes
The free email service triggered by the script /usr/local/bin/2fa-sender.sh on your rport server submits the email and the token of the user over encrypted https to a web service operated by cloudradar GmbH. Email addresses are not used for any other purpose than dispatching the two-factor token. Email addresses are not stored. 
Email sent by the free service for two-factor authentication
Use the free service on manual installations
If you have installed your RPort server manually, and you want to use the free token service, create the script with the following content.
/usr/local/bin/2fa-sender.sh
1
#!/bin/bash
2
# /usr/local/bin/2fa-sender.sh
3
#
4
# This is a script for sending two factor auth token via a free API provided by cloudradar GmbH
5
# Check https://kb.rport.io/install-the-rport-server/enable-two-factor-authentication
6
# and learn how to use your own SMTP server or alternative delivery methods
7
#
8
RESPONSE=$(curl -Ss https://free-2fa-sender.rport.io \
9
 -F email=${RPORT_2FA_SENDTO} \
10
 -F token=${RPORT_2FA_TOKEN} \
11
 -F ttl=${RPORT_2FA_TOKEN_TTL} \
12
 -F url=https://dnpefye735n8.users.rport.io 2>&1)
13
if echo $RESPONSE|grep -q "Message sent";then
14
    echo "Token sent via email"
15
    exit 0
16
else
17
    >&2 echo $RESPONSE
18
    exit 1
19
fi
Copied!
In your rportd.conf insert the following lines to the [api] block.
1
two_fa_token_delivery = "/usr/local/bin/2fa-sender.sh"
2
two_fa_send_to_type = "email"
Copied!
Change the FQDN of the RPort server
Use push on mobile for 2FA
Last modified 8mo ago
Export as PDF
Copy link
Contents
Why 2FA and which to choose?
free two-factor sending service