Seeking Guidance on Enabling MFA in Ziti Edge Tunnel

Hello everyone,

I am encountering some issues while using the Ziti Edge Tunnel and would appreciate any help.

I tried to enable MFA with the following command:

ziti-edge-tunnel enable_mfa -i toadzhou.json

However, I received an error, and the response was as follows:

{
  "Success": false,
  "Error": "ziti context not found",
  "Code": 500
}

Additionally, when I tried to add an identity:

ziti-edge-tunnel add --identity toadzhou.json

I got this response:

{
  "Success": false,
  "Error": "jwt content not provided",
  "Code": 500
}

I would like to understand how to properly enable MFA and resolve these errors. Thank you all for your support!

let's tackle the second issue first. the add command expects jwt content to be supplied not a file. The -i represents the output file that will be produced. It requires a running ziti-edge-tunnel that was started with the -I command in order to 'add' the identity and the resultant identity is placed into that directory.

see the doc for details

sudo ziti-edge-tunnel add --jwt "$(< ./in-file.jwt)" --identity myIdentityName

as for mfa, with the linux tunneler it's a bit cumbersome as there is no ui actively developed in linux and much of this IPC-related functionality was intended to be used with user interactions and a UI. Although you can certainly do it with the command line, it's just "more".

I strongly recommend you use the linux package to install the ziti-edge-tunnel. That will set you up for success. When you install it you should have seen a helpful banner?

--------------------------------------------------------------------------------
Completed clean install of ziti-edge-tunnel. Get started by adding an identity:
Start ziti-edge-tunnel.service and run:
  ziti-edge-tunnel add --jwt "$(< ziti_id.jwt)" --identity "ziti_id"
--------------------------------------------------------------------------------

If you started the tunnel once as root, after you install the package make sure the /tmp/.ziti folder is chown'ed to 2172:2172. sudo chown 2172:2172 /tmp/.ziti/

After making an identity:

ziti edge create identity newid -o newid.jwt

Add'ing/importing it to the ziti-edge-tunnel:

sudo ziti-edge-tunnel add --jwt "$(< newid.jwt)" --identity newid
{
  "Success":true,
  "Code":0
}

enable mfa (make sure you save your recovery codes)

sudo ziti-edge-tunnel enable_mfa -i /opt/openziti/etc/identities/newid.json
{
  "Success":true,
  "Data":{
    "Identifier":"\/opt\/openziti\/etc\/identities\/newid.json",
    "IsVerified":false,
    "ProvisioningUrl":"otpauth:\/\/totp\/openziti.io:newid?issuer=openziti.io&secret=GTA34LCAX2TBWF2K",
    "RecoveryCodes":[
      "2RLQKX",
      "6GL5HL",
      "72HOCS",
      "ARJPQQ",
      "DDN63J",
      "F6YBKZ",
      "GLFAYF",
      "JEJTPV",
      "LBPWB7",
      "LMRND6",
      "NU5RHH",
      "POLM37",
      "QD5N5J",
      "SUWFRK",
      "TGRYOG",
      "THTV6X",
      "UIGZN7",
      "XAQH3S",
      "XHUIAW",
      "ZJMOH7"
    ]
  },
  "Code":0
}

take the secret and import it to your 2fa app, in my example that would be GTA34LCAX2TBWF2K. i use this site when testing https://totp.danhersam.com/

verify you have successfully acquired/stored/used the secret:

sudo ziti-edge-tunnel verify_mfa -i /opt/openziti/etc/identities/newid.json --authcode 749047
{
  "Success":true,
  "Code":0
}

when needed (every time the service restarts or session times out), submit mfa:

ziti-edge-tunnel submit_mfa -i /opt/openziti/etc/identities/newid.json --authcode 316326
{
  "Success":true,
  "Code":0
}

This whole dance is done on your behalf with the other tunnelers. You can try out the "new ui" (the project has stalled, just fyi) from Releases · openziti/desktop-edge-ui · GitHub

It has a UI that used to work with the linux tunneler, I would think it still would but I've not tried it on linux recently... so ymmv

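As an added example (not part of this thread or of the OpenZiti project's own code): the ProvisioningUrl that enable_mfa returns is a standard otpauth://totp/ URL, so the --authcode for verify_mfa and submit_mfa can be computed locally per RFC 6238 instead of pasting the secret into a third-party website. The script below uses only the Python standard library; the URL and secret in it are the ones printed in the reply above, and the current-time call is just for demonstration.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_provisioning_url(url: str) -> dict:
    """Extract label, issuer and base32 secret from the otpauth://totp/ URL
    that `ziti-edge-tunnel enable_mfa` returns as ProvisioningUrl."""
    # enable_mfa prints the URL JSON-escaped ("otpauth:\/\/totp\/..."); undo that first.
    parts = urlparse(url.replace("\\/", "/"))
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URL")
    query = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer", [""])[0],
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at unix time `at`."""
    # b32decode needs padding to a multiple of 8 chars; otpauth secrets omit it.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // period)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def authcode_for(provisioning_url: str, at: int) -> str:
    """The --authcode value for verify_mfa / submit_mfa at unix time `at`."""
    p = parse_provisioning_url(provisioning_url)
    return totp(p["secret"], at, p["digits"], p["period"])


if __name__ == "__main__":
    # ProvisioningUrl exactly as printed by enable_mfa in the reply above.
    URL = "otpauth:\\/\\/totp\\/openziti.io:newid?issuer=openziti.io&secret=GTA34LCAX2TBWF2K"
    print(parse_provisioning_url(URL))
    print("current --authcode:", authcode_for(URL, int(time.time())))
```

Any TOTP app will produce the same code for the same secret and clock, so a mismatch on verify_mfa usually points at clock skew between the host and the phone.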

This was just an oversight on my part, as I provided an incorrect demonstration of the operation. However, it’s not important because I had already successfully registered correctly beforehand.

I think my issue is simply that I didn’t provide an absolute path. When using a relative path, it throws a 500 error.

Thanks to your guidance, I successfully enabled the MFA feature in the terminal. I appreciate your help!

Yes the absolute path is important. The CLI commands will be documented and tested more in the future. Right now, my expectation is that for MFA they will work but they are not always tested as much as we test the interaction between the UIs and the ziti-edge-tunnel.

If you use the absolute path, you should be good to go, as you noticed. Glad you figured that out! 🙂
