authentication – Does this official “Enforce MFA” AWS policy make any sense?

At https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/ AWS officially recommends having this policy:

    {
        "Sid": "BlockMostAccessUnlessSignedInWithMFA",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice",
            "iam:DeleteVirtualMFADevice",
            "iam:ListVirtualMFADevices",
            "iam:EnableMFADevice",
            "iam:ResyncMFADevice",
            "iam:ListAccountAliases",
            "iam:ListUsers",
            "iam:ListSSHPublicKeys",
            "iam:ListAccessKeys",
            "iam:ListServiceSpecificCredentials",
            "iam:ListMFADevices",
            "iam:GetAccountSummary",
            "sts:GetSessionToken"
        ],
        "Resource": "*",
        "Condition": {
            "Bool": {
                "aws:MultiFactorAuthPresent": "false"
            }
        }
    }

which presumably is supposed to enforce an MFA requirement for the account.

But to me having "iam:DeleteVirtualMFADevice" makes it not very useful.

2FA to me is a second measure to protect authentication flow: you must know not only a password, but also a 2FA device.

Now with this policy – it allows removing a virtual MFA device as long as you have a valid access token.

And "iam:DeleteVirtualMFADevice" cannot be removed from there: if one removes it, then the AWS console MFA setup page is broken (it says the MFA already exists, even if it wasn't set up yet).

Am I missing something, or is it security theatre happening here?
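To see what the Deny/NotAction statement above actually covers, here is a small evaluator written for this page (not code from AWS or from the question). It models only the IAM semantics the statement relies on: NotAction, the Bool condition, and how a missing condition key is treated; the request contexts are constructed, and anything the statement does not deny is assumed to be granted by some other Allow statement. The `with_bool_if_exists` variant is added here as the comparison case.

```python
import fnmatch

# The statement from the question, transcribed as Python data.
BLOCK_UNLESS_MFA = {
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice",
        "iam:ListVirtualMFADevices", "iam:EnableMFADevice", "iam:ResyncMFADevice",
        "iam:ListAccountAliases", "iam:ListUsers", "iam:ListSSHPublicKeys",
        "iam:ListAccessKeys", "iam:ListServiceSpecificCredentials",
        "iam:ListMFADevices", "iam:GetAccountSummary", "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
}

# Constructed request contexts. The MFA key only exists for requests made with
# temporary credentials; a request signed with long-term access keys has none.
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}
LONG_TERM_KEYS = {}

def _condition_holds(condition, context):
    # Bool: a missing context key never matches. BoolIfExists: a missing key
    # counts as a match. This is what decides the LONG_TERM_KEYS case.
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        for key, expected in pairs.items():
            if key not in context:
                if not if_exists:
                    return False
                continue
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def denies(stmt, action, context):
    """True if this Deny statement applies to `action` under `context`."""
    if stmt["Effect"] != "Deny":
        return False
    # NotAction means "every action except these"; names match case-insensitively.
    pats = stmt.get("NotAction", stmt.get("Action", []))
    hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)
    in_scope = (not hit) if "NotAction" in stmt else hit
    return in_scope and _condition_holds(stmt.get("Condition", {}), context)

def with_bool_if_exists(stmt):
    """Same statement with BoolIfExists, so requests lacking the key are denied too."""
    return {**stmt, "Condition": {"BoolIfExists": stmt["Condition"]["Bool"]}}
```

Running it confirms that iam:DeleteVirtualMFADevice is exempt without MFA while iam:DeactivateMFADevice (not in the list) is denied. It also shows that with plain Bool a request signed with long-term access keys is never denied, because the key is absent from its context, whereas the BoolIfExists form denies it.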

security – Does disabling the prompt to enable two-factor authentication on an iOS device disable future prompts from appearing?

You cannot guarantee that the user will not be prompted in the future.

There's continued development in security and in the need for preventive measures. Today two-factor authentication is absolutely crucial and widespread; 25 years ago it was only used by the few.

Apple sometimes "moves the bar" by changing the minimum security requirements. In those cases, they could start prompting users again to enable two-factor authentication – or even require it entirely.

For example, not so long ago the requirements for developer accounts were changed so that these users must have two-factor authentication enabled (this also affects apps such as TestFlight, App Store Connect, etc.). These users were notified in advance that this requirement would be instated.

authentication – How to prepare my website to Google’s oncoming change regarding embedded browser frameworks?

I recently received an email from Google saying that:

We are writing to let you know that Google will discontinue support for sign-ins to Google accounts from embedded browser frameworks, starting January 4, 2021. We are following up with you about a recent blog post outlining our effort to block less secure browsers and applications.

I read the blog post, but could not understand how to relate it to the code in my web server, and what exactly I should do to prepare for the change. Here is the relevant PHP code (which mostly generates HTML and JavaScript):

    <script type='text/javascript' src='https://apis.google.com/js/platform.js?onload=onLoad' async defer></script>
    <meta name='google-signin-client_id' content='$GLOBALS[google_signin_client_id].apps.googleusercontent.com'>
    <script type='text/javascript'>
        // Called by platform.js once it has loaded; initialises the auth2 library once.
        function onLoad() {
                if (!gapi.auth2) {
                    gapi.load('auth2', function() {
                        gapi.auth2.init();
                    });
                }
        }

        // data-onsuccess handler: hands the profile fields to the server via the query string.
        function onSignIn(googleUser) {
                var profile = googleUser.getBasicProfile();
                var redirectUrl = '?followup=$followup&id='+encodeURIComponent(profile.getId())+'&name='+encodeURIComponent(profile.getName())+'&email='+encodeURIComponent(profile.getEmail())+'&image='+encodeURIComponent(profile.getImageUrl());
                window.location = redirectUrl;
        }

        function onSignOut() {
                var auth2 = gapi.auth2.getAuthInstance();
                console.log('User signing out.');
                auth2.signOut().then(function () {
                        console.log('User signed out.');
                        var redirectUrl = '?followup=$followup';
                        window.location = redirectUrl;
                });
        }
    </script>

    ...

    <div class='g-signin2' data-onsuccess='onSignIn'></div>

    ...

    <a href="#" onclick='onSignOut()'>logout</a>

What exactly should I change in this code to ensure that my website works after 4/1/2021?

authentication – bitcoin-cli failed with error: incorrect rpcuser or rpcpassword

When I run this command:

bitcoind -testnet -printtoconsole -rpcuser=123456 -rpcpassword=123456

and, after bitcoind is up, I run this on the same Ubuntu 17.10 machine:

bitcoin-cli -testnet -rpcuser=123456 -rpcpassword=123456 getbalance

I get this result:

error: incorrect rpcuser or rpcpassword (authorization failed)

The second day I tried exactly the same way, and I got the correct result. It is really weird.

I tried putting these two lines in /home/user/.bitcoin/bitcoin.conf:

rpcuser=123456
rpcpassword=123456

And I ran this command:

bitcoind -testnet -printtoconsole -conf=/home/gogogo237/.bitcoin/bitcoin.conf

And this:

bitcoin-cli -testnet -rpcuser=123456 -rpcpassword=1234564 getbalance

Notice that I intentionally changed -rpcpassword to a wrong password, but I still get a correct result.

This is really unpredictable and obviously a mistake. Can anyone explain this error? Thanks!

pam – Ubuntu Vsftpd with active directory ldap but limit the authentication to the FTP service and not the system itself

I'm using SSSD and PAM along with realm so that my Active Directory users are able to access the vsftpd server. The problem is that the users can access the Ubuntu server itself as well, using the same credentials.

Is there any way to separate the two? Grant access to the AD users only against the FTP service and not the whole system?

I have been researching this for a while, but am coming up empty. Any help on this would be highly appreciated, guys.

Thanks

8 – How to redirect customers to my payment gateway’s authentication page on an onsite payment gateway

This is on Drupal 8 using Drupal Commerce 2.

I'm implementing an onsite payment gateway that can support 3DS authentication for MasterCard/Visa credit cards.

How can I redirect customers to the offsite form on checkout?

What I have tried is, after sending a payment request to the payment gateway and reading that the status of the payment is "for Authentication", using TrustedRedirectResponse to redirect customers to authenticate their payment; but somehow TrustedRedirectResponse is not functioning.

Any leads will help!

P.S. Is there a way to add a PaymentOffsiteForm to my module and call it inside my createPayment() function inside my onsite.php?

json rpc – Bitcoind to use static RPC authentication cookie from file?

I'm running bitcoind 0.20.1 inside a Docker container and would like to access its RPC interface from another container. I have put an authentication cookie into a Docker secret and mapped it to /run/secrets/rpc_cookie. Now when I use -rpccookiefile=/run/secrets/rpc_cookie, bitcoind tries to write to that file and fails. Of course, it's read-only! How can I instruct bitcoind to just use the cookie from the file and be done with it?