[pve-devel] Two-Factor Authentication

Eric Blevins ericlb100 at gmail.com
Fri Jun 20 17:13:40 CEST 2014


>
> I have made some initial tests and uploaded that code:
>
> https://git.proxmox.com/?p=pve-access-control.git;a=commitdiff;h=ab652a80189a1498caba8c7f3f2641affe9ec3bf

The URL should default to https but allow configuring it in
/etc/pve/datacenter.cfg

If an attacker was able to intercept the request they could utilize
the OTP to gain access or trick Proxmox into thinking an invalid OTP
is valid.
https cert validation will (theoretically) prevent such attacks.

I have not had issues with certificate validation provided the
ca-certificates package is installed.


