[pve-devel] Two-Factor Authentication
Dietmar Maurer
dietmar at proxmox.com
Fri Jun 20 17:45:33 CEST 2014
> > https://git.proxmox.com/?p=pve-access-control.git;a=commitdiff;h=ab652a80189a1498caba8c7f3f2641affe9ec3bf
>
> The URL should default to https but allow configuring it in
> /etc/pve/datacenter.cfg
https is clumsy, because of problems with cert validation and https proxy (libwww-perl problems/bugs).
> If an attacker was able to intercept the request they could utilize the OTP to gain
> access or trick Proxmox into thinking an invalid OTP is valid.
How exactly? The API uses the secret key to verify request/response. That key is unknown
to the attacker.
> https cert validation will (theoretically) prevent such attacks.
>
> I have not had issues with certificate validation provided the ca-certificates
> package is installed.
Using libwww-perl with verify_hostname=1?
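For reference, this is what the verify_hostname setting being asked about looks like in libwww-perl (LWP::UserAgent). It is an added example, not code from the pve-access-control commit or from Proxmox; the endpoint URL, the `otp` parameter and the CA bundle path are assumptions for illustration. The point of the example is the difference between a response that fails because the peer certificate could not be validated and a response that carries an answer from the server:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);

# Hypothetical endpoint; not a real Proxmox or OTP-provider URL.
my $verify_url = 'https://otp.example.com/api/verify';

# Build a user agent that refuses to talk to a server whose certificate
# does not chain to a trusted CA or does not match the hostname.
# SSL_ca_file is the Debian ca-certificates bundle; adjust for other systems.
# Without ssl_opts, LWP 6 also honours the PERL_LWP_SSL_VERIFY_HOSTNAME and
# PERL_LWP_SSL_CA_FILE environment variables, which is easy to get wrong in
# a daemon started from an unexpected environment, so set it explicitly.
my $ua = LWP::UserAgent->new(
    timeout  => 10,
    ssl_opts => {
        verify_hostname => 1,
        SSL_ca_file     => '/etc/ssl/certs/ca-certificates.crt',
    },
);

# Honour http_proxy/https_proxy from the environment. Proxying https needs
# an LWP::Protocol::https that does CONNECT properly; older versions were
# the source of the proxy problems mentioned in this thread.
$ua->env_proxy;

# Returns (status, message). 'ok' and 'invalid' are answers from the
# server; 'transport' means no trustworthy answer was obtained at all
# (includes certificate verification failures, which LWP reports as a
# synthetic 500 response with an internal-response header set).
sub verify_otp {
    my ($username, $otp) = @_;

    my $res = $ua->request(POST $verify_url, [ user => $username, otp => $otp ]);

    # A response generated by LWP itself (connection or TLS failure) must
    # never be interpreted as a verdict on the OTP.
    if ($res->header('Client-Warning') && $res->header('Client-Warning') eq 'Internal response') {
        return ('transport', $res->status_line);
    }

    return ('ok',      'OTP accepted') if $res->code == 200;
    return ('invalid', 'OTP rejected') if $res->code == 401 || $res->code == 403;
    return ('transport', 'unexpected status ' . $res->status_line);
}

if (!caller) {
    my ($status, $msg) = verify_otp('alice', '123456');
    print "$status: $msg\n";
}
```

With verify_hostname set and a CA bundle that does not contain the attacker's CA, an intercepting proxy that presents its own certificate produces a `transport` result rather than an `ok` or `invalid` one, so the caller can fail closed. The three-way result is the part worth keeping whatever the transport: a connection or certificate failure is not the same as "the server said the OTP is wrong".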