[pve-devel] [RFC/Draft] U2F Authentication
Alexandre DERUMIER
aderumier at odiso.com
Thu May 24 16:57:56 CEST 2018
Does it work with fido2/webauthn too?
https://www.w3.org/2018/04/pressrelease-webauthn-fido2.html.en
----- Mail original -----
From: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Thursday, 24 May 2018 15:28:45
Subject: [pve-devel] [RFC/Draft] U2F Authentication
This is an attempt at adding U2F authentication. This is a little
different than our current 2FA variant, since it requires the user to be
able to interactively add/update/delete the U2F key, and also (mostly)
requires the login to happen in two phases which required some changes
to our ticket system: In addition to regular tickets there's now a
special u2f ticket syntax which, after the initial login and before the
verification happened, contains the challenge the client has to
recognize and deal with by sending it off to the u2f device.
Notes:
* Currently this adds libu2f-server bindings to pve-access-control
(via xs), which therefore now depends on that library. We can add
this as a "suggested" or "recommended" package, and/or split the
bindings into a libpve-u2f-perl package or something...
* Since we need to store the key somewhere, this is currently working
for the PVE realm for the testing phase. We can either leave it up
to the authentication plugin to store the data (eg. ldap could maybe
store it on the ldap server?) or just decide on sticking it all
somewhere in /etc/priv and keep it plugin independent. (That's
probably a simpler approach anyway)
* UI and JS part probably need some polishing by people who're more
enthusiastic about javascript ;-)
To test:
* Setup working certificates (needs to be green in your browser)
* Configure the u2f appid and origin (we might be able to do that
automatically - especially now with the additional certificate
helpers from the Let's Encrypt part we should be able to figure out
a default domain/url that way...)
datacenter.cfg example:
u2f: appid=https://awesomecluster.foo.bar:8006,origin=https://awesomecluster.foo.bar:8006
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
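The two-phase login Wolfgang describes (initial password login hands out a "u2f ticket" carrying the challenge; the client forwards the challenge to the device; the server then checks the response against the ticket) can be sketched server-side without the XS bindings. The block below is an added example and not code from the draft patch or from pve-access-control: the ticket syntax (`u2f-demo:` prefix, HMAC-SHA256 over user, timestamp and challenge), the 120-second lifetime, the secret and the hostname are all assumptions. The ECDSA check of the device's signature over the assertion is what libu2f-server does and is deliberately left out; what is shown is the part the ticket system has to get right: binding the challenge to a short-lived, tamper-evident ticket and checking the browser's `clientData` (`typ`, `challenge`, `origin`) against the ticket and the `appid`/`origin` from `datacenter.cfg`.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed datacenter.cfg excerpt using the hostname from the mail (hypothetical).
DATACENTER_CFG = (
    "u2f: appid=https://awesomecluster.foo.bar:8006,"
    "origin=https://awesomecluster.foo.bar:8006\n"
)

TICKET_SECRET = b"constructed-demo-secret-not-a-real-key"  # assumption for the demo
TICKET_PREFIX = "u2f-demo:"   # assumed syntax, not PVE's actual ticket format
TICKET_TTL = 120              # seconds a challenge ticket stays usable (assumption)
U2F_SIGN_TYPE = "navigator.id.getAssertion"  # clientData 'typ' for a U2F sign response


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_u2f_config(cfg_text: str):
    """Return {'appid': ..., 'origin': ...} from the 'u2f:' line, or None if absent."""
    for line in cfg_text.splitlines():
        if not line.startswith("u2f:"):
            continue
        opts = {}
        for item in line[len("u2f:"):].strip().split(","):
            key, _, value = item.partition("=")
            opts[key.strip()] = value.strip()
        if "appid" not in opts or "origin" not in opts:
            raise ValueError("u2f config needs both appid and origin")
        return opts
    return None


def _mac(payload: str) -> str:
    return hmac.new(TICKET_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_u2f_ticket(username: str, now: int = None):
    """Phase 1: after the password check, hand out a ticket that embeds a fresh challenge."""
    now = int(time.time()) if now is None else now
    challenge = b64url(secrets.token_bytes(32))
    payload = f"{username}:{now}:{challenge}"
    return f"{TICKET_PREFIX}{payload}::{_mac(payload)}", challenge


def parse_u2f_ticket(ticket: str, now: int = None):
    """Check MAC and age of a phase-1 ticket; return (username, challenge)."""
    now = int(time.time()) if now is None else now
    if not ticket.startswith(TICKET_PREFIX):
        raise ValueError("not a u2f ticket")
    payload, sep, mac = ticket[len(TICKET_PREFIX):].rpartition("::")
    if not sep or not hmac.compare_digest(mac, _mac(payload)):
        raise ValueError("bad u2f ticket MAC")
    username, ts, challenge = payload.split(":", 2)
    if now - int(ts) > TICKET_TTL:
        raise ValueError("u2f ticket expired")
    return username, challenge


def make_client_data(challenge: str, origin: str) -> str:
    """Browser side (constructed): the clientData the U2F JS API returns, base64url-encoded."""
    return b64url(json.dumps(
        {"typ": U2F_SIGN_TYPE, "challenge": challenge, "origin": origin}).encode())


def complete_login(ticket: str, client_data_b64: str, cfg: dict, now: int = None) -> str:
    """Phase 2: tie the device response back to the ticket; return the verified username.

    Signature verification of the assertion itself is assumed to happen in
    libu2f-server and is not reimplemented here.
    """
    username, expected_challenge = parse_u2f_ticket(ticket, now)
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("typ") != U2F_SIGN_TYPE:
        raise ValueError("unexpected clientData type")
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge):
        raise ValueError("challenge does not match ticket")
    if client_data.get("origin") != cfg["origin"]:
        raise ValueError("origin mismatch")
    return username


if __name__ == "__main__":
    cfg = parse_u2f_config(DATACENTER_CFG)
    ticket, challenge = issue_u2f_ticket("root@pam")
    print(complete_login(ticket, make_client_data(challenge, cfg["origin"]), cfg))
```

The origin comparison is exact-string on purpose: a ticket issued for `https://awesomecluster.foo.bar:8006` must not be completed from `http://` or another port, which is exactly why the mail asks for working certificates and an explicit `origin` before testing.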