[pve-devel] [PATCH v2 pve 0/20] U2F authentication + TFA improvements
Wolfgang Bumiller
w.bumiller at proxmox.com
Tue Apr 2 12:21:50 CEST 2019
This should bring the TFA improvements closer to a finish.

Changes to v1:
* Moved libu2f-server bindings to a separate package
* Changed .../u2f api endpoints to be named .../tfa, because:
  * Added support for user-configured TOTP (also for realms with no TFA
    configured).
* "Proper" UI added:
  - Added a more generic tabbed TFA edit window to users:
    - User configuration of TOTP shows a QR code
    - u2f part is less ugly ;-)
For the usage, see the v1 mail, with 1 additional note:
  - Configuration
    For a cluster:

Usage (copied from v1 and updated):
- Prerequisites:
  For a single node:
    * A valid https certificate and domain
  For a cluster:
    * Valid https certificates & domains for all nodes on which users
      with u2f authentication should be able to log in.
    * A separate https server (with a valid certificate & domain) to
      host the `app-id.json` file (see `Multi-facet apps` [1]). This
      should list all the domains of your cluster (in other words, all
      domains you will be browsing the PVE web UI with).
- Configuration:
  For a single node:
    * Optionally enforce the appid via this /etc/pve/datacenter.cfg
      entry:
        u2f: appid=https://your-domain:8006
      NOTE: Changing the app-id will lock out all u2f users!
  For a cluster:
    a) If all nodes are reachable via subdomains under the same
       parent domain, the parent domain can be used as appid.
         u2f: appid=https://example.com
       allows u2f authentication on https://nodeXY.example.com
    b) Configure the appid in datacenter.cfg to point to your
       `app-id.json` file:
         u2f: appid=https://your.high-available.web.server/pve-app-id.json
       NOTE: While the "facet ids" listed in this json file may be
       changed over time, changing the app id URL locks out all
       u2f users!
[1] https://developers.yubico.com/U2F/App_ID.html
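The following is an added, stand-alone Python example (not part of this patch series or of the PVE code base) that models the two appid rules described above so an admin can sanity-check a planned `u2f:` entry before rolling it out: case a), a bare https origin whose host must equal, or be a parent domain of, the web UI host the browser uses; and case b), an appid URL with a path, where the browser origin must appear in the `trustedFacets` list of the hosted `app-id.json`. It also flags an appid change between two versions of datacenter.cfg, since per the NOTEs above that invalidates every existing u2f registration. All domains, the datacenter.cfg fragment and the app-id.json document are constructed placeholders; the trusted-facets JSON layout follows the FIDO U2F AppID/Facet document format, and the subdomain rule is a simplified reading of what the mail states, not PVE's or a browser's exact implementation.

```python
import json
from urllib.parse import urlparse

# Constructed sample datacenter.cfg fragment (placeholder domain, not a real deployment).
DATACENTER_CFG = "keyboard: en-us\nu2f: appid=https://example.com\n"

# Constructed sample app-id.json for case b): every PVE web UI origin of the
# cluster listed as a trusted facet (FIDO U2F "trustedFacets" layout).
APP_ID_JSON = json.dumps({
    "trustedFacets": [{
        "version": {"major": 1, "minor": 0},
        "ids": ["https://node1.example.com:8006", "https://node2.example.com:8006"],
    }]
})


def parse_u2f_appid(cfg_text):
    """Extract the appid from the 'u2f:' line of a datacenter.cfg text (None if unset)."""
    for line in cfg_text.splitlines():
        if line.startswith("u2f:"):
            for opt in line[len("u2f:"):].split(","):
                key, _, value = opt.strip().partition("=")
                if key == "appid":
                    return value.strip()
    return None


def origin(url):
    """Normalise a URL to its scheme://host:port origin (default 443 for https)."""
    p = urlparse(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return f"{p.scheme}://{p.hostname.lower()}:{port}"


def trusted_facets(app_id_json):
    """Collect all facet origins from an app-id.json document (all listed versions)."""
    doc = json.loads(app_id_json)
    ids = set()
    for entry in doc.get("trustedFacets", []):
        for facet_id in entry.get("ids", []):
            ids.add(origin(facet_id))
    return ids


def facet_allowed(appid, browser_origin, app_id_json=None):
    """Apply the two rules from the mail (simplified model, an assumption):
    a) appid is a bare https origin: the browser host must equal it or be a subdomain of it;
    b) appid is a URL with a path (the app-id.json): the browser origin must be listed there.
    """
    a, b = urlparse(appid), urlparse(browser_origin)
    if a.scheme != "https" or b.scheme != "https":
        return False  # U2F requires https on both the appid and the facet
    if a.path in ("", "/"):
        host, parent = b.hostname.lower(), a.hostname.lower()
        return host == parent or host.endswith("." + parent)
    if app_id_json is None:
        return False  # cannot verify a path-style appid without its facet list
    return origin(browser_origin) in trusted_facets(app_id_json)


def appid_change_locks_out(old_cfg, new_cfg):
    """True when the u2f appid differs between two datacenter.cfg versions, i.e. the
    change would invalidate every existing u2f registration (the NOTEs in the mail)."""
    old, new = parse_u2f_appid(old_cfg), parse_u2f_appid(new_cfg)
    return old is not None and new is not None and old != new


if __name__ == "__main__":
    appid = parse_u2f_appid(DATACENTER_CFG)
    for node in ("https://node7.example.com:8006", "https://pve.example.org:8006"):
        print(node, "->", facet_allowed(appid, node))
```

Run it against your own datacenter.cfg text and the list of URLs users actually type into the browser; any `False` for a node means u2f logins from that node's UI would fail, and a `True` from `appid_change_locks_out` means the edit re-registers everyone.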