[pve-devel] applied: [PATCH v2 pve 0/20] U2F authentication + TFA improvements

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Apr 3 15:27:37 CEST 2019


On 4/2/19 12:21 PM, Wolfgang Bumiller wrote:
> This should bring the TFA improvements closer to a finish.
> Changes to v1:
>   * Moved libu2f-server bindings to a separate package
>   * Changed .../u2f api endpoints to be named .../tfa, because:
>   * Added support for user-configured TOTP (also for realms with no TFA
>       configured).
>   * "Proper" UI added:
>     - Added a more generic tabbed TFA edit window to users:
>     - User configuration of TOTP shows a QR code
>     - u2f part is less ugly ;-)


applied series, with followups.


> 
> For the usage, see the v1 mail, with 1 additional note:
>   - Configuration
>       For a cluster:
> 
> Usage (copied from v1 and updated):
>   - Prerequisites:
>       For a single node:
>         * A valid https certificate and domain
>       For a cluster:
>         * Valid https certificates & domains for all nodes on which users
>           with u2f authentication should be able to log in.
>         * A separate https server (with a valid certificate & domain) to
>           host the `app-id.json` file (see `Multi-facet apps[1]`). This
>           should list all the domains of your cluster (iow. all
>           domains you will be browsing the PVE web UI with).
> 
>   - Configuration:
>       For a single node:
>         * Optionally enforce the appid via this /etc/pve/datacenter.cfg
>           entry:
> 
>             u2f: appid=https://your-domain:8006
> 
>           NOTE: Changing the app-id will lock out all u2f users!
> 
>       For a cluster:
>         a) If all nodes are reachable via subdomains under the same
>            parent domain, the parent domain can be used as appid.
> 
>             u2f: appid=https://example.com
> 
>            allows u2f authentication on https://nodeXY.example.com
> 
>         b) Configure the appid in datacenter.cfg to point to your
>            `app-id.json` file:
> 
>             u2f: appid=https://your.high-available.web.server/pve-app-id.json
> 
>            NOTE: While the "facet ids" listed in this json file may be
>            changed over time, changing the app id URL locks out all
>            u2f users!
> 
> [1] https://developers.yubico.com/U2F/App_ID.html
> 
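For the clustered setup (b) in the quoted usage notes, the `app-id.json` referenced by the `u2f: appid=` entry is a FIDO U2F trusted-facets document. The file below is an added illustration, not part of the series; the three node names, the `example.com` domain and the `8006` web UI port are assumed, and every facet is the exact https origin (scheme, host and port) the browser will show in the address bar.

```json
{
  "trustedFacets": [
    {
      "version": { "major": 1, "minor": 0 },
      "ids": [
        "https://pve1.example.com:8006",
        "https://pve2.example.com:8006",
        "https://pve3.example.com:8006"
      ]
    }
  ]
}
```

Adding or removing entries in `ids` later is safe for existing registrations; only changing the URL of this file in `datacenter.cfg` locks out enrolled u2f users, as the quoted note warns.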
