[pve-devel] [PATCH pve 0/15] U2F authentication

Wolfgang Bumiller w.bumiller at proxmox.com
Wed Mar 27 11:16:16 CET 2019

Another round of u2f patches. The u2f parts are now always stored in
/etc/pve/priv/tfa.cfg. pve-access-control now contains a bit more
generalized methods to modify a user's 2nd factor (in future patches
this will also be used to add user-opt-in TOTP for when it's not
configured in the 'realm', basically the user should be able to add a
2nd TOTP factor the same way this patch set allows the user to add a u2f

Contrary to TOTP, with u2f we have no choice but to split the login into
two phases. So the ticket's data is changed to convey whether a user is
currently running a u2f challenge. (Instead of simply being the username
it is now: `u2f!username!state`, where `state` is either `verified` (the
complete ticket) or an encoded challenge.

  * As with the previous series, this still currently this adds
    libu2f-server bindings to pve-access-control (via xs).
    I'll move this into a separate package once this series is reviewed.

  * And also: UI/JS part still needs some polishing...

  * Currently I also allow modifying the `origin` but I'm not sure
    whether this is useful. It would make more sense in the node-config
    which isn't exactly reachable from pve-access-control without
    introducing a circular dependency.

Usage (the part which ultimately ends up in pve-docs:)
  - Prerequisites:
      For a single node:
        * A valid https certificate and domain
      For a cluster:
        * Valid https certificates & domains for all nodes on which users
          with u2f authentication should be able to login.
        * A separate https server (with a valid certificate & domain) to
          host the `app-id.json` file (see `Multi-facet appes[1]`). This
          should list all the domains of your cluster (iow. all
          domains you will be browsing the PVE web UI with.).

  - Configuration:
      For a single node:
        * Optionally enforce the appid via this /etc/pve/datacenter.cfg

            u2f: appid=https://your-comain:8006

          NOTE: Changing the app-id will lock out all u2f users!

      For a cluster:
        * Configure the appid in datacenter.cfg to point to your
          `app-id.json` file:

            u2f: appid=https://your.high-available.web.server/pve-app-id.json

          NOTE: While the "facet ids" listed in this json file may be
          changed over time, changing the app id URL locks out all
          u2f users!

  - Usage:
      In the UI under `Datacenter -> Users` select your user (or if
      you're root at pam select any other user you want to modify) and
      click the `U2F` button.
      Use `Register` to associate your user with your key (Unless you're
      root you need to type in the password first).
      The next time you login you'll see a u2f query.

[1] https://developers.yubico.com/U2F/App_ID.html

More information about the pve-devel mailing list