[pve-devel] [PATCH pve 0/15] U2F authentication

Dietmar Maurer dietmar at proxmox.com
Wed Mar 27 11:33:12 CET 2019


This looks ways to complicated for me ... Do we really want to maintain
that, considering there are very few users?

> On 27 March 2019 at 11:16 Wolfgang Bumiller <w.bumiller at proxmox.com> wrote:
> 
> 
> Another round of u2f patches. The u2f parts are now always stored in
> /etc/pve/priv/tfa.cfg. pve-access-control now contains a bit more
> generalized methods to modify a user's 2nd factor (in future patches
> this will also be used to add user-opt-in TOTP for when it's not
> configured in the 'realm', basically the user should be able to add a
> 2nd TOTP factor the same way this patch set allows the user to add a u2f
> factor).
> 
> Contrary to TOTP, with u2f we have no choice but to split the login into
> two phases. So the ticket's data is changed to convey whether a user is
> currently running a u2f challenge. (Instead of simply being the username
> it is now: `u2f!username!state`, where `state` is either `verified` (the
> complete ticket) or an encoded challenge.
> 
> Notes:
>   * As with the previous series, this still currently this adds
>     libu2f-server bindings to pve-access-control (via xs).
>     I'll move this into a separate package once this series is reviewed.
> 
>   * And also: UI/JS part still needs some polishing...
> 
>   * Currently I also allow modifying the `origin` but I'm not sure
>     whether this is useful. It would make more sense in the node-config
>     which isn't exactly reachable from pve-access-control without
>     introducing a circular dependency.
> 
> Usage (the part which ultimately ends up in pve-docs:)
>   - Prerequisites:
>       For a single node:
>         * A valid https certificate and domain
>       For a cluster:
>         * Valid https certificates & domains for all nodes on which users
>           with u2f authentication should be able to login.
>         * A separate https server (with a valid certificate & domain) to
>           host the `app-id.json` file (see `Multi-facet appes[1]`). This
>           should list all the domains of your cluster (iow. all
>           domains you will be browsing the PVE web UI with.).
> 
>   - Configuration:
>       For a single node:
>         * Optionally enforce the appid via this /etc/pve/datacenter.cfg
>           entry:
> 
>             u2f: appid=https://your-comain:8006
> 
>           NOTE: Changing the app-id will lock out all u2f users!
> 
>       For a cluster:
>         * Configure the appid in datacenter.cfg to point to your
>           `app-id.json` file:
> 
>             u2f: appid=https://your.high-available.web.server/pve-app-id.json
> 
>           NOTE: While the "facet ids" listed in this json file may be
>           changed over time, changing the app id URL locks out all
>           u2f users!
> 
>   - Usage:
>       In the UI under `Datacenter -> Users` select your user (or if
>       you're root at pam select any other user you want to modify) and
>       click the `U2F` button.
>       Use `Register` to associate your user with your key (Unless you're
>       root you need to type in the password first).
>       The next time you login you'll see a u2f query.
> 
> [1] https://developers.yubico.com/U2F/App_ID.html
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



More information about the pve-devel mailing list