[pve-devel] [PATCH pve 0/15] U2F authentication
Dietmar Maurer
dietmar at proxmox.com
Wed Mar 27 11:33:12 CET 2019
This looks way too complicated for me ... Do we really want to maintain
that, considering there are very few users?
> On 27 March 2019 at 11:16 Wolfgang Bumiller <w.bumiller at proxmox.com> wrote:
>
>
> Another round of u2f patches. The u2f parts are now always stored in
> /etc/pve/priv/tfa.cfg. pve-access-control now contains a bit more
> generalized methods to modify a user's 2nd factor (in future patches
> this will also be used to add user-opt-in TOTP for when it's not
> configured in the 'realm', basically the user should be able to add a
> 2nd TOTP factor the same way this patch set allows the user to add a u2f
> factor).
>
> Contrary to TOTP, with u2f we have no choice but to split the login into
> two phases. So the ticket's data is changed to convey whether a user is
> currently running a u2f challenge. (Instead of simply being the username
> it is now: `u2f!username!state`, where `state` is either `verified` (the
> complete ticket) or an encoded challenge.)
>
> Notes:
> * As with the previous series, this still currently adds
> libu2f-server bindings to pve-access-control (via xs).
> I'll move this into a separate package once this series is reviewed.
>
> * And also: UI/JS part still needs some polishing...
>
> * Currently I also allow modifying the `origin` but I'm not sure
> whether this is useful. It would make more sense in the node-config
> which isn't exactly reachable from pve-access-control without
> introducing a circular dependency.
>
> Usage (the part which ultimately ends up in pve-docs:)
> - Prerequisites:
> For a single node:
> * A valid https certificate and domain
> For a cluster:
> * Valid https certificates & domains for all nodes on which users
> with u2f authentication should be able to log in.
> * A separate https server (with a valid certificate & domain) to
> host the `app-id.json` file (see `Multi-facet apps`[1]). This
> should list all the domains of your cluster (iow. all
> domains you will be browsing the PVE web UI with).
>
> - Configuration:
> For a single node:
> * Optionally enforce the appid via this /etc/pve/datacenter.cfg
> entry:
>
> u2f: appid=https://your-domain:8006
>
> NOTE: Changing the app-id will lock out all u2f users!
>
> For a cluster:
> * Configure the appid in datacenter.cfg to point to your
> `app-id.json` file:
>
> u2f: appid=https://your.high-available.web.server/pve-app-id.json
>
> NOTE: While the "facet ids" listed in this json file may be
> changed over time, changing the app id URL locks out all
> u2f users!
>
> - Usage:
> In the UI under `Datacenter -> Users` select your user (or if
> you're root@pam select any other user you want to modify) and
> click the `U2F` button.
> Use `Register` to associate your user with your key (Unless you're
> root you need to type in the password first).
> The next time you login you'll see a u2f query.
>
> [1] https://developers.yubico.com/U2F/App_ID.html
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
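The two-phase ticket payload and the single-node vs. cluster app-id facet rule described in the quoted mail, as an added example in Python that is not pve-access-control code: the function names, the sample app-id.json and the domains are constructed for illustration, and the facet check follows the trustedFacets layout from the Yubico App ID document linked above.

```python
# Added example (not the project's code): models `u2f!username!state` and the
# app-id / facet check a server performs before trusting a browser origin.
import json
from typing import Optional, Set, Tuple
from urllib.parse import urlparse

VERIFIED = "verified"

# Constructed sample of a multi-facet app-id.json for a two-node cluster.
APP_ID_JSON = json.dumps({"trustedFacets": [{
    "version": {"major": 1, "minor": 0},
    "ids": ["https://pve1.example.test:8006", "https://pve2.example.test:8006"],
}]})


def parse_u2f_ticket(payload: str) -> Tuple[str, str]:
    """Split `u2f!username!state`; maxsplit keeps any '!' inside the challenge."""
    parts = payload.split("!", 2)
    if len(parts) != 3 or parts[0] != "u2f" or not parts[1] or not parts[2]:
        raise ValueError("not a u2f ticket payload")
    return parts[1], parts[2]


def ticket_grants_access(payload: str) -> bool:
    """Only the completed ticket (state == verified) counts as a full login;
    a challenge-state ticket is good for nothing but finishing the u2f step."""
    try:
        _user, state = parse_u2f_ticket(payload)
    except ValueError:
        return False
    return state == VERIFIED


def allowed_facets(appid: str, app_id_json: Optional[str] = None) -> Set[str]:
    """Single node: the appid itself is the only facet.
    Cluster: appid is the URL of app-id.json, whose trustedFacets hold the origins."""
    if app_id_json is None:
        return {appid.rstrip("/")}
    facets: Set[str] = set()
    for entry in json.loads(app_id_json).get("trustedFacets", []):
        facets.update(f.rstrip("/") for f in entry.get("ids", []))
    return facets


def origin_allowed(browser_url: str, facets: Set[str]) -> bool:
    """The origin (scheme://host[:port]) the UI is browsed from must be https
    and listed as a facet; otherwise registration/login is refused."""
    u = urlparse(browser_url)
    return u.scheme == "https" and f"{u.scheme}://{u.netloc}" in facets
```

Changing the appid itself changes the facet set, which is why the mail warns that doing so locks out every registered u2f user.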