Two-Factor Authentication
Introduction
Two-factor authentication adds an additional layer of security by introducing a second step to the login to the Proxmox VE web interface. In addition to the existing username/password, a one-time password (OTP) is required.
Proxmox VE 3.3 (currently beta) offers two different methods:
- Time Based One-Time Passwords (OATH)
- YubiKey
Time Based One-Time Passwords
The Initiative for Open Authentication (OATH) is an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication. It has close to thirty coordinating and contributing members and proposes standards for a variety of authentication technologies, with the aim of lowering costs and simplifying their use. For details see the official website.
Configuration
Using time-based one-time passwords requires only installing an OATH-compatible application on a smartphone or tablet, e.g. Google Authenticator for Android. No extra hardware and no internet connection are needed; only a reasonably accurate clock on the device, since the codes are derived from the current time.
Two-factor authentication can be enabled on any authentication realm. This howto describes the steps for the realm "Proxmox VE authentication server". As soon as OATH is enabled for an authentication realm, only users of that realm with a configured secret can log in. Make sure that you are logged in as root for these configuration changes.
1. Enable TFA (OATH) on the authentication realm.
2. Add a unique secret (a base32 string) to each user. The same secret also has to be added to the OATH app on the smartphone of that user, so treat it like a password. To generate a secret, run the following command on your Proxmox VE host: 'oathkeygen'. If a user has more than one secret (e.g. one per device), add all of them separated with spaces.
3. Install the OATH app on your smartphone, add a new account and add the secret from above.
In order to test, use a second browser so that the root@pam session used for the configuration stays open. I used Firefox for the configuration with root@pam, so I test the TFA login with Chrome.
- Select the Authentication Realm
- Enter username and password
- Start the app on your smartphone and enter the displayed code into the OTP field. Each code is valid for 30 seconds. To give you more time for entering the code and to tolerate small clock differences between your Proxmox VE host and your smartphone, a grace period of 30 seconds (one step before and one step after the current code) is accepted.
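The following is an added example (not code from the Proxmox VE project) that shows in Python what the OTP check described above amounts to: RFC 6238 TOTP with 30-second steps, six digits, and one step of grace before and after the current window. The secret format (a random 16-character base32 string) is an assumption chosen to resemble an oathkeygen secret, not a copy of that tool; the space-separated multi-secret handling follows step 2.

```python
"""TOTP (RFC 6238) generation and verification with a +/-1 step grace window.

Added example, not Proxmox VE code. Mirrors the behaviour described on the
page: 30-second codes, six digits, one step of tolerance each way.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # code lifetime, as on the page
DIGITS = 6          # standard six-digit codes
GRACE_STEPS = 1     # accept one step before and one after (30 s each way)


def generate_secret(length=16):
    """Random base32 secret of `length` characters.
    Assumption: shaped like an oathkeygen secret; not that tool's implementation."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hotp(secret_b32, counter):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "{:0{}d}".format(code % 10 ** DIGITS, DIGITS)


def totp(secret_b32, at_time):
    """Code for the 30-second step that contains `at_time` (Unix seconds)."""
    return hotp(secret_b32, int(at_time) // STEP_SECONDS)


def verify_totp(secret_b32, code, at_time, grace_steps=GRACE_STEPS):
    """Return the step offset (-1, 0 or +1) at which `code` matched, or None.

    Compares in constant time so a wrong code leaks nothing about the right one.
    """
    if not (code.isdigit() and len(code) == DIGITS):
        return None
    counter = int(at_time) // STEP_SECONDS
    for offset in range(-grace_steps, grace_steps + 1):
        step = counter + offset
        if step < 0:          # cannot happen with real clocks; guards struct.pack(">Q")
            continue
        if hmac.compare_digest(hotp(secret_b32, step), code):
            return offset
    return None


def verify_user(secret_list, code, at_time):
    """Check `code` against every secret configured for a user, given as the
    space-separated string the howto describes. True if any secret matches."""
    return any(verify_totp(s, code, at_time) is not None for s in secret_list.split())


if __name__ == "__main__":
    secret = generate_secret()
    now = time.time()
    code = totp(secret, now)
    print("secret:", secret, "code:", code)
    print("same step:   ", verify_totp(secret, code, now))        # 0
    print("30 s later:  ", verify_totp(secret, code, now + 30))   # -1 (grace)
    print("90 s later:  ", verify_totp(secret, code, now + 90))   # None (expired)
```

The grace window trades a little replay exposure for usability: a code stays acceptable for up to 90 seconds in total, so a production implementation should additionally remember the last counter accepted per user and refuse to accept that same or an earlier step again.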
YubiKey
A YubiKey is a USB device that presents itself to the computer as a keyboard and, when you press its button, types a one-time password into the focused input field. These are physical devices that need to be purchased from Yubico directly, see http://www.yubico.com/
In order to login with YubiKey, you need:
- the YubiKey (USB device)
- an internet connection on the Proxmox VE host, since the OTP is validated by the Yubico servers
Configuration
As soon as you have your YubiKey, you can start using it immediately. Two-factor authentication can be enabled on any authentication realm. This howto describes the steps for the realm "Proxmox VE authentication server". As soon as YubiKey is enabled for an authentication realm, only users of that realm with a configured YubiKey can log in. Make sure that you are logged in as root for these configuration changes.
1. Enable TFA (Yubico) on the authentication realm and add the Yubico API key (you can get the API key from www.yubico.com). A valid API key authorizes the host to query the Yubico validation servers. This has to be done only once per realm.
2. Add the YubiKey ID to each user. To get the key ID from the USB device, plug in the YubiKey, focus a text field and press the button on the key. The first 12 characters of the typed OTP are the key ID (just delete the rest). Repeat this step for all users of this realm. Of course, each user needs a separate key. If a user has more than one key, add all key IDs separated with a space.
In order to test, use a second browser so that the root@pam session used for the configuration stays open. I used Firefox for the configuration with root@pam, so I test the TFA login with Chrome.
- Select the Authentication Realm
- Enter username and password
- Click into the OTP field and press the button on your YubiKey
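As an added example (not Proxmox VE project code), the following Python shows the local part of the check step 2 sets up: taking the first 12 of the 44 modhex characters a YubiKey types as the key ID and matching it against the space-separated list of IDs configured for the user. The sample OTP is constructed for illustration. Note what this check does and does not prove: the ID is public and trivially typed by anyone, so it only selects which key a user claims to own; authenticity comes from the remaining 32 encrypted characters, which are verified by the Yubico validation servers and are not checked here.

```python
"""Local YubiKey ID extraction and per-user matching.

Added example, not Proxmox VE code. The cryptographic token (the last 32
characters of the OTP) is only validated by the Yubico servers, which this
example deliberately does not call.
"""
MODHEX = set("cbdefghijklnrtuv")   # layout-independent alphabet that YubiKeys type
PUBLIC_ID_LEN = 12                 # default public ID length, as on the page
TOKEN_LEN = 32                     # encrypted one-time part that follows the ID


def yubikey_public_id(otp):
    """Return the 12-character public ID of a typed Yubico OTP, or None if the
    input is not a well-formed 44-character modhex string."""
    otp = otp.strip().lower()      # the key finishes its output with Enter
    if len(otp) != PUBLIC_ID_LEN + TOKEN_LEN:
        return None
    if not set(otp) <= MODHEX:     # any non-modhex character means garbage input
        return None
    return otp[:PUBLIC_ID_LEN]


def key_matches_user(otp, configured_ids):
    """True if the OTP's public ID is one of the space-separated key IDs
    configured for the user (several keys per user are allowed)."""
    public_id = yubikey_public_id(otp)
    return public_id is not None and public_id in configured_ids.split()


# Constructed sample: 12-character ID followed by a made-up 32-character token.
SAMPLE_OTP = "ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded\n"

if __name__ == "__main__":
    print("key id:", yubikey_public_id(SAMPLE_OTP))
    print("matches user with two keys:",
          key_matches_user(SAMPLE_OTP, "vvvvvvvvvvvv ccccccbcgujh"))
```

A successful `key_matches_user` only means the login may proceed to server-side validation; the realm must still send the full OTP to the Yubico servers with the configured API key and accept the login only if they report it as valid and not previously used.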