Two-Factor Authentication: Difference between revisions

From Proxmox VE
m (fix link to TFA in pve-docs)
 
(11 intermediate revisions by 8 users not shown)
= Introduction =
Two-factor authentication adds an additional layer of security by introducing a second step to your login to the Proxmox VE web interface. In addition to the existing username/password, a one-time password (OTP) is used. A new OTP is required for each new login session. Once generated, it remains valid for 30 min (default value).

For a general overview of two-factor authentication in PVE see the [[User Management#_two factor authentication|corresponding User Management section]]. For a complete step-by-step guide to setting up OATH OTP two-factor authentication (2FA) see the [https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pveum_tfa_auth Two Factor Authentication section of our Documentation]. For a demonstration setup for Yubico OTP see [[YubiKey|the YubiKey article]].

Proxmox VE 3.3 (currently beta) offers two different methods:
*Time Based One-Time Passwords (TOTP)
*YubiKey

=Time Based One-Time Passwords=
[[Image:Screen-Prepare-Realm-for-OATH.png|thumb]] [[Image:Screen-OATH-UserConfig.png|thumb]] [[Image:Screen-OATH-User-Login.png|thumb]]
 
The Initiative for Open Authentication (OATH) is an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication. It has close to thirty coordinating and contributing members and proposes standards for a variety of authentication technologies, with the aim of lowering costs and simplifying their use. For details see the [http://www.openauthentication.org official website].
 
TOTP combines a secret key with the current timestamp using a cryptographic hash function to generate a one-time password. The timestamp typically advances in 30-second intervals, so passwords generated close together in time from the same secret key will be equal.
 
In a typical two-factor authentication application, user authentication proceeds as follows: the user enters username and password into a website or other server, generates a one-time password for the server using TOTP running locally on a smartphone or other device, and types that password into the server as well. The server then also runs TOTP to verify the entered one-time password. [http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm wikipedia]
 
==Configuration==
Using a time based one-time password requires only an OATH application on your smartphone or tablet, e.g. [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Google Authenticator] for Android; no extra hardware and no internet connection are needed.
 
Two-factor authentication (TFA) can be enabled on any authentication realm. In this howto I describe the steps for the realm "Proxmox VE authentication server". As soon as you have enabled OATH for an authentication realm, only users with a configured secret can log in, so add the secrets before closing your administrative session. Make sure that you are logged in as root for these configuration changes.
 
1. Enable TFA (select OATH) on the authentication realm.
 
2. Add a unique secret (password) to each user. This secret must also be added to the OATH app on the smartphone of that user. To generate a secret, you can run the following command on your Proxmox VE host:
  oathkeygen
 
If a user has more than one secret, add all of them separated by spaces.
 
3. Install the OATH app on your smartphone, add a new account and add the secret from above.
 
In order to test, just use another browser. I used Firefox doing the configuration with root@pam, so I test the TFA login with Chrome.
*Select the Authentication Realm
*Enter username and password
*Start the app on your smartphone and enter the displayed code into the OTP field. Each code is valid for 30 seconds. To give you more time for entering it, and to tolerate small time differences between your Proxmox VE host and your smartphone, we added a 30-second grace period (before and after).
 
=YubiKey=
 
[[Image:Screen-Prepare-Realm-for-Yubico.png|thumb]] [[Image:Screen-Yubico-UserConfig.png|thumb]] [[Image:Screen-Yubico-User-Login.png|thumb]]
 
A YubiKey is a USB device that presents itself to your computer as a keyboard and types a one-time password when its button is pressed. These are physical devices that need to be purchased from Yubico directly, see http://www.yubico.com/
 
In order to login with YubiKey, you need:
*the YubiKey (USB device)
*internet connection
 
==Configuration==
As soon as you have your YubiKey, you can immediately start using it. Two-factor authentication can be enabled on any authentication realm. In this howto I describe the steps for the realm "Proxmox VE authentication server". As soon as you have enabled YubiKey for an authentication realm, only users with a YubiKey can log in. Make sure that you are logged in as root for these configuration changes.
 
1. Enable TFA (select Yubico) on the authentication realm and add the Yubico API key (you can get the API key from www.yubico.com). A valid API key allows access to and use of the Yubico servers. This has to be done only once per realm.
 
2. Add the YubiKey ID to each user. To get the key id from the USB device, plug in the YubiKey and press the button on the key. The first 12 characters of the output are the key id (delete the rest). Repeat this step for all users of this realm. Of course, each user needs a separate key. If a user has more than one key, add all key ids separated by spaces.
 
In order to test, just use another browser. I used Firefox doing the configuration with root@pam, so I test the TFA login with Chrome.
*Select the Authentication Realm
*Enter username and password
*Click into the OTP field and press the button on your YubiKey
 
= Troubleshooting =
 
If TFA is enabled on the realm but a user has no OATH secret associated with their account (for example, you forgot to add one, or were logged off before doing so), log in via SSH, generate a secret and manually append it to the end of that user's line in /etc/pve/user.cfg:
  oathkeygen
 
  nano /etc/pve/user.cfg
 
  user:root@pam:1:0::::OATH Secret:Q3Y0UROATHKEYGEN7:

Latest revision as of 07:11, 21 August 2019
