[pve-devel] [RFC/Draft] U2F Authentication

Thomas Lamprecht t.lamprecht at proxmox.com
Tue May 29 15:40:16 CEST 2018


On 5/24/18 3:28 PM, Wolfgang Bumiller wrote:
> This is an attempt at adding U2F authentication. This is a little
> different than our current 2FA variant, since it requires the user to be
> able to interactively add/update/delete the U2F key, and also (mostly)
> requires the login to happen in two phases which required some changes
> to our ticket system: In addition to regular tickets there's now a
> special u2f ticket syntax which, after the initial login and before the
> verification happened, contains the challenge the client has to
> recognize and deal with by sending it off to the u2f device.
> 
> Notes:
>   * Currently this adds libu2f-server bindings to pve-access-control
>     (via xs), which therefore now depends on that library. We can add
>     this as a "suggested" or "recommended" package, and/or split the
>     bindings into a libpve-u2f-perl package or something...
> 

I'd lean towards splitting out the bindings in it's own package - we could
even upstream that into Debian if not to much hassle, others could profit
from it.

>   * Since we need to store the key somewhere, this is currently working
>     for the PVE realm for the testing phase. We can either leave it up
>     to the authentication plugin to store the data (eg. ldap could maybe
>     store it on the ldap server?) or just decide on sticking it all
>     somewhere in /etc/priv and keep it plugin independent. (That's
>     probably a simpler approach anyway)
> 
>   * UI and JS part probably need some polishing by people who're more
>     enthusiastic about javascript ;-)
> 
> To test:
>   * Setup working certificates (needs to be green in your browser)
>   * Configure the u2f appid and origin (we might be able to do that
>     automatically - especially now with the additional certificate
>     helpers from the let's encrypt part we should be able to figure out
>     a default domain/url that way...
>     datacenter.cfg example:
> 
>        u2f: appid=https://awesomecluster.foo.bar:8006,origin=https://awesomecluster.foo.bar:8006

a not completed u2f registration blocks login, e.g., this does not works
with Firefox so you cannot complete the challenge, but the code does not
cope with the case where one wants to login with the still unfinished
challenge in the shadow.cfg

I still need to take a deeper look at the rest of the code though.




More information about the pve-devel mailing list