On 4/2/19 12:21 PM, Wolfgang Bumiller wrote:
> This should bring the TFA improvements closer to a finish.
> Changes to v1:
> * Moved libu2f-server bindings to a separate package
> * Changed .../u2f api endpoints to be named .../tfa, because:
> * Added support for user-configured TOTP (also for realms with no TFA
>   configured).
> * "Proper" UI added:
>   - Added a more generic tabbed TFA edit window to users:
>   - User configuration of TOTP shows a QR code
>   - u2f part is less ugly ;-)

applied series, with followups.

>
> For the usage, see the v1 mail, with 1 additional note:
> - Configuration
>   For a cluster:
>
> Usage (copied from v1 and updated):
> - Prerequisites:
>   For a single node:
>   * A valid https certificate and domain
>   For a cluster:
>   * Valid https certificates & domains for all nodes on which users
>     with u2f authentication should be able to log in.
>   * A separate https server (with a valid certificate & domain) to
>     host the `app-id.json` file (see `Multi-facet apps[1]`). This
>     should list all the domains of your cluster (iow. all
>     domains you will be browsing the PVE web UI with.).
>
> - Configuration:
>   For a single node:
>   * Optionally enforce the appid via this /etc/pve/datacenter.cfg
>     entry:
>
>       u2f: appid=https://your-domain:8006
>
>     NOTE: Changing the app-id will lock out all u2f users!
>
>   For a cluster:
>   a) If all nodes are reachable via subdomains under the same
>      parent domain, the parent domain can be used as appid.
>
>        u2f: appid=https://example.com
>
>      allows u2f authentication on https://nodeXY.example.com
>
>   b) Configure the appid in datacenter.cfg to point to your
>      `app-id.json` file:
>
>        u2f: appid=https://your.high-available.web.server/pve-app-id.json
>
>      NOTE: While the "facet ids" listed in this json file may be
>      changed over time, changing the app id URL locks out all
>      u2f users!
>
> [1] https://developers.yubico.com/U2F/App_ID.html
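
For cluster option (b) in the quoted mail, an added example (not part of this thread or of PVE's code) that builds the `app-id.json` facet list from the URLs users browse to and reports origins the published file does not list. It assumes the `trustedFacets` layout of the FIDO AppID and Facet specification described at [1]; the node hostnames and function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

def facet_id(url):
    """Reduce a URL to its web origin, the form a facet id takes."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"facet must be an https URL with a host: {url!r}")
    host = parts.hostname  # urlsplit already lower-cases the host
    if ":" in host:        # IPv6 literal: put the brackets back
        host = f"[{host}]"
    # The default port is dropped from an origin; PVE's 8006 is kept.
    if parts.port in (None, 443):
        return f"https://{host}"
    return f"https://{host}:{parts.port}"

def build_app_id_json(node_urls):
    """Return the app-id.json text listing every node origin exactly once."""
    ids = sorted({facet_id(u) for u in node_urls})
    if not ids:
        raise ValueError("no facets given")
    doc = {"trustedFacets": [{"version": {"major": 1, "minor": 0}, "ids": ids}]}
    return json.dumps(doc, indent=2)

def missing_facets(app_id_json, node_urls):
    """Origins users browse to that the published file does not list."""
    doc = json.loads(app_id_json)
    listed = {i for entry in doc.get("trustedFacets", [])
              for i in entry.get("ids", [])}
    return sorted({facet_id(u) for u in node_urls} - listed)

# Constructed sample: URLs as copied from a browser address bar.
NODES = [
    "https://node1.example.com:8006/",
    "https://NODE2.example.com:8006/#v1:0:18",
    "https://node3.example.com:8006",
]

if __name__ == "__main__":
    published = build_app_id_json(NODES[:2])  # node3 not yet added
    print(published)
    print("not listed:", missing_facets(published, NODES))
```

The FIDO specification expects this file to be served with the Content-Type `application/fido.trusted-apps+json`. Regenerating the facet list is safe, but the URL it is served from must stay the same, per the NOTE in the quoted mail.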