From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [RFC backup 0/6] Two factor authentication
Date: Thu, 19 Nov 2020 15:56:02 +0100 [thread overview]
Message-ID: <20201119145608.16866-1-w.bumiller@proxmox.com> (raw)
This series is a first RFC for two factor authentication.
Notes:
* Backend contains support for TOTP, Webauthn, Recovery keys and U2F.
* The webauthn-rs crate introduces new dependencies we need to package:
- `half`
- `serde-cbor`
For our internal rust packaging I pushed the current debcargo-conf
changes to my `staff/w.bumiller/debcargo-conf` repo, branch `webauthn-rs`.
some extra (already-packaged) deps will be pulled in along with them:
$ cargo update
Adding getrandom v0.1.14
Adding half v1.6.0
Adding nom v4.2.3
Adding ppv-lite86 v0.2.6
Adding rand v0.7.2
Adding rand_chacha v0.2.2
Adding rand_core v0.5.1
Adding rand_hc v0.2.0
Adding serde_bytes v0.11.5
Adding serde_cbor v0.11.1
Adding thiserror v1.0.15
Adding thiserror-impl v1.0.15
Adding webauthn-rs v0.2.5
* I wrote u2f before webauthn and left it in there unused because:
* we may want to move the code out to be integrated to PVE and PBS as
well for webauthn
* if we do: the webauthn-rs crate doesn't seem to provide a way
forward to using existin u2f credentials, so to not break those
we'll need the u2f backend.
* The GUI does not use U2F (see above). (I do have code for it if for
some reason we do want that).
* The GUI code is probably super weird. Some windows might look clunky,
but for me they always do currently since I'm working with
non-standard dpi monitor settings... so I can't really tell :-P
* I introduced some `async` code into the GUI because the webauthn api
uses Promises and extjs doesn't seem to have issues with that...
* The TFA configuration is currently a single json file.
* While writing this mail I realized I still want to change the way
webauthn credentials are being serialized, but that's not important
for a first draft to look through ;-)
Wolfgang Bumiller (6):
add tools::serde_filter submodule
config: add tfa configuration
api: tfa management and login
depend on libjs-qrcodejs
proxy: expose qrcodejs
gui: tfa support
Cargo.toml | 1 +
debian/control.in | 1 +
src/api2/access.rs | 171 ++++--
src/api2/access/tfa.rs | 567 +++++++++++++++++
src/bin/proxmox-backup-proxy.rs | 1 +
src/config.rs | 1 +
src/config/tfa.rs | 1017 +++++++++++++++++++++++++++++++
src/server.rs | 2 +
src/server/rest.rs | 5 +-
src/server/ticket.rs | 77 +++
src/tools.rs | 1 +
src/tools/serde_filter.rs | 97 +++
www/LoginView.js | 323 +++++++++-
www/Makefile | 6 +
www/OnlineHelpInfo.js | 36 --
www/Utils.js | 59 ++
www/config/TfaView.js | 322 ++++++++++
www/index.hbs | 1 +
www/panel/AccessControl.js | 6 +
www/window/AddTfaRecovery.js | 211 +++++++
www/window/AddTotp.js | 283 +++++++++
www/window/AddWebauthn.js | 193 ++++++
www/window/TfaEdit.js | 92 +++
23 files changed, 3357 insertions(+), 116 deletions(-)
create mode 100644 src/api2/access/tfa.rs
create mode 100644 src/config/tfa.rs
create mode 100644 src/server/ticket.rs
create mode 100644 src/tools/serde_filter.rs
create mode 100644 www/config/TfaView.js
create mode 100644 www/window/AddTfaRecovery.js
create mode 100644 www/window/AddTotp.js
create mode 100644 www/window/AddWebauthn.js
create mode 100644 www/window/TfaEdit.js
--
2.20.1
next reply other threads:[~2020-11-19 14:56 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-19 14:56 Wolfgang Bumiller [this message]
2020-11-19 14:56 ` [pbs-devel] [RFC backup 1/6] add tools::serde_filter submodule Wolfgang Bumiller
2020-11-19 14:56 ` [pbs-devel] [RFC backup 2/6] config: add tfa configuration Wolfgang Bumiller
2020-11-19 14:56 ` [pbs-devel] [RFC backup 3/6] api: tfa management and login Wolfgang Bumiller
2020-11-19 14:56 ` [pbs-devel] [RFC backup 4/6] depend on libjs-qrcodejs Wolfgang Bumiller
2020-11-19 14:56 ` [pbs-devel] [RFC backup 5/6] proxy: expose qrcodejs Wolfgang Bumiller
2020-11-19 14:56 ` [pbs-devel] [RFC backup 6/6] gui: tfa support Wolfgang Bumiller
2020-11-24 9:42 ` Wolfgang Bumiller
2020-11-24 9:51 ` Thomas Lamprecht
2020-12-02 10:56 ` [pbs-devel] [RFC backup 0/6] Two factor authentication Oguz Bektas
2020-12-02 12:27 ` Thomas Lamprecht
2020-12-02 12:34 ` Thomas Lamprecht
2020-12-02 12:48 ` Oguz Bektas
2020-12-02 12:59 ` Wolfgang Bumiller
2020-12-02 13:08 ` Oguz Bektas
2020-12-02 12:35 ` Oguz Bektas
2020-12-02 12:51 ` Wolfgang Bumiller
2020-12-02 13:15 ` Thomas Lamprecht
2020-12-02 13:07 ` Thomas Lamprecht
2020-12-02 13:35 ` Oguz Bektas
2020-12-02 14:05 ` Thomas Lamprecht
2020-12-02 14:21 ` Oguz Bektas
2020-12-02 14:29 ` Wolfgang Bumiller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201119145608.16866-1-w.bumiller@proxmox.com \
--to=w.bumiller@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.