From da535ef5697f6ce87a7f34ff185e4df239e6af63 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 14 Oct 2022 20:00:25 +0200 Subject: login: 2fa: T874: fix Google authenticator issues Move default values of TOTP configuration from a global to a per user setting. This makes the entire code easier as no global configuration must be blended into the per user config dict. Also it should be possible to set the authentication window "multiple concurrent keys" individual per user. set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq' set system login user vyos authentication plaintext-password 'vyos' --- interface-definitions/system-login.xml.in | 108 +++++++++++++----------------- 1 file changed, 47 insertions(+), 61 deletions(-) (limited to 'interface-definitions/system-login.xml.in') diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in index 7dd045e6c..def42544a 100644 --- a/interface-definitions/system-login.xml.in +++ b/interface-definitions/system-login.xml.in @@ -8,62 +8,6 @@ 400 - - - Global authentication settings - - - - - 2FA OTP authentication parameters - - - - - Number of attempts. Limit logins to N per every M seconds - - u32:1-10 - Number of attempts. Limit logins to N per every M seconds - - - - - Number of login attempts must me between 1 and 10 - - 3 - - - - Time interval. Limit logins to N per every M seconds - - u32:15-600 - Time interval. Limit logins to N per every M seconds - - - - - Rate limit time interval must be between 15 and 600 seconds - - 30 - - - - Set window of concurrently valid codes - - u32:1-21 - Set window of concurrently valid codes - - - - - Window of concurrently valid codes must be between 1 and 21 - - 3 - - - - - Local user account information @@ -75,7 +19,7 @@ - Password authentication + Authentication settings 
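Review bot: Removing the global `system login authentication otp` node (`rate-limit`, `rate-time`, `window-size`) without a matching migration means any existing configuration that sets those paths will stop validating on load; unless a migration script accompanies this change elsewhere in the series, one should move the old global values under each user's `authentication otp` node. The help-text change at the end of the hunk, `<help>Authentication settings</help>`, is fine, though `<help>Password and OTP authentication settings</help>` would tell the operator what the node now covers. The enclosing user node definition continues outside this hunk, so I cannot see whether the renamed help sits on a `node` or `tagNode`.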
@@ -94,18 +38,60 @@ - 2FA OTP authentication parameters + One-Time-Pad (two-factor) authentication parameters + + + Limit number of logins (rate-limit) per rate-time + + u32:1-10 + Number of attempts + + + + + Number of login attempts must me between 1 and 10 + + 3 + + + + Limit number of logins (rate-limit) per rate-time + + u32:15-600 + Time interval + + + + + Rate limit time interval must be between 15 and 600 seconds + + 30 + + + + Set window of concurrently valid codes + + u32:1-21 + Window size + + + + + Window of concurrently valid codes must be between 1 and 21 + + 3 + - Token Key Secret key for the token algorithm (see RFC 4226) + Key/secret the token algorithm (see RFC4226) txt - OTP key (base32 encoded secret) + Base32 encoded key/token - [a-zA-Z2-7]{20,10000} + [a-zA-Z2-7]{26,10000} Key must only include base32 characters and be at least 26 characters long -- cgit v1.2.3
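Review bot: The new per-user help text `One-Time-Pad (two-factor) authentication parameters` misnames the mechanism: the key this node accepts is an RFC 4226 HOTP / RFC 6238 TOTP secret, i.e. a one-time *password*, whereas a one-time pad is an unrelated cipher, so it should read `<help>One-Time Password (two-factor) authentication parameters</help>`. In the same hunk the `rate-limit` constraint message still carries the typo `must me between` (should be `must be between`), and the key help `Key/secret the token algorithm` is missing "for". A short addition to the `window-size` help such as `Larger values accept codes further from the current time step and widen the replay/guess window` would be worth adding, since the permitted upper bound of 21 is far wider than the default of 3; the exact per-step semantics depend on the PAM module consuming this value, which is not visible here. The base32 pattern `[a-zA-Z2-7]{26,10000}` now matches its own "at least 26 characters" error message, but accepting lowercase means the secret is normalised somewhere downstream, which the help text could state.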