diff options
| author | Christian Poessinger <christian@poessinger.com> | 2022-10-14 20:00:25 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2022-10-14 20:00:25 +0200 |
| commit | da535ef5697f6ce87a7f34ff185e4df239e6af63 (patch) | |
| tree | 4e074588462835ee16384c75c01fbc1058e2e905 /interface-definitions | |
| parent | 427ea592ae8d92d29aca245683832b5bd75b643d (diff) | |
| download | vyos-1x-da535ef5697f6ce87a7f34ff185e4df239e6af63.tar.gz vyos-1x-da535ef5697f6ce87a7f34ff185e4df239e6af63.zip | |
login: 2fa: T874: fix Google authenticator issues
Move default values of TOTP configuration from a global to a per user setting.
This makes the entire code easier as no global configuration must be blended
into the per user config dict.
Also it should be possible to set the authentication window "multiple concurrent
keys" individual per user.
set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq'
set system login user vyos authentication plaintext-password 'vyos'
Diffstat (limited to 'interface-definitions')
| -rw-r--r-- | interface-definitions/system-login.xml.in | 108 |
1 files changed, 47 insertions, 61 deletions
diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in index 7dd045e6c..def42544a 100644 --- a/interface-definitions/system-login.xml.in +++ b/interface-definitions/system-login.xml.in @@ -8,62 +8,6 @@ <priority>400</priority> </properties> <children> - <node name="authentication"> - <properties> - <help>Global authentication settings</help> - </properties> - <children> - <node name="otp"> - <properties> - <help>2FA OTP authentication parameters</help> - </properties> - <children> - <leafNode name="rate-limit"> - <properties> - <help>Number of attempts. Limit logins to N per every M seconds</help> - <valueHelp> - <format>u32:1-10</format> - <description>Number of attempts. Limit logins to N per every M seconds</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-10"/> - </constraint> - <constraintErrorMessage>Number of login attempts must me between 1 and 10</constraintErrorMessage> - </properties> - <defaultValue>3</defaultValue> - </leafNode> - <leafNode name="rate-time"> - <properties> - <help>Time interval. Limit logins to N per every M seconds</help> - <valueHelp> - <format>u32:15-600</format> - <description>Time interval. Limit logins to N per every M seconds</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 15-600"/> - </constraint> - <constraintErrorMessage>Rate limit time interval must be between 15 and 600 seconds</constraintErrorMessage> - </properties> - <defaultValue>30</defaultValue> - </leafNode> - <leafNode name="window-size"> - <properties> - <help>Set window of concurrently valid codes</help> - <valueHelp> - <format>u32:1-21</format> - <description>Set window of concurrently valid codes</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-21"/> - </constraint> - <constraintErrorMessage>Window of concurrently valid codes must be between 1 and 21</constraintErrorMessage> - </properties> - <defaultValue>3</defaultValue> - </leafNode> - </children> - </node> - </children> - </node> <tagNode name="user"> <properties> <help>Local user account information</help> @@ -75,7 +19,7 @@ <children> <node name="authentication"> <properties> - <help>Password authentication</help> + <help>Authentication settings</help> </properties> <children> <leafNode name="encrypted-password"> @@ -94,18 +38,60 @@ </leafNode> <node name="otp"> <properties> - <help>2FA OTP authentication parameters</help> + <help>One-Time-Pad (two-factor) authentication parameters</help> </properties> <children> + <leafNode name="rate-limit"> + <properties> + <help>Limit number of logins (rate-limit) per rate-time</help> + <valueHelp> + <format>u32:1-10</format> + <description>Number of attempts</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-10"/> + </constraint> + <constraintErrorMessage>Number of login attempts must me between 1 and 10</constraintErrorMessage> + </properties> + <defaultValue>3</defaultValue> + </leafNode> + <leafNode name="rate-time"> + <properties> + <help>Limit number of logins (rate-limit) per rate-time</help> + <valueHelp> + <format>u32:15-600</format> + <description>Time interval</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 15-600"/> + </constraint> + <constraintErrorMessage>Rate limit time interval must be between 15 and 600 seconds</constraintErrorMessage> + </properties> + <defaultValue>30</defaultValue> + </leafNode> + <leafNode name="window-size"> + <properties> + <help>Set window of concurrently valid codes</help> + <valueHelp> + <format>u32:1-21</format> + <description>Window size</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21"/> + </constraint> + <constraintErrorMessage>Window of concurrently valid codes must be between 1 and 21</constraintErrorMessage> + </properties> + <defaultValue>3</defaultValue> + </leafNode> <leafNode name="key"> <properties> - <help>Token Key Secret key for the token algorithm (see RFC 4226)</help> + <help>Key/secret the token algorithm (see RFC4226)</help> <valueHelp> <format>txt</format> - <description>OTP key (base32 encoded secret)</description> + <description>Base32 encoded key/token</description> </valueHelp> <constraint> - <regex>[a-zA-Z2-7]{20,10000}</regex> + <regex>[a-zA-Z2-7]{26,10000}</regex> </constraint> <constraintErrorMessage>Key must only include base32 characters and be at least 26 characters long</constraintErrorMessage> </properties> |