1 files changed, 83 insertions, 9 deletions

diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in
index d189be3f8..e71a647ef 100644
--- a/interface-definitions/system-login.xml.in
+++ b/interface-definitions/system-login.xml.in
@@ -19,7 +19,7 @@
             <children>
               <node name="authentication">
                 <properties>
-                  <help>Password authentication</help>
+                  <help>Authentication settings</help>
                 </properties>
                 <children>
                   <leafNode name="encrypted-password">
@@ -36,6 +36,68 @@
                     </properties>
                     <defaultValue>!</defaultValue>
                   </leafNode>
+                  <node name="otp">
+                    <properties>
+                      <help>One-Time-Pad (two-factor) authentication parameters</help>
+                    </properties>
+                    <children>
+                      <leafNode name="rate-limit">
+                        <properties>
+                          <help>Limit number of logins (rate-limit) per rate-time</help>
+                          <valueHelp>
+                            <format>u32:1-10</format>
+                            <description>Number of attempts</description>
+                          </valueHelp>
+                          <constraint>
+                            <validator name="numeric" argument="--range 1-10"/>
+                          </constraint>
+                          <constraintErrorMessage>Number of login attempts must me between 1 and 10</constraintErrorMessage>
+                        </properties>
+                        <defaultValue>3</defaultValue>
+                      </leafNode>
+                      <leafNode name="rate-time">
+                        <properties>
+                          <help>Limit number of logins (rate-limit) per rate-time</help>
+                          <valueHelp>
+                            <format>u32:15-600</format>
+                            <description>Time interval</description>
+                          </valueHelp>
+                          <constraint>
+                            <validator name="numeric" argument="--range 15-600"/>
+                          </constraint>
+                          <constraintErrorMessage>Rate limit time interval must be between 15 and 600 seconds</constraintErrorMessage>
+                        </properties>
+                        <defaultValue>30</defaultValue>
+                      </leafNode>
+                      <leafNode name="window-size">
+                        <properties>
+                          <help>Set window of concurrently valid codes</help>
+                          <valueHelp>
+                            <format>u32:1-21</format>
+                            <description>Window size</description>
+                          </valueHelp>
+                          <constraint>
+                            <validator name="numeric" argument="--range 1-21"/>
+                          </constraint>
+                          <constraintErrorMessage>Window of concurrently valid codes must be between 1 and 21</constraintErrorMessage>
+                        </properties>
+                        <defaultValue>3</defaultValue>
+                      </leafNode>
+                      <leafNode name="key">
+                        <properties>
+                          <help>Key/secret the token algorithm (see RFC4226)</help>
+                          <valueHelp>
+                            <format>txt</format>
+                            <description>Base32 encoded key/token</description>
+                          </valueHelp>
+                          <constraint>
+                            <regex>[a-zA-Z2-7]{26,10000}</regex>
+                          </constraint>
+                          <constraintErrorMessage>Key must only include base32 characters and be at least 26 characters long</constraintErrorMessage>
+                        </properties>
+                      </leafNode>
+                    </children>
+                  </node>
                   <leafNode name="plaintext-password">
                     <properties>
                       <help>Plaintext password used for encryption</help>
@@ -65,32 +127,44 @@
                       </leafNode>
                       <leafNode name="type">
                         <properties>
-                          <help>Public key type</help>
+                          <help>SSH public key type</help>
                           <completionHelp>
-                            <list>ssh-dss ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519</list>
+                            <list>ssh-dss ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519 sk-ecdsa-sha2-nistp256@openssh.com sk-ssh-ed25519@openssh.com</list>
                           </completionHelp>
                           <valueHelp>
                             <format>ssh-dss</format>
-                            <description/>
+                            <description>Digital Signature Algorithm (DSA) key support</description>
                           </valueHelp>
                           <valueHelp>
                             <format>ssh-rsa</format>
-                            <description/>
+                            <description>Key pair based on RSA algorithm</description>
                           </valueHelp>
                           <valueHelp>
                             <format>ecdsa-sha2-nistp256</format>
-                            <description/>
+                            <description>Elliptic Curve DSA with NIST P-256 curve</description>
                           </valueHelp>
                           <valueHelp>
                             <format>ecdsa-sha2-nistp384</format>
-                            <description/>
+                            <description>Elliptic Curve DSA with NIST P-384 curve</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>ecdsa-sha2-nistp521</format>
+                            <description>Elliptic Curve DSA with NIST P-521 curve</description>
                           </valueHelp>
                           <valueHelp>
                             <format>ssh-ed25519</format>
-                            <description/>
+                            <description>Edwards-curve DSA with elliptic curve 25519</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>sk-ecdsa-sha2-nistp256@openssh.com</format>
+                            <description>Elliptic Curve DSA security key</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>sk-ssh-ed25519@openssh.com</format>
+                            <description>Elliptic curve 25519 security key</description>
                           </valueHelp>
                           <constraint>
-                            <regex>(ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-ed25519)</regex>
+                            <regex>(ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-ed25519|sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com)</regex>
                           </constraint>
                         </properties>
                       </leafNode>