diff options
Diffstat (limited to 'docs/configuration/system')
| -rw-r--r-- | docs/configuration/system/login.rst | 87 |
1 files changed, 72 insertions, 15 deletions
diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index 08746201..3a37342d 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst @@ -1,8 +1,10 @@ +:lastproofread: 2022-10-15 + .. _user_management: -############### -User Management -############### +##################### +Login/User Management +##################### The default VyOS user account (`vyos`), as well as newly created user accounts, have all capabilities to configure the system. All accounts have sudo @@ -100,21 +102,55 @@ The third part is simply an identifier, and is for your own reference. * ``http://<host>/<file>`` - Load via HTTP from remote machine * ``tftp://<host>/<file>`` - Load via TFTP from remote machine -Example -------- +MFA/2FA authentication using One-Time-Pad +----------------------------------------- -In the following example, both `User1` and `User2` will be able to SSH into -VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only -be able to connect from a single IP address. +It is possible to enhance authentication security by using the :abbr:`2FA +(Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` feature +together with :abbr:`OTP (One-Time-Pad)` on VyOS. :abbr:`2FA (Two-factor +authentication)`/:abbr:`MFA (Multi-factor authentication)` is configured +independently per each user. If an OTP key is configured for a user, 2FA/MFA +is automatically enabled for that particular user. If a user does not have an +OTP key configured, there is no 2FA/MFA check for that user. -.. code-block:: none +.. cfgcmd:: set system login user <username> authentication otp key <key> - set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW" - set system login user vyos authentication public-keys 'User1' type ssh-rsa - set system login user vyos authentication public-keys 'User1' options "from="192.168.0.100"" - set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3" - set system login user vyos authentication public-keys 'User2' type ssh-rsa + Enable OTP 2FA for user `username` with default settings, using the BASE32 + encoded 2FA/MFA key specified by `<key>`. + +Optional/default settings +^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. cfgcmd:: set system login user <username> authentication otp rate-limit <limit> + :defaultvalue: + + Limit logins to `<limit>` per every ``rate-time`` seconds. Rate limit must be + between 1 and 10 attempts. + +.. cfgcmd:: set system login user <username> authentication otp rate-time <seconds> + :defaultvalue: + + Limit logins to ``rate-limit`` attemps per every `<seconds>`. Rate time must + be between 15 and 600 seconds. + +.. cfgcmd:: set system login user <username> authentication otp window-size <size> + :defaultvalue: + + Set window of concurrently valid codes. + + By default, a new token is generated every 30 seconds by the mobile + application. In order to compensate for possible time-skew between + the client and the server, an extra token before and after the current + time is allowed. This allows for a time skew of up to 30 seconds + between authentication server and client. + For example, if problems with poor time synchronization are experienced, + the window can be increased from its default size of 3 permitted codes + (one previous code, the current code, the next code) to 17 permitted codes + (the 8 previous codes, the current code, and the 8 next codes). This will + permit for a time skew of up to 4 minutes between client and server. + + The window size must be between 1 and 21. RADIUS ====== @@ -158,7 +194,6 @@ Configuration the attribute you will only get regular, non privilegued, system users. - Login Banner ============ @@ -176,3 +211,25 @@ information for this system. .. note:: To create a new line in your login message you need to escape the new line character by using ``\\n``. + + +Example +======= + +In the following example, both `User1` and `User2` will be able to SSH into +VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only +be able to connect from a single IP address. In addition if password base login +is wanted for the ``vyos`` user a 2FA/MFA keycode is required in addition to +the password. + +.. code-block:: none + + set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW" + set system login user vyos authentication public-keys 'User1' type ssh-rsa + set system login user vyos authentication public-keys 'User1' options "from="192.168.0.100"" + + set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3" + set system login user vyos authentication public-keys 'User2' type ssh-rsa + + set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2 + set system login user vyos authentication plaintext-password vyos |