From 3d1ff53b82ba100a45b13dea72e219e4da573615 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 15 Oct 2022 08:45:29 +0200 Subject: login: 2fa: adjust to latest CLI commands --- docs/configuration/system/login.rst | 98 ++++++++++++++++++------------------- 1 file changed, 48 insertions(+), 50 deletions(-) (limited to 'docs/configuration/system/login.rst') diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index 4e753aad..a21c36d7 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst @@ -1,8 +1,10 @@ +:lastproofread: 2022-10-15 + .. _user_management: -############### -User Management -############### +##################### +Login/User Management +##################### The default VyOS user account (`vyos`), as well as newly created user accounts, have all capabilities to configure the system. All accounts have sudo @@ -100,57 +102,39 @@ The third part is simply an identifier, and is for your own reference. * ``http:///`` - Load via HTTP from remote machine * ``tftp:///`` - Load via TFTP from remote machine -Example -------- - -In the following example, both `User1` and `User2` will be able to SSH into -VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only -be able to connect from a single IP address. +MFA/2FA authentication using One-Time-Pad +----------------------------------------- -.. code-block:: none - - set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW" - set system login user vyos authentication public-keys 'User1' type ssh-rsa - set system login user vyos authentication public-keys 'User1' options "from="192.168.0.100"" - set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3" - set system login user vyos authentication public-keys 'User2' type ssh-rsa - -2FA with OTP -============ - -It is possible to enhance authentication security by using OTP 2FA. -2FA is configured separately for each user. If an OTP key is configured -for a user, 2FA automatically starts for that user. If a user does -not have an OTP key configured, there is no 2FA check for that user. - -To enable OTP 2FA for a user with default settings, -a single command is sufficient: +It is possible to enhance authentication security by using the :abbr:`2FA +(Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` feature +together with :abbr:`OTP (One-Time-Pad)` on VyOS. :abbr:`2FA (Two-factor +authentication)`/:abbr:`MFA (Multi-factor authentication)` is configured +independently per each user. If an OTP key is configured for a user, 2FA/MFA +is automatically enabled for that particular user. If a user does not have an +OTP key configured, there is no 2FA/MFA check for that user. .. cfgcmd:: set system login user authentication otp key - Assign the OTP 2FA key (base32 encoded secret) `` - to the local user ``. + Enable OTP 2FA for user `username` with default settings, using the BASE32 + encoded 2FA/MFA key specified by ``. -If necessary, a 2FA verification parameters can be changed globally -(for all users): +Optional/default settings +^^^^^^^^^^^^^^^^^^^^^^^^^ -.. cfgcmd:: set system login authentication - otp rate-limit +.. cfgcmd:: set system login user authentication otp rate-limit - Limit logins to `` per every `` - The rate limit must be between 1 and 10 attempts. + Limit logins to `` per every ``rate-time`` seconds. Rate limit must be + between 1 and 10 attempts. -.. cfgcmd:: set system login authentication otp rate-time - +.. cfgcmd:: set system login user authentication otp rate-time - Limit logins to `` per every `` - The rate time must be between 15 and 600 seconds. + Limit logins to ``rate-limit`` attemps per every ``. Rate time must + be between 15 and 600 seconds. -.. cfgcmd:: set system login authentication otp - window-size +.. cfgcmd:: set system login user authentication otp window-size Set window of concurrently valid codes. - + By default, a new token is generated every 30 seconds by the mobile application. In order to compensate for possible time-skew between the client and the server, an extra token before and after the current @@ -165,13 +149,6 @@ If necessary, a 2FA verification parameters can be changed globally The window size must be between 1 and 21. -Example of enabling 2FA OTP authentication with default parameters: - -.. code-block:: none - - set system login user testuser authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2 - set system login user testuser authentication plaintext-password My_NotSo_secret_password - RADIUS ====== @@ -214,7 +191,6 @@ Configuration the attribute you will only get regular, non privilegued, system users. - Login Banner ============ @@ -232,3 +208,25 @@ information for this system. .. note:: To create a new line in your login message you need to escape the new line character by using ``\\n``. + + +Example +======= + +In the following example, both `User1` and `User2` will be able to SSH into +VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only +be able to connect from a single IP address. In addition if password base login +is wanted for the ``vyos`` user a 2FA/MFA keycode is required in addition to +the password. + +.. code-block:: none + + set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW" + set system login user vyos authentication public-keys 'User1' type ssh-rsa + set system login user vyos authentication public-keys 'User1' options "from="192.168.0.100"" + + set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3" + set system login user vyos authentication public-keys 'User2' type ssh-rsa + + set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2 + set system login user vyos authentication plaintext-password vyos -- cgit v1.2.3