PDM and TFA

bob_v2

Member
Mar 26, 2022
Hi,
Thanks a lot for this amazing new feature!
It's working great on one of the two nodes I have.
The other one is accessible with double authentication (TFA). When I tried to add it on my PDM it said that this is not supported.
Do you have any idea when (or if) it will be ok? I don't intend to remove my double identification.

Thanks again for the great work.
 
Hello,

This is currently not supported, and for certain TFA methods like WebAuthn we cannot really add support, as those are bound to the domain, so the browser would reject doing the additional challenge for security reasons when proxying the login; well, for all cases but the special case where the PDM and the remote are on the exact same domain (albeit not sure if port would need to be the same there too).

We could implement it for the TOTP and recovery key method, albeit it could be better to add a "PDM join info" endpoint/dialogue to the PVE side where one can optionally pre-create the API token and then copy that info encoded into the PDM remote add dialogue, providing all, or at least most, necessary basic data like TLS fingerprints.
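
The domain binding mentioned in the reply above can be modelled as two checks: the browser's RP ID check and the relying party's origin check. This is an added example, not code from the thread or from Proxmox; the host names, ports and challenge are constructed, the suffix match simplifies what browsers do, and the relying party is assumed to accept only its own origin.

```javascript
// Simplified model of the two WebAuthn origin checks (added example).
// Host names, ports and the challenge below are constructed placeholders.

// Browser side: the RP ID must equal the page's host or be a parent domain of it.
// Real browsers additionally refuse public suffixes and IP-address hosts.
function rpIdAllowedForOrigin(rpId, pageOrigin) {
  const url = new URL(pageOrigin);
  if (url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  return host === id || host.endsWith('.' + id);
}

// Server side: the relying party compares the origin the browser recorded in
// clientDataJSON (scheme, host and port) with the origin it expects.
function verifyClientData(clientDataJSON, expectedOrigin, expectedChallenge) {
  const data = JSON.parse(clientDataJSON);
  if (data.type !== 'webauthn.get') return 'wrong type';
  if (data.challenge !== expectedChallenge) return 'challenge mismatch';
  if (data.origin !== new URL(expectedOrigin).origin) return 'origin mismatch';
  return 'ok';
}

// What a browser would record in clientDataJSON for a page at pageOrigin.
function browserClientData(pageOrigin, challenge) {
  return JSON.stringify({
    type: 'webauthn.get',
    challenge,
    origin: new URL(pageOrigin).origin,
  });
}

const REMOTE = 'https://pve1.example.com:8006'; // assumed: where the key was registered
const RP_ID = 'pve1.example.com';               // assumed RP ID of the remote
const CHALLENGE = 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl'; // constructed sample value

// Runs both checks for a login page served from pageOrigin.
function simulateLogin(pageOrigin) {
  if (!rpIdAllowedForOrigin(RP_ID, pageOrigin)) return 'browser rejects RP ID';
  return verifyClientData(browserClientData(pageOrigin, CHALLENGE), REMOTE, CHALLENGE);
}

console.log(simulateLogin(REMOTE));                         // direct login on the remote
console.log(simulateLogin('https://pdm.example.com:8443')); // proxied from another host
console.log(simulateLogin('https://pve1.example.com:8443')); // same host, other port
```

In this model the RP ID carries no port, so a page on the same host passes the browser check, while the origin recorded in the client data still includes the port.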