Two Factor Authentication using U2F

Have not looked into the auth provider landscape much, just happy to see U2F going gold and the widespread support amongst providers and vendors.

We are working to deploy some secure encrypted services for users that would really work well as Proxmox CTs and would like to base that around U2F. Having a dependency on an external service is a challenge in our remote location.
 
By 'normal Yubico auth' I presume you mean OATH and not OpenPGP card (Yubico supports both.) OATH is a One Time Password scheme based on HOTP. OATH automates and hides the interchange of a typical 6-8 digit OTP from something like a SecurID.

U2F is an encryption-based scheme which ensures that the endpoint you are connecting to is actually one which you have authorized. It uses cheaper, simpler hardware keys.

Edit: Looks like there is some work beginning to integrate U2F into SSH (very cool!)
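An added example, not part of the original post and not Proxmox or Yubico code, contrasting the two schemes described above: an RFC 4226 HOTP code is a bare number with no tie to the site it is typed into, while the bytes a U2F token signs include a hash of the AppId. The secret is the RFC 4226 test key; the AppId and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values: the RFC 4226 test secret and a placeholder AppId.
SECRET = b"12345678901234567890"
APP_ID = "https://pve.example.com:8006"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_hotp(secret: bytes, submitted: str, counter: int, window: int = 3):
    """Return the next server counter on success, None on failure.

    The look-ahead window absorbs codes generated but never submitted; codes
    below the stored counter are never accepted, which blocks replay.
    """
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c).encode(), submitted.encode()):
            return c + 1
    return None

def u2f_signed_data(app_id: str, client_data: bytes, counter: int) -> bytes:
    """Bytes covered by a U2F authentication signature (raw message format):
    SHA-256(AppId) || user-presence byte || 4-byte counter || SHA-256(client data).
    """
    return (hashlib.sha256(app_id.encode()).digest() + b"\x01"
            + struct.pack(">I", counter)
            + hashlib.sha256(client_data).digest())

def same_assertion(app_id_a: str, app_id_b: str, client_data: bytes) -> bool:
    """True only if a signature made for app_id_a would also cover app_id_b."""
    return hmac.compare_digest(u2f_signed_data(app_id_a, client_data, 1),
                               u2f_signed_data(app_id_b, client_data, 1))

if __name__ == "__main__":
    print(hotp(SECRET, 0), verify_hotp(SECRET, hotp(SECRET, 2), 0))
    cd = b'{"typ":"navigator.id.getAssertion","challenge":"constructed"}'
    print(same_assertion(APP_ID, "https://pve.example.net:8006", cd))
```

A server that checks the signature against its own AppId hash rejects an assertion produced for any other AppId, which is the property a typed HOTP code cannot provide.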
 
U2F is an encryption-based scheme which ensures that the endpoint you are connecting to is actually one which you have authorized. It uses cheaper, simpler hardware keys.

Ah, thanks for that info - very interesting.
 
Though Proxmox VE has an appid in /etc/pve/datacenter.cfg like this link, the TFA window's U2F tab is not activated in the WebUI.
 
@janssensm Ok, my result is

Bash:
$ pveversion -v
proxmox-ve: 6.0-2 (running kernel: 5.0.21-5-pve)
pve-manager: 6.0-15 (running version: 6.0-15/52b91481)
pve-kernel-helper: 6.0-12
pve-kernel-5.0: 6.0-11
pve-kernel-5.0.21-5-pve: 5.0.21-10
pve-kernel-5.0.21-4-pve: 5.0.21-9
pve-kernel-5.0.21-3-pve: 5.0.21-7
ceph-fuse: 12.2.11+dfsg1-2.1+b1
corosync: 3.0.2-pve4
criu: 3.11-3
glusterfs-client: 5.5-3
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.13-pve1
libpve-access-control: 6.0-5
libpve-apiclient-perl: 3.0-2
libpve-common-perl: 6.0-9
libpve-guest-common-perl: 3.0-3
libpve-http-server-perl: 3.0-3
libpve-storage-perl: 6.0-12
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve3
lxc-pve: 3.2.1-1
lxcfs: 3.0.3-pve60
novnc-pve: 1.1.0-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.1-1
pve-cluster: 6.0-9
pve-container: 3.0-14
pve-docs: 6.0-9
pve-edk2-firmware: 2.20190614-1
pve-firewall: 4.0-8
pve-firmware: 3.0-4
pve-ha-manager: 3.0-5
pve-i18n: 2.0-3
pve-qemu-kvm: 4.1.1-1
pve-xtermjs: 3.13.2-1
qemu-server: 6.1-1
smartmontools: 7.0-pve2
spiceterm: 3.1-1
vncterm: 1.6-1
zfsutils-linux: 0.8.2-pve2
 
@kakao73 Thanks, the package versions seem ok.
You probably have one of the other TFA methods configured on the user's realm in Datacenter > Permissions > Authentication.
If so, you could try and set it to "none".
From the admin doc:
As another option, if the server has an AppId configured, a user can opt into U2F authentication, provided the realm does not enforce any other second factor.
 
@janssensm Thanks for the reply. I've set the TFA options under Datacenter > Permissions > Authentication to none, but U2F is still disabled for the root user. Interestingly, a newly created user is able to select U2F. Do I need to disable TOTP for the root user if I want to enable U2F for the root user?
 