[SOLVED] Unable to login with WebAuthn

[Sped]

I encountered an issue with using WebAuthn as a second factor. Previously, only TOTP was set up for my user account in the pve realm, and even now have never encountered an issue with this second factor. Having recently acquired an SSL certificate for my PVE node, I set up WebAuthn as an alternate factor. I was able to register a WebAuthn token, but I was always hit with the error "Login failed. Please try again" when trying to use the same token; TOTP codes would present no issue.

Checking /var/log/syslog presented the following during the failed WebAuthn sign-in attempts:

Apr  9 18:20:01 pvenode1 pvedaemon[76126]: <root@pam> successful auth for user 'user@pve'
Apr  9 18:20:09 pvenode1 pvedaemon[76126]: authentication failure; rhost=::ffff:192.168.1.117 user=user@pve msg=realm requires totp authentication

Under Datacenter > Permissions > Realms, I had the "Require TFA" option set to "OATH/TOTP". Once I set it to "none", my WebAuthn token started to work. To rule out other factors, I tried an alternate browser (Edge instead of Chrome), as well as the WebAuthn configuration under Datacenter > Options (using Auto-fill vs configurations). I also tested my security key being used as the token on webauthn.io, but there was no issue there.

I have no problem with leaving the required TFA option set to none, as I am the only user and this is just a homelab setup, but is what is described above the expected behavior?

 

[t.lamprecht]

Hi,

have no problem with leaving the required TFA option set to none, as I am the only user and this is just a homelab setup, but is what is described above the expected behavior?

Somewhat. The thing to know is that this setting is there for legacy reasons, it was added when the first, very basic and a bit unwieldy, TOTP second factor feature got implemented in Proxmox VE quite a few years back. Once the second, more flexible, implementation (that allowed for u2f and nicely integrated TOTP) was added the old setting became obsolete; but we couldn't remove it to avoid breaking old systems that upgrade; so it was renamed to the thing it did earlier as an extra feature; not only check the TFA but also enforce the existence of one for every realm account; but it was limited to TOTP, as that's the only thing that existed previously.
So, if one needs to interpret the value of the setting "require oath/totp" very strictly it does indeed mean that the exact type of TOTP (oath was just the older name) is required on login.

That's the explanation of why it came to this behavior, not arguing that it's ideal for users on newer systems stumbling upon this legacy setting in any way.

For new installations we may want to transform this into either a simple "Require any TFA" checkbox, or a multi-select combo-box to allow a subset of the available methods (mostly useful if some (company) policy just plainly requires that).
The obvious alternative would be to just remove it completely (with the next 8.0 major release), but I don't think that's the best way, as such enforcement can have a value to ensure accounts with far-reaching privileges are guaranteed to have used TFA on login and has no high maintenance cost.

 

[Sped]

So, if one needs to interpret the value of the setting "require oath/totp" very strictly it does indeed mean that the exact type of TOTP (oath was just the older name) is required on login.

This paired with the legacy explanation clears things up, thanks!

For new installations we may want to transform this into either a simple "Require any TFA" checkbox, or a multi-select combo-box to allow a subset of the available methods (mostly useful if some (company) policy just plainly requires that).

Selection of a subset would be a great option. Some organizations may not treat all methods equally.

 

[hregis]

Hi,
So clearly webauthn is not working?

 

[t.lamprecht]

Hi,
So clearly webauthn is not working?

As I and quite some other setups use webauthn on login daily since it got added it's clearly working for a lot of users ;-)

Do you have a trusted certificate for the domain you connect to the Proxmox VE node(s), and what WebAuthn provider (hw key or android phone or the like) do you use?

 

[hregis]

hi @t.lamprecht

I had to set the "Require TFA" parameter in "Realms" to "none" and there I can choose between "totp" and "webauthn" when connecting.

it works well !

With the "OATH/TOTP" parameter it does not work...

On the other hand, on a cluster, the "Webauthn Settings" parameter limits the use of "webauthn" to a single server!

Thanks

 

[t.lamprecht]

On the other hand, on a cluster, the "Webauthn Settings" parameter limits the use of "webauthn" to a single server!

No, they all just need to be on the same base domain, for example, if your cluster nodes would be accessible as:

• https://alpha.example.com:8006
• https://beta.example.com:8006
• https://gamma.example.com:8006

You would configure the base https://example.com:8006 as origin. The documentation should be adapted to better explain this though.

 

[hregis]

i try but i have this error message when i want to add my key

The clients relying party origin does not match our servers information

Thanks

 

[wbumiller]

Sorry, there are a few sources of confusion around this, including different behavior between browsers between eg. firefox and chrome in the past.
The 'origin' is meant only to "pin" the URL from which authentication should succeeds to a specific address. For a cluster, this doesn't make much sense and you'll want to leave the origin blank and only set id & rp.
Unfortunately the UI doesn't like this so until this is fixed you'll need to edit `/etc/pve/datacenter.cfg` manually and use:

webauthn: id=example.com,rp=example.com

'id' is the main one that matters for authentication
'rp' can also be a name and is only used when registering tokens (though changing this could still break login on some weird browsers)

 

[hregis]

great !!!
it's ok
thank you so much @wbumiller
have a good day

 

[ekrekeler]

For new installations we may want to transform this into either a simple "Require any TFA" checkbox, or a multi-select combo-box to allow a subset of the available methods (mostly useful if some (company) policy just plainly requires that).

+1 It would be nice to enforce 2FA but allow administrators and users decide whether to use TOTP or WebAuthn.

 

[cult_hero13]

I thought I had read somewhere in these forums that WebAuthn was not yet an option to enforce in Realms. Like ekrekeler posted, I would like to be able to enforce 2FA, but give users a choice of methods. Minus giving users a choice, since WebAuthn is supposedly the "better" option, I would at least like to see this enforceable from Realms. Is there any word on if/when this might be implemented?