WebAuthn registration failed

Okay so it seems that the package fixed the issues.
BUT I am still unable to get a WebAuthn registration that works for the whole PVE cluster.

Can you please update your manual accordingly?
I think many other customers who run > 1 PVE as a cluster would benefit from that.
 
I tinkered around a bit with RP & ID.

On my 2nd server I see the following "error": authentication failure; rhost=::ffff:192.168.10.2 user=mmuehlbacher@hks msg=The clients relying party origin does not match our servers information
 
AFAIK, you must remove the origin from the datacenter.cfg (since each host has its own origin) and the rp must be a suffix domain, e.g. for 'pve1.x.y' and 'pve2.x.y' the rp should be 'x.y'
 
It worked - thanks!

But you used rp twice in your previous message.
The right way is to delete the origin, id = domain, rp = pve.domain

So in my case the config looks like webauthn: id=hks.lan,rp=proxmox1.hks.lan
 
Would like to put in a notice that the documentation has not changed as of yet.
The chapter Server Side Webauthn Configuration still has the following configuration example present:
webauthn: rp=mypve.example.com,origin=https://mypve.example.com:8006,id=mypve.example.com.
While the example from this thread would be:
webauthn: rp=mypve.example.com,origin=https://mypve.example.com:8006,id=example.com.

Another suggestion would be to include a line mentioning that the origin may/must be removed, as also stated above. I don't understand why or how, but it was the only way WebAuthn worked for me.
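
The rule this thread converges on, as an added example that is not part of the thread or of Proxmox's own code: a WebAuthn RP ID is accepted only when it equals the host in the browser's address bar or is a parent domain of it, and a pinned origin can match only one node. The node name proxmox2.hks.lan and the function names are constructed for illustration; the check is simplified and does not consult the Public Suffix List.

```javascript
// Parse a "webauthn:" line from datacenter.cfg into {rp, id, origin}.
function parseWebauthnLine(line) {
  const body = line.replace(/^\s*webauthn:\s*/, "");
  const cfg = {};
  for (const part of body.split(",")) {
    const i = part.indexOf("=");
    if (i > 0) cfg[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return cfg;
}

// WebAuthn rule: the RP ID must equal the page's host or be a
// dot-bounded parent domain of it. Simplification: no Public Suffix
// List check, so a bare suffix such as "com" is not rejected here.
function rpIdCoversHost(rpId, host) {
  const id = rpId.toLowerCase();
  const h = host.toLowerCase();
  return h === id || h.endsWith("." + id);
}

// Check one config line against every node URL in the cluster.
function checkCluster(line, nodeUrls) {
  const cfg = parseWebauthnLine(line);
  return nodeUrls.map((u) => {
    const url = new URL(u);
    const problems = [];
    if (!cfg.id || !rpIdCoversHost(cfg.id, url.hostname)) {
      problems.push("id does not cover host");
    }
    // A pinned origin can only equal one node's origin.
    if (cfg.origin && new URL(cfg.origin).origin !== url.origin) {
      problems.push("pinned origin differs from node origin");
    }
    return { node: url.origin, ok: problems.length === 0, problems };
  });
}

// Constructed sample: two nodes under the thread's hks.lan domain.
const nodes = ["https://proxmox1.hks.lan:8006", "https://proxmox2.hks.lan:8006"];
const perHost = "webauthn: rp=proxmox1.hks.lan,origin=https://proxmox1.hks.lan:8006,id=proxmox1.hks.lan";
const clusterWide = "webauthn: id=hks.lan,rp=proxmox1.hks.lan";

for (const line of [perHost, clusterWide]) {
  console.log(line);
  for (const r of checkCluster(line, nodes)) {
    console.log(" ", r.node, r.ok ? "ok" : r.problems.join("; "));
  }
}
```

With the per-host line only the first node passes; with the cluster-wide line (no origin, id set to the shared parent domain) both nodes pass.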