OTP (2 factor authentication)
Eugene edited this page Jul 4, 2022 · 5 revisions
This feature is available in v0.2+
Run `warpgate generate-otp` to generate a fresh TOTP secret key:

```
$ warpgate generate-otp
<qr code>
20:30:04 INFO Setup URL: otpauth://totp/test?secret=D6T5ZGHZERBVO63D7JBZM4NPOSLB5SOPWF4SNQ4LTWFYEOK72WYA&issuer=Warpgate&digits=6&algorithm=SHA1
20:30:04 INFO Config file snippet:
- type: otp
  key: H6fcmPkkQ1d7Y/pDlnGvdJYeyc+xeSbDi52Lgjlf1bA=
```

The QR code shown and the URL can both be used to directly set up a mobile TOTP authenticator app.
You can now add the generated config snippet to the user's configuration and set `require` to enable 2-factor authentication:

```diff
[...]
users:
- username: admin
  credentials:
  - type: publickey
    key: ssh-ed25519 AAAAC3Nz[...]bD4I
+ - type: otp
+   key: H6fcmPkkQ1d7Y/pDlnGvdJYeyc+xeSbDi52Lgjlf1bA=
+ require: [publickey, otp]
  roles:
  - "warpgate:admin"
[...]
```

Validate the file with `warpgate check`. Warpgate will automatically reload the config file and start requiring the OTP through a keyboard-interactive authentication prompt on SSH.
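
In the sample `generate-otp` output above, the `secret` in the setup URL (base32) and the `key` in the config snippet (base64) encode the same 32 bytes. The following is an added example, not Warpgate's own code, that converts one to the other and computes the RFC 6238 code so an enrollment can be checked against the config. The function names, the 30-second period (the otpauth default, not stated in the URL) and the `window` tolerance are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Value copied from the sample `warpgate generate-otp` output on this page.
PAGE_KEY = "H6fcmPkkQ1d7Y/pDlnGvdJYeyc+xeSbDi52Lgjlf1bA="

def key_to_secret(key_b64):
    """Config `key` (base64) -> otpauth `secret` parameter (unpadded base32)."""
    raw = base64.b64decode(key_b64, validate=True)
    return base64.b32encode(raw).decode().rstrip("=")

def setup_url(key_b64, label, issuer="Warpgate"):
    """Rebuild an otpauth:// URL in the shape shown in the sample output."""
    return (f"otpauth://totp/{quote(label)}?secret={key_to_secret(key_b64)}"
            f"&issuer={quote(issuer)}&digits=6&algorithm=SHA1")

def totp(key_b64, at=None, digits=6, period=30):
    """RFC 6238 code with HMAC-SHA1; period=30 is assumed (otpauth default)."""
    raw = base64.b64decode(key_b64, validate=True)
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(raw, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(key_b64, candidate, at=None, window=1, period=30):
    """Accept codes within +/- `window` steps (hypothetical policy, not Warpgate's)."""
    now = time.time() if at is None else at
    ok = False
    for step in range(-window, window + 1):
        t = now + step * period
        if t < 0:
            continue
        expected = totp(key_b64, t, period=period).encode()
        ok |= hmac.compare_digest(expected, candidate.encode())  # constant-time
    return ok

if __name__ == "__main__":
    print(setup_url(PAGE_KEY, "test"))
    print("current code:", totp(PAGE_KEY))
```

Because the config `key` is the complete shared secret, anyone who can read the config file can generate valid codes for that user.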
This feature is available in v0.3+
To specify different 2FA policies for SSH and HTTP, expand the `require` field as follows:

```diff
[...]
users:
- username: admin
  credentials:
  - type: publickey
    key: ssh-ed25519 AAAAC3Nz[...]bD4I
  - type: otp
    key: H6fcmPkkQ1d7Y/pDlnGvdJYeyc+xeSbDi52Lgjlf1bA=
- require: [publickey, otp]
+ require:
+   ssh: [publickey, otp]
+   http: [password, otp]
  roles:
  - "warpgate:admin"
[...]
```