Feature #20037
Add two factor authentication
Status: open
Description
To increase security, it would be great to allow two factor authentication via TOTP (RFC 6238). A user with 2FA enabled needs to provide a one time token as a second login step.
In the profile, a user should be able to enable 2FA. For every user a secret key should be generated and provided via QR code. The user can then scan the QR code via his mobile phone (e.g. Google Authenticator app). The app then generates one time tokens. At every login, the user is prompted for such a token.
This technique is known from Google, AWS or GitHub.
For API requests, personal access tokens can be used.
Alternatively, a 401 response with a header like "X-Foreman-OTP: required; app" could indicate that 2FA is required for the user.
A client can send the token via a custom header: "Authorization: token TOKEN"
curl -v -u user:password -H "Authorization: token TOKEN" https://localhost:3000/api/subnets
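As an added example (not part of this issue or of Foreman's code), the following Python sketches the three pieces the description asks for: a per-user secret, the otpauth:// provisioning string that the profile page would render as a QR code, and verification of the one time token at login. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 and is checked against their published test vectors; the issuer name "Foreman", the skew window of one step, and the SHA1/6-digit/30-second parameters are assumptions chosen to match what common authenticator apps default to.

```python
"""
Added example, not Foreman code: minimal RFC 6238 TOTP enrolment and
verification, checked against the RFC 4226 / RFC 6238 test vectors.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

DIGITS = 6          # token length shown by the authenticator app (assumed)
STEP_SECONDS = 30   # RFC 6238 default time step (assumed)


def generate_secret(num_bytes: int = 20) -> str:
    """Random per-user secret, base32-encoded (the form authenticator apps accept)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str = "Foreman") -> str:
    """otpauth:// URI; this string is what the profile page would encode as a QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": secret_b32, "issuer": issuer, "algorithm": "SHA1",
        "digits": DIGITS, "period": STEP_SECONDS,
    })
    return f"otpauth://totp/{label}?{query}"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, at // step, digits)


def verify_totp(secret_b32: str, token: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Accept the token for the current step or up to `window` steps either side (clock skew).

    The comparison is constant-time. A real login flow would additionally record the
    step index it accepted so the same token cannot be reused within its window.
    """
    key = base64.b32decode(secret_b32, casefold=True)
    now = int(time.time()) if at is None else at
    current = now // STEP_SECONDS
    for step_index in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(key, step_index), token):
            return True
    return False


if __name__ == "__main__":
    # Enrolment: generate the secret and the string the QR code would carry.
    secret = generate_secret()
    print(provisioning_uri(secret, "admin"))
    # Login: the app computes the token from the same secret and the current time.
    token = totp(base64.b32decode(secret), int(time.time()))
    print("token", token, "accepted:", verify_totp(secret, token))
```

The verifier deliberately takes the time as a parameter so it can be tested deterministically; in a login handler it would be left at the default (the current clock) and the secret would be loaded from the user's profile record.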
Updated by Kodiak Firesmith over 6 years ago
Hello,
I wanted to pile onto this upstream request as a Satellite 6 customer. Anyone working with the US Government has a hard requirement for 2FA for services like the Satellite 6 UI starting at the end of 2018, due to something called "DFARS".
At my facility, we must use existing 2FA providers and enterprise authentication mechanisms - these are Active Directory (FreeIPA not allowed), and RADIUS.
Ansible Tower already does this quite nicely so perhaps there are some re-usable parts that can be shimmed in?
Thanks!
Updated by Marek Hulán over 6 years ago
- Triaged set to No
Foreman can be configured with an external auth service, such as FreeIPA. Then 2FA can be configured there. This should work for the UI; the API doesn't work this way, AFAIK.
Updated by Ewoud Kohl van Wijngaarden almost 2 years ago
- Has duplicate Feature #18147: As a User Concearned about Security, I would like two factor authentication added