Add 2FA/OTP authentication to menu template

This commit is contained in:
Bryan Ashby 2019-06-15 00:07:09 -06:00
parent 0f68f20656
commit f02434bc23
No known key found for this signature in database
GPG Key ID: B49EB437951D2542
1 changed files with 75 additions and 8 deletions

View File

@ -60,11 +60,20 @@
// //
// SSH connections are pre-authenticated via the SSH server itself. // SSH connections are pre-authenticated via the SSH server itself.
// Jump directly to the login sequence // Jump directly to either the 2FA/OTP auth or the login sequence
// depending on user ACS.
// //
sshConnected: { sshConnected: {
art: CONNECT art: CONNECT
next: fullLoginSequenceLoginArt next: [
{
acs: AR2
next: loginTwoFactorAuthOTPLoop
}
{
next: mainMenu
}
]
config: { nextTimeout: 1500 } config: { nextTimeout: 1500 }
} }
@ -90,11 +99,6 @@
submit: true submit: true
focus: true focus: true
argName: navSelect argName: navSelect
//
// To enable forgot password, you will need to have the web server
// enabled and mail/SMTP configured. Once that is in place, swap out
// the commented lines below as well as in the submit block
//
items: [ items: [
{ {
text: login text: login
@ -104,10 +108,20 @@
text: apply text: apply
data: apply data: apply
} }
//
// To enable the forgot password option, you'll need to have
// the web server & email configured. Once that is in place,
// uncomment the section below.
//
// See docs for more information
//
/*
{ {
text: forgot pass text: forgot pass
data: forgot data: forgot
} }
*/
{ {
text: log off text: log off
data: logoff data: logoff
@ -142,7 +156,20 @@
login: { login: {
art: USERLOG art: USERLOG
next: fullLoginSequenceLoginArt next: [
{
//
// Users with 2FA/OTP enabled *must* go through
// an additional OTP authentication step
//
acs: AR2
next: loginTwoFactorAuthOTPLoop
}
{
// ...everyone else can carry on as per usual
next: fullLoginSequenceLoginArt
}
]
config: { config: {
tooNodeMenu: loginAttemptTooNode tooNodeMenu: loginAttemptTooNode
inactive: loginAttemptAccountInactive inactive: loginAttemptAccountInactive
@ -218,6 +245,46 @@
next: logoff next: logoff
} }
//
// Empty menu to catch us in a 2FA/OTP auth loop
// until the user either authenticates successfully
// or the system boots them.
//
loginTwoFactorAuthOTPLoop: {
next: loginTwoFactorAuthOTP
}
loginTwoFactorAuthOTP: {
art: 2FAOTP
next: fullLoginSequenceLoginArt
form: {
0: {
mci: {
ET1: {
argName: token
focus: true
submit: true
}
}
submit: {
*: [
{
value: { token: null }
action: @systemMethod:login2FA_OTP
}
]
}
actionKeys: [
{
// no turning back at this point...
keys: [ "escape" ]
action: @systemMethod:logoff
}
]
}
}
}
forgotPassword: { forgotPassword: {
desc: Forgot password desc: Forgot password
prompt: forgotPasswordPrompt prompt: forgotPasswordPrompt