TOTP based 2-factor authentication to OpenBMC
raviteja bailapudi
raviteja28031990 at gmail.com
Wed Jun 26 17:42:25 AEST 2024
Hi All,

This proposal is to add 2-factor authentication to OpenBMC via a time-based one-time password (TOTP) mechanism.

Here is the proposed model:
1. There will be a user-level setting, disabled by default for all users. Redfish interfaces will be implemented to enable/disable the 2nd factor for each user on the BMC.
2. A secret key will be generated at the BMC per user, and is shared only with that user.
3. Each user who has TOTP authentication enabled should register the TOTP generator app using the secret key shared by the BMC.
4. Once TOTP authentication is enabled, the user can create sessions by passing both the password and the TOTP together.

Here is the open source google-authenticator PAM library, which supports TOTP-based authentication:
https://github.com/google/google-authenticator-libpam

Here is the recipe for google-authenticator:
https://github.com/openbmc/openbmc/blob/master/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb

Here are the Redfish schemas for "GoogleAuthenticator" or "MicrosoftAuthenticator":
https://redfish.dmtf.org/schemas/v1/AccountService.v1_15_1.json

Here are the Redfish forum discussions, working with the DMTF community on user-level TOTP-based authenticator configuration:
https://redfishforum.com/thread/1061/multi-factor-authentication-on-accountservice

Please share your views.

Thanks & Regards
Raviteja
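
Steps 2 to 4 of the proposed model, sketched in Python as an added example that is not part of the original post and is not OpenBMC or google-authenticator-libpam code. The function names, the "OpenBMC" issuer label, the one-step skew window and the `last_used` replay counter are assumptions; the sample secret is the published RFC 6238 test key.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import quote

STEP, DIGITS = 30, 6  # RFC 6238 defaults used by common authenticator apps
# Constructed sample: the published RFC 6238 test secret, never a real key.
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode()

def new_secret() -> str:
    """Step 2: per-user secret, 160 random bits, base32 for app entry."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def provisioning_uri(user: str, secret_b32: str, issuer: str = "OpenBMC") -> str:
    """Step 3: otpauth:// URI (QR payload); the issuer label is an assumption."""
    label = f"{quote(issuer)}:{quote(user)}"
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"

def totp(secret_b32: str, counter: int) -> str:
    """HOTP value (RFC 4226) for one time-step counter, HMAC-SHA1."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, code: str, now: float, last_used: int = -1, window: int = 1):
    """Step 4: return the matched counter, or None.

    Accepts +/- `window` steps of clock skew and rejects any counter that is
    not newer than `last_used`, so a captured code cannot be replayed.
    """
    current = int(now) // STEP
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        ok = hmac.compare_digest(totp(secret_b32, counter).encode(), code.encode())
        if ok and counter > last_used:
            matched = counter
    return matched

if __name__ == "__main__":
    import time
    secret = new_secret()
    print(provisioning_uri("admin", secret))
    code = totp(secret, int(time.time()) // STEP)
    step = verify(secret, code, time.time())
    print("first use:", step, "replay:", verify(secret, code, time.time(), last_used=step))
```

The caller is expected to persist the returned counter per user and pass it back as `last_used`, and to check the password independently of the TOTP result.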