2-factor auth options

Jason A. Donenfeld Jason at zx2c4.com
Fri Sep 22 00:52:43 CEST 2017


Hi Konstantin,

The easiest way would be to add OTP to the part of your infra that
does the key exchange. That is, if you have some kind of HTTPS
REST-based API or an SSH-based API, you can have the server not accept
a new public key until the OTP challenge is satisfied.

Alternatively, you could do OTP in-band, in order to authorize that
public key for a certain window of time before inactivity. In this
scheme, you'd disallow access to the network segment based on firewall
rules until a certain in-band challenge is made -- perhaps by
contacting a certain sandboxed server and answering an OTP challenge
there.

(At some point it is planned for WireGuard to have an API for sending
control messages directly to a public key, not via an IP address,
which will provide another option for in-band challenges (in addition
to dynamic configuration of IPs), but it's not immediately obvious
that this actually simplifies things, which is why I haven't yet
implemented the plan.)

What kind of infrastructure are you imagining? Is this for kernel.org?

Jason
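As an added illustration of the first option above (this is example code, not from Jason's message or from the WireGuard project): a small Python gate that holds a submitted WireGuard public key as "pending" and only releases it for configuration once an RFC 6238 TOTP challenge succeeds, with per-counter replay protection. The `KeyExchangeGate` class, the username and the in-memory user/secret table are assumptions of the example; the caller would then add the accepted key with `wg set <iface> peer <key> ...`.

```python
import base64, hashlib, hmac, struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)

def is_wg_pubkey(key: str) -> bool:
    """A WireGuard public key is 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False

class KeyExchangeGate:
    """Holds a submitted public key as 'pending' until the user's OTP is verified.
    `users` maps username -> shared TOTP secret (constructed; would normally be a DB)."""
    def __init__(self, users: dict):
        self.users = users
        self.pending = {}       # user -> public key awaiting the OTP challenge
        self.accepted = {}      # user -> public key the server may now configure
        self.last_counter = {}  # user -> last TOTP counter used (blocks replay)

    def submit(self, user: str, pubkey: str) -> bool:
        # Step 1: the client sends its key; nothing is configured yet.
        if user not in self.users or not is_wg_pubkey(pubkey):
            return False
        self.pending[user] = pubkey
        return True

    def confirm(self, user: str, code: str, now: int):
        """Step 2: release the key only if `code` matches now or an adjacent step."""
        pubkey = self.pending.get(user)
        if pubkey is None:
            return None
        for counter in (now // STEP - 1, now // STEP, now // STEP + 1):
            if counter <= self.last_counter.get(user, -1):
                continue  # every counter value may authorize at most once
            if code.isascii() and hmac.compare_digest(hotp(self.users[user], counter), code):
                self.last_counter[user] = counter
                self.accepted[user] = self.pending.pop(user)
                return pubkey  # caller now runs `wg set ... peer <pubkey> ...`
        return None
```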
