Adding 2FA to WireGuard
Nico Schottelius
nico.schottelius at ungleich.ch
Fri Sep 13 15:22:55 CEST 2019
Hey Rémi,
Rémi Lapeyre <remi.lapeyre at lenstra.fr> writes:
> Hi Nico, yes pyotp is the implementation I use on the server, but anything
> compatible with RFC 6238 should work.
That sounds about right!
>> We have written ungleich-otp [0] that extends the otp approach with
>> realms similar to kerberos.
>
> This looks interesting, I will move the code that validates the OTP in a
> separate class so that another validation backend like one based on this
> project can be used instead of reading the seeds from a SQLite file like
> I’m doing now.
>
> I did not see any kind of cool down in
> https://code.ungleich.ch/ungleich-public/ungleich-otp/blob/master/otpauth/serializer.py.
> Are you not worried that someone could try to brute-force the OTP
> validation?
That is a good point! We will certainly want to fix that, as the seed
entropy is not *that* big.
Best regards,
Nico
--
Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.
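
The cool-down discussed in the message above, sketched as an added example that is not part of the original post and is not ungleich-otp or pyotp code: an RFC 6238 verifier that locks an account after repeated failures and refuses to accept the same time step twice. The class name, the lock-out policy values and the sample seed are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct

# Constructed sample seed: the RFC 6238 test key "12345678901234567890" in base32.
SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP, DIGITS = 30, 6            # RFC 6238 defaults
MAX_FAILS, BASE_DELAY = 3, 30   # assumed policy: lock 30 s after 3 failures, then double

def totp(seed_b32, counter):
    """HOTP (RFC 4226) over the RFC 6238 time counter, HMAC-SHA1."""
    key = base64.b32decode(seed_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class CooldownVerifier:  # hypothetical name, not an ungleich-otp class
    def __init__(self, seeds):
        self.seeds = seeds   # user -> base32 seed
        self.state = {}      # user -> [failures, locked_until, last_used_counter]

    def verify(self, user, code, now):
        seed = self.seeds.get(user)
        if seed is None:
            return "denied"
        st = self.state.setdefault(user, [0, 0.0, -1])
        if now < st[1]:
            return "locked"  # during cool-down the code is not evaluated at all
        counter = int(now) // STEP
        for c in (counter - 1, counter, counter + 1):  # +/- 1 step of clock drift
            # c > st[2] is checked first, so a negative or already used step is skipped
            if c > st[2] and hmac.compare_digest(totp(seed, c).encode(), code.encode()):
                st[0], st[2] = 0, c  # reset failures, burn the step (no replay)
                return "ok"
        st[0] += 1
        if st[0] >= MAX_FAILS:
            st[1] = now + BASE_DELAY * 2 ** (st[0] - MAX_FAILS)
        return "denied"
```

The state here lives in memory; a server would need to persist it across restarts and share it between worker processes.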