open-vault/website/source/docs/auth/mfa.html.md

---
layout: "docs"
page_title: "Multi-Factor Authentication (MFA) - Auth Methods"
sidebar_current: "docs-auth-mfa"
description: |-
  Multi-factor authentication (MFA) is supported for several authentication
  methods.
---
# Multi-Factor Authentication

~> **NOTE**: This page describes the legacy MFA system available in the OSS
edition of Vault. This system is not supported by HashiCorp. Vault Enterprise
contains a fully-supported MFA system that is significantly more complete and
flexible, and that can be used throughout Vault's API. See the [Vault
Enterprise MFA](/docs/enterprise/mfa/index.html) page for more information.

Several auth methods support multi-factor authentication (MFA). Once MFA is
enabled for a method, users must provide additional verification, such as a
one-time passcode, before they are authenticated.

Currently, the "ldap", "okta", "radius", and "userpass" backends support MFA.
## Authentication

When authenticating, users provide the same information as before plus the MFA
verification. Usually this is a one-time passcode passed as `passcode`; for an
out-of-band factor such as a Duo Push notification, the request instead selects
the factor with `method=push` and no passcode is needed.
### Via the CLI

```text
$ vault login -method=userpass \
    username=my-username \
    password=test \
    passcode=111111
```

```text
$ vault login -method=userpass \
    username=my-username \
    password=test \
    method=push
```
### Via the API

The login endpoint is the same as for the original method. The additional MFA
fields are sent alongside the usual ones in the JSON-encoded POST body.
```shell
$ curl \
--request POST \
--data '{"password": "test", "passcode": "111111"}' \
https://vault.rocks/v1/auth/userpass/login/my-username
```
The response is the same as for the original method.
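As an added example (not code from the Vault docs or the Vault project), the following Python composes the userpass login request with the legacy MFA fields and extracts the token from the response. It assumes the Vault address comes from the `VAULT_ADDR` environment variable (falling back to the docs' placeholder `https://vault.rocks`); the `transport` parameter and the `SAMPLE_*` responses are constructed so the request and response handling can be exercised offline.

```python
"""Added example (not code from the Vault docs or project): compose the
legacy-MFA userpass login request and extract the token from the response.

Assumptions not taken from the page: the Vault address comes from VAULT_ADDR
(falling back to the docs' placeholder https://vault.rocks), and the
`transport` argument plus SAMPLE_* dicts are constructed for offline use.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Optional

Transport = Callable[[str, bytes], dict]


def build_login_request(mount: str, username: str, password: str,
                        passcode: Optional[str] = None,
                        method: Optional[str] = None):
    """Return (path, body) for a userpass login with legacy MFA enabled.

    The path is the ordinary login path; MFA only adds fields to the JSON
    body: `passcode` for a one-time code, or `method` (e.g. "push") for an
    out-of-band factor such as Duo Push. Exactly one of the two is set.
    """
    if (passcode is None) == (method is None):
        raise ValueError("supply exactly one of passcode or method")
    body = {"password": password}
    if passcode is not None:
        # Keep the OTP a string so a leading zero (e.g. "011111") survives.
        body["passcode"] = str(passcode)
    else:
        body["method"] = method
    return f"/v1/auth/{mount}/login/{username}", body


def client_token_from_response(resp: dict) -> str:
    """Pull auth.client_token out of a Vault login response.

    Vault reports failures as {"errors": [...]}, so surface those first
    rather than failing on a missing key.
    """
    if resp.get("errors"):
        raise PermissionError("; ".join(resp["errors"]))
    token = (resp.get("auth") or {}).get("client_token")
    if not token:
        raise ValueError("login response has no auth.client_token")
    return token


def _http_post(url: str, data: bytes) -> dict:
    """POST JSON to Vault. A 4xx still carries a JSON body, so parse it."""
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return json.load(r)
    except urllib.error.HTTPError as e:
        return json.load(e)


def login(mount: str, username: str, password: str, *,
          passcode: Optional[str] = None, method: Optional[str] = None,
          addr: Optional[str] = None,
          transport: Optional[Transport] = None) -> str:
    """Log in and return the client token; transport defaults to real HTTP."""
    addr = addr or os.environ.get("VAULT_ADDR", "https://vault.rocks")
    path, body = build_login_request(mount, username, password, passcode, method)
    send = transport or _http_post
    return client_token_from_response(send(addr + path, json.dumps(body).encode()))


# Constructed responses in the shape Vault returns (not captured from a server).
SAMPLE_OK = {"auth": {"client_token": "s.example", "policies": ["default"]}}
SAMPLE_DENIED = {"errors": ["permission denied"]}


if __name__ == "__main__":
    # Offline demonstration: the fake transport records the request and
    # answers with the constructed success response.
    sent = []

    def fake(url: str, data: bytes) -> dict:
        sent.append((url, data))
        return SAMPLE_OK

    print(login("userpass", "my-username", "test", passcode="111111", transport=fake))
    print(sent[0])
```

The passcode is deliberately kept as a string: a six-digit code such as `011111` would lose its leading zero if it were sent as a number. Vault answers a failed login with a 4xx status and a JSON `errors` list, so the HTTP helper parses that body too instead of letting `urlopen` turn it into an opaque exception.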
## Configuration

To enable MFA for a supported method, write the MFA type to the method's
`mfa_config` path. For example:

```text
$ vault write auth/userpass/mfa_config type=duo
```
This enables the Duo MFA type, which is currently the only MFA type supported.
The username used for MFA is the same as the login username, unless the method
or MFA type provide options to behave differently (see Duo configuration below).
### Duo

The Duo MFA type is configured through two paths: `duo/config` and `duo/access`.

`duo/access` contains connection information for the Duo Auth API. To configure:

```text
$ vault write auth/[mount]/duo/access \
host=[host] \
ikey=[integration key] \
skey=[secret key]
```
`duo/config` is an optional path that contains general configuration information
for Duo authentication. To configure:

```text
$ vault write auth/[mount]/duo/config \
user_agent="" \
username_format="%s"
```
- `user_agent` is the user agent to use when connecting to Duo.
- `username_format` controls how the username used to login is transformed
before authenticating with Duo. This field is a format string that is passed
the original username as its first argument and outputs the new username. For
example "%s@example.com" would append "@example.com" to the provided username
before connecting to Duo.
- `push_info` is a string of URL-encoded key/value pairs that provides
additional context about the authentication attempt in the Duo Mobile
application.

More information can be found through the CLI `path-help` command, for example
`vault path-help auth/[mount]/duo/config`.
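As an added example (not code from the Vault docs or the Vault project), this Python issues the three configuration writes above through the HTTP API, which is what `vault write` does underneath, and validates `username_format` before it is stored. The Duo keys are assumed to come from environment variables named `DUO_IKEY` and `DUO_SKEY` (my names, not Vault's), and `VAULT_ADDR` and `VAULT_TOKEN` are the standard Vault client variables; the `transport` hook exists only so the request construction can be tested offline.

```python
"""Added example (not code from the Vault docs or project): the three writes
that enable the legacy Duo MFA type, issued through the HTTP API (the same
requests `vault write` makes), with the `username_format` checked first.

Assumptions not taken from the page: DUO_IKEY and DUO_SKEY are my names for
environment variables holding the Duo keys; VAULT_ADDR and VAULT_TOKEN are
the standard Vault client variables; `transport` exists for offline testing.
"""
import json
import os
import re
import urllib.parse
import urllib.request
from typing import Callable, List, Optional, Tuple

Write = Tuple[str, dict]


def check_username_format(fmt: str) -> str:
    """Accept only a format with exactly one %s verb (literal %% is allowed).

    The page describes username_format as a format string that receives the
    login name as its first argument. Any other verb, or a second %s, would
    send Duo a name it has never seen, and that only shows up as failed
    logins for everyone once the config is live.
    """
    verbs = re.findall(r"%(.?)", fmt.replace("%%", ""))
    if verbs != ["s"]:
        raise ValueError(f"username_format must contain exactly one %s: {fmt!r}")
    return fmt


def duo_username(fmt: str, login_name: str) -> str:
    """The name handed to Duo: Python's % operator matches Sprintf for %s/%%."""
    return check_username_format(fmt) % login_name


def encode_push_info(pairs: dict) -> str:
    """push_info is URL-encoded key/value pairs shown in Duo Mobile."""
    return urllib.parse.urlencode(pairs)


def duo_config_requests(mount: str, host: str, ikey: str, skey: str,
                        username_format: str = "%s", user_agent: str = "",
                        push_info: Optional[dict] = None) -> List[Write]:
    """Ordered (API path, JSON body) pairs enabling Duo MFA on `mount`."""
    writes: List[Write] = [
        (f"/v1/auth/{mount}/mfa_config", {"type": "duo"}),
        (f"/v1/auth/{mount}/duo/access", {"host": host, "ikey": ikey, "skey": skey}),
    ]
    cfg = {"user_agent": user_agent,
           "username_format": check_username_format(username_format)}
    if push_info:
        cfg["push_info"] = encode_push_info(push_info)
    writes.append((f"/v1/auth/{mount}/duo/config", cfg))
    return writes


def apply_writes(writes: List[Write], addr: Optional[str] = None,
                 token: Optional[str] = None,
                 transport: Optional[Callable[[str, str, bytes], object]] = None) -> int:
    """Send each write in order; returns how many were sent."""
    addr = addr or os.environ["VAULT_ADDR"]
    token = token or os.environ["VAULT_TOKEN"]
    send = transport or _vault_post
    for path, body in writes:
        send(addr + path, token, json.dumps(body).encode())
    return len(writes)


def _vault_post(url: str, token: str, data: bytes) -> int:
    """POST a JSON body to Vault with the token header; returns the status."""
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"X-Vault-Token": token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as r:
        return r.status


if __name__ == "__main__":
    # Secrets come from the environment rather than argv, so the Duo secret
    # key is not left in shell history or visible in `ps`.
    writes = duo_config_requests("userpass", "api-xxxxxxxx.duosecurity.com",
                                 os.environ["DUO_IKEY"], os.environ["DUO_SKEY"],
                                 username_format="%s@example.com",
                                 push_info={"app": "vault", "env": "prod"})
    print(duo_username("%s@example.com", "alice"))
    apply_writes(writes)
```

The `duo/access` write is the one that carries the Duo secret key. When issuing the equivalent `vault write` by hand, prefer `skey=-` (read the value from stdin) or `skey=@file` over pasting the key on the command line, for the same reason the example reads it from the environment.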