login: 2fa: adjust to latest CLI commands

docs/configuration/system/login.rst

@@ -1,8 +1,10 @@
+:lastproofread: 2022-10-15
+
 .. _user_management:
 
-###############
+#####################
-User Management
+Login/User Management
-###############
+#####################
 
 The default VyOS user account (`vyos`), as well as newly created user accounts,
 have all capabilities to configure the system. All accounts have sudo
@@ -100,54 +102,36 @@ The third part is simply an identifier, and is for your own reference.
    * ``http://<host>/<file>`` - Load via HTTP from remote machine
    * ``tftp://<host>/<file>`` - Load via TFTP from remote machine
 
-Example
+MFA/2FA authentication using One-Time-Pad
--------
+-----------------------------------------
 
-In the following example, both `User1` and `User2` will be able to SSH into
+It is possible to enhance authentication security by using the :abbr:`2FA
-VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only
+(Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` feature
-be able to connect from a single IP address.
+together with :abbr:`OTP (One-Time-Pad)` on VyOS. :abbr:`2FA (Two-factor
-
+authentication)`/:abbr:`MFA (Multi-factor authentication)` is configured
-.. code-block:: none
+independently per each user. If an OTP key is configured for a user, 2FA/MFA
-
+is automatically enabled for that particular user. If a user does not have an
-  set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW"
+OTP key configured, there is no 2FA/MFA check for that user.
-  set system login user vyos authentication public-keys 'User1' type ssh-rsa
-  set system login user vyos authentication public-keys 'User1' options "from=&quot;192.168.0.100&quot;"
-  set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3"
-  set system login user vyos authentication public-keys 'User2' type ssh-rsa
-
-2FA with OTP
-============
-
-It is possible to enhance authentication security by using OTP 2FA.
-2FA is configured separately for each user. If an OTP key is configured
-for a user, 2FA automatically starts for that user. If a user does
-not have an OTP key configured, there is no 2FA check for that user.
-
-To enable OTP 2FA for a user with default settings,
-a single command is sufficient:
 
 .. cfgcmd:: set system login user <username> authentication otp key <key>
 
-   Assign the OTP 2FA key (base32 encoded secret) `<key>`
+   Enable OTP 2FA for user `username` with default settings, using the BASE32
-   to the local user `<username>`.
+   encoded 2FA/MFA key specified by `<key>`.
 
-If necessary, a 2FA verification parameters can be changed globally
+Optional/default settings
-(for all users):
+^^^^^^^^^^^^^^^^^^^^^^^^^
 
-.. cfgcmd:: set system login authentication 
+.. cfgcmd:: set system login user <username> authentication otp rate-limit <limit>
-   otp rate-limit <number_of_attempts>
 
-   Limit logins to `<number_of_attempts>` per every `<number_of_seconds>`
+   Limit logins to `<limit>` per every ``rate-time`` seconds. Rate limit must be
-   The rate limit must be between 1 and 10 attempts.
+   between 1 and 10 attempts.
 
-.. cfgcmd:: set system login authentication otp rate-time
+.. cfgcmd:: set system login user <username> authentication otp rate-time <seconds>
-   <number_of_seconds>
 
-   Limit logins to `<number_of_attempts>` per every `<number_of_seconds>`
+   Limit logins to ``rate-limit`` attemps per every `<seconds>`. Rate time must
-   The rate time must be between 15 and 600 seconds.
+   be between 15 and 600 seconds.
 
-.. cfgcmd:: set system login authentication otp
+.. cfgcmd:: set system login user <username> authentication otp window-size <size>
-   window-size <size>
 
    Set window of concurrently valid codes.
 
@@ -165,13 +149,6 @@ If necessary, a 2FA verification parameters can be changed globally
 
    The window size must be between 1 and 21.
 
-Example of enabling 2FA OTP authentication with default parameters:
-
-.. code-block:: none
-   
-   set system login user testuser authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2
-   set system login user testuser authentication plaintext-password My_NotSo_secret_password
-
 RADIUS
 ======
 
@@ -214,7 +191,6 @@ Configuration
    the attribute you will only get regular, non privilegued, system users.
 
 
-
 Login Banner
 ============
 
@@ -232,3 +208,25 @@ information for this system.
 
 .. note:: To create a new line in your login message you need to escape the new
    line character by using ``\\n``.
+
+
+Example
+=======
+
+In the following example, both `User1` and `User2` will be able to SSH into
+VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only
+be able to connect from a single IP address. In addition if password base login
+is wanted for the ``vyos`` user a 2FA/MFA keycode is required in addition to
+the password.
+
+.. code-block:: none
+
+  set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW"
+  set system login user vyos authentication public-keys 'User1' type ssh-rsa
+  set system login user vyos authentication public-keys 'User1' options "from=&quot;192.168.0.100&quot;"
+
+  set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3"
+  set system login user vyos authentication public-keys 'User2' type ssh-rsa
+
+  set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2
+  set system login user vyos authentication plaintext-password vyos