diff --git a/docs/api.md b/docs/api.md index d2e41b11..4883f64a 100644 --- a/docs/api.md +++ b/docs/api.md @@ -32,6 +32,19 @@ print(requests.get( ).text) ``` +Since in the borderline case of the 2FA code lifetime, the code may be invalid, +it makes sense to either handle error 403 by repeating the request in seconds. + +A more correct way is to combine this method and check the remaining lifetime +and postpone the request if there is a second or so left. You can find out how much +time is left in this way: + +```python +totp = pyotp.TOTP(secret) +now = int(time.time()) +remaining = now - (now % totp.interval) +``` + ### Single request auth diff --git a/docs/auth.md b/docs/auth.md index efe9e3c0..42771ec1 100644 --- a/docs/auth.md +++ b/docs/auth.md @@ -3,9 +3,11 @@ PiKVM comes with the following default passwords: * **Linux admin** (SSH, console, etc.): user `root`, password `root`. -* **PiKVM Web Interface, API, VNC...**: user `admin`, password `admin`. +* **PiKVM Web Interface, API, VNC...**: user `admin`, password `admin`, no 2FA code. -**These are two separate entities with independent accounts.** To change passwords, you will need to use the terminal access via SSH or Web Terminal. If you are using the Web Terminal, use the `su -` command to get root access (enter the root user password). +**These are two separate entities with independent accounts.** +To change passwords, you will need to use the terminal access via SSH or Web Terminal. +If you are using the Web Terminal, use the `su -` command to get root access (enter the root user password). ## Linux authentication 
@@ -61,8 +63,11 @@ Steb-by step to enable 2FA: 6. Now, on the PiKVM login page, you will need to add 6 digits to the **2FA code** field. +Now all Web UI users will be required to enter a one-time password. In other words, the secret is the same for all users. + !!! note - With 2FA for API or VNC authentication, you will need to add the one-time code to the password without spaces. That is, if the password is `foobar` and the code is `123456`, then you need to use `foobar123456` as the password. + With 2FA for API or VNC authentication, you will need to add the one-time code to the password without spaces. + That is, if the password is `foobar` and the code is `123456`, then you need to use `foobar123456` as the password. To view the current QR code of the secret use `kvmd-totp show`. diff --git a/docs/faq.md b/docs/faq.md index 715cc5b7..7dd468c7 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -197,7 +197,7 @@ As a first step, we recommend carefully reading our documentation on [GitHub](ht ??? question "What is the default password? How do I change it?" - There are two types of accounts: OS and PiKVM (web interface) accounts. The system account `root` can be used for SSH/UART access and has the password `root`. The web interface account is called `admin` and has the password `admin`. The PiKVM account cannot be used for SSH access and vice versa. + There are two types of accounts: OS and PiKVM (web interface) accounts. The system account `root` can be used for SSH/UART access and has the password `root`. The web interface account is called `admin` and has the password `admin`, no 2FA code. The PiKVM account cannot be used for SSH access and vice versa. To change passwords, use the following commands (under root): 
@@ -209,6 +209,8 @@ As a first step, we recommend carefully reading our documentation on [GitHub](ht ro # Back to read-only ``` + Optionally you can enable the [two-factor authentication](auth.md#two-factor-authentication). + ??? question "How do I add another user?" As stated above you need to make 2 accounts, 1 for the shell, the other for the PiKVM Web UI. diff --git a/docs/first_steps.md b/docs/first_steps.md index ec4b5b82..65901825 100644 --- a/docs/first_steps.md +++ b/docs/first_steps.md @@ -57,7 +57,7 @@ For future examples, let's assume that your PiKVM has received the address **192 ??? example "Access to PiKVM Web Interface" In MOST networks you should be able to reach PiKVM via any browser with the URL `https://192.168.0.100/` OR `https://pikvm/`. Google Chrome (Chromium), Firefox and Safari work best with 0 extensions enabled, if one works but the others do not, this is a browser/extension issue. Its advised you use Private window or Incog mode. Microsoft Edge and Internet Explorer are not supported. - **The default user is `admin` and the password is also `admin`.** After logging in, you will get access to the menu with the main functions. Using the Web terminal, you can change system settings and passwords. + **The default user is `admin`, the password is also `admin`, and no 2FA code.** After logging in, you will get access to the menu with the main functions. Using the Web terminal, you can change system settings and passwords. *The latest versions of Chrome on Mac OS do not allow access to the page with a self signed certificate, which is used in PiKVM by default. You can proceed by typing `thisisunsafe` and Chrome will then load the page.* 
@@ -82,7 +82,7 @@ For future examples, let's assume that your PiKVM has received the address **192 PiKVM comes with the following default passwords: * **Linux admin** (SSH, etc.): user `root`, password `root`. - * **PiKVM Web Interface**: user `admin`, password `admin`. + * **PiKVM Web Interface**: user `admin`, password `admin`, no 2FA code. **These are two separate entities with independent accounts.** To change passwords, you will need to use the terminal (read below) access via SSH or Web Terminal. If you are using the Web Terminal, use the `su -` command to get root access (enter the root user password).
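
Review bot: In docs/api.md, the last line of the added snippet, `remaining = now - (now % totp.interval)`, does not compute the time left. It yields the Unix timestamp at which the current TOTP step began. The seconds remaining in the step are `totp.interval - (now % totp.interval)`. As written, a client that postpones the request when "a second or so" is left would compare against a large timestamp and never postpone, so the borderline 403 the paragraph is trying to avoid still occurs. The first added sentence also needs finishing: "either" has no matching "or", and "repeating the request in seconds" is missing the number of seconds.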
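
Review bot: In docs/auth.md (first hunk), "no 2FA code" is ambiguous in a list headed "default passwords": it can be read as a field value rather than as the state of the feature. Suggest "2FA is disabled by default", so it is clear that the web, API and VNC logins are protected by `admin`/`admin` alone until the steps later on the page are followed. The same phrase is added in docs/faq.md and docs/first_steps.md and should change with it.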
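
Review bot: In docs/auth.md (second hunk), the added sentence "In other words, the secret is the same for all users" presents a separate fact as a restatement of the previous sentence. A single shared TOTP secret is a property readers need stated on its own: the second factor does not distinguish one account from another, and replacing the secret means every user has to enroll again. Suggest dropping "In other words" and saying so directly. "All Web UI users" also reads narrower than the note that follows, which says the code is appended to the password for API and VNC authentication as well.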
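
Review bot: In docs/faq.md (hunk at -209), the added link targets `auth.md#two-factor-authentication`, but no heading with that slug is visible in the auth.md lines this patch touches. Please confirm the anchor matches the section heading so the link does not silently land at the top of the page. Minor wording: "Optionally, you can enable [two-factor authentication](...)" reads better with the comma and without "the".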
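
Review bot: In docs/first_steps.md (hunk at -57), the rewritten bold sentence "The default user is `admin`, the password is also `admin`, and no 2FA code." breaks its parallel structure, because the last clause has no verb. Suggest "The default user is `admin`, the password is also `admin`, and 2FA is disabled by default." This is the first place a new user meets the credentials, so it helps if the sentence states plainly that a password is the only factor out of the box.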