Perforce Public Knowledge Base - Second Factor Authentication Support
Second Factor Authentication Support

Problem
How can I enable Helix users to require second factor authentication?
 
Solution

Helix Versioning Engine 2017.2 includes a Technology Preview feature that allows Helix users to be configured to require second factor authentication on a per-host basis. The 2017.2 release notes describe a Technology Preview feature as follows:

Technology Preview features are currently unsupported, might not be functionally complete, and are not suitable for deployment in production. These features are provided to the customer to solicit interest and feedback, with the goal of full support in future releases. Customers are encouraged to provide feedback and functionality suggestions for Technology Preview features before they become fully supported.

See p4 help 2fa for further details. 


Enabling Second Factor Authentication (Triggers)

To enable second factor authentication, all 3 of the following triggers must be defined:
 
auth-pre-2fa
auth-init-2fa
auth-check-2fa
 
These triggers are a bit more complex than other triggers in that their output will be parsed to inform the server of the next action to take. Example trigger scripts can be found at:
 

All three triggers can expect to receive the username of the user being authenticated and the host they are being authenticated for. Example trigger table entries:

   2fa auth-pre-2fa   auth "ruby okta2fa.rb list  %user% %host%"
   2fa auth-init-2fa  auth "ruby okta2fa.rb init  %user% %host% %method%"
   2fa auth-check-2fa auth "ruby okta2fa.rb check %user% %host% %scheme% %token%"

Enabling Second Factor Authentication (Users)

The user spec's AuthMethod now supports adding an optional 2fa modifier. This must be used with an existing AuthMethod:
 
ldap+2fa
perforce+2fa

Once the 2fa modifier has been added to a user's AuthMethod, that user is required to perform secondary authentication, which is controlled by the triggers. Users run the p4 login2 command to perform second factor authentication.
 

Usage

Standard Users

On the command line, a user who requires second factor authentication is either prompted automatically or shown a message informing them that they must run p4 login2. The p4 login2 command performs an interactive second factor authentication for the current user on the current host, unless they have already validated. This validated state is reset when the user's ticket expires or when the user runs p4 logout. If the user runs p4 logout -a, the second factor authentication status for all of that user's hosts is invalidated. There is no p4 login2 -a, as the user must be validated for each host separately.

To see the current second factor authentication status for the current host, the user may run p4 login2 -s:
 
$ p4 login2 -s
User bruno on host 10.23.8.143: required

To see the current second factor authentication status for all hosts, the user may run p4 login2 -s -a:
 
$ p4 login2 -a -s  
User bruno on host 10.23.8.143: required
User bruno on host 10.5.10.110: required
User bruno on host 10.5.10.211: required

To avoid needing to perform second factor authentication each morning for the same machine, a user can make authentication persistent by running p4 login2 -p:
 
$ p4 login2 -p
Available second factor authentication methods:
1: GOOGLE-token:software:totp
2: OKTA-sms
Enter the number for the chosen method: 1
Use your time based code!
Enter OTP:
Second factor authentication approved.

$ p4 login2 -s
User bruno on host 10.23.8.143: validated persistent

Server administrators can use the auth.2fa.persist server configurable to set the desired persistence configuration:

auth.2fa.persist=0 (disabled - persistent second factor authentication disabled)
auth.2fa.persist=1 (enabled - persistent second factor authentication enabled when users run p4 login2 -p)
auth.2fa.persist=2 (always   - persistent second factor authentication enabled when users run p4 login2)

When second factor authentication status is persistent, the persistence will not be invalidated when the login ticket expires but will be invalidated if the user runs p4 logout.

Super users

Super users with second factor authentication enabled must pass second factor authentication before they can act with their heightened abilities. They may view the second factor authentication status for a given user for the current host by running p4 login2 -s USERNAME:
 
$ p4 login2 -s raj
User raj on host 10.23.8.143: required

Using the -a or -h flag, they can view the second factor authentication status for all hosts or a specific host.

$ p4 login2 -a -s raj
User raj on host 10.23.8.143: required
User raj on host 10.5.10.110: required
User raj on host 10.5.10.211: required

$ p4 login2 -s -h 10.5.10.110 raj
User raj on host 10.5.10.110: required

They can force validation for a user on a specific host by running p4 login2 -h, or on the current host by omitting -h:


$ p4 login2 -h 10.5.10.211 raj
Second factor authentication approved for user raj.
$ p4 login2 -s -h 10.5.10.211 raj
User raj on host 10.5.10.211: validated forced

$ p4 login2 raj
Second factor authentication approved for user raj.
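
An added example (not part of the original article and not Perforce tooling): a shell filter that classifies the p4 login2 -s status lines shown above, so forced and persistent validations can be picked out for review. The function names and tags are hypothetical, the sample lines are constructed from the outputs in this article, and the plain "validated" state is an assumption.

```shell
#!/bin/sh
# Added example: classify `p4 login2 -s` status lines for review.
# Line format as shown in this article:
#   User <name> on host <address>: <state>

# classify_2fa (hypothetical name): stdin -> "<TAG> <user> <host>" per line.
classify_2fa() {
    awk '
    /^User [^ ]+ on host [^ ]+: / {
        user = $2
        host = $5; sub(/:$/, "", host)
        state = $0
        sub(/^User [^ ]+ on host [^ ]+: /, "", state)
        sub(/[ \t\r]+$/, "", state)
        if      (state == "required")             tag = "PENDING"
        else if (state == "validated forced")     tag = "FORCED"      # approved by a super user
        else if (state == "validated persistent") tag = "PERSISTENT"  # survives ticket expiry
        else if (state == "validated")            tag = "OK"          # assumed state, not shown in the article
        else                                      tag = "UNKNOWN"
        print tag, user, host
    }'
}

# count_tag (hypothetical name): count classified lines carrying tag $1.
count_tag() {
    awk -v t="$1" '$1 == t { n++ } END { print n + 0 }'
}

# Constructed sample input; on a live server this would be the output of
# `p4 login2 -a -s USERNAME` run by a super user.
sample_status() {
    cat <<'EOF'
User bruno on host 10.23.8.143: validated persistent
User bruno on host 10.5.10.110: required
User raj on host 10.5.10.211: validated forced
EOF
}

sample_status | classify_2fa
echo "forced: $(sample_status | classify_2fa | count_tag FORCED)"
```

FORCED entries record a super user approving on the user's behalf, and PERSISTENT entries outlive ticket expiry, so both are the lines to compare against the intended auth.2fa.persist setting.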