Add WebAuthn config; Docker single-mount
- Add [webauthn] section to all config examples - Add active WebAuthn config to run/mcias.conf - Update Dockerfile to use /srv/mcias single mount - Add WebAuthn and TOTP sections to RUNBOOK.md - Fix TOTP QR display (template.URL type) - Add --force-rm to docker build in Makefile Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
77
RUNBOOK.md
77
RUNBOOK.md
@@ -322,6 +322,83 @@ mciasdb $CONF audit query --json
|
||||
|
||||
---
|
||||
|
||||
## WebAuthn / Passkey Configuration
|
||||
|
||||
WebAuthn enables passwordless passkey login and hardware security key 2FA.
|
||||
It is **disabled by default** — to enable it, add a `[webauthn]` section to
|
||||
`mcias.toml` with the relying party ID and origin.
|
||||
|
||||
### Enable WebAuthn
|
||||
|
||||
Add to `/srv/mcias/mcias.toml`:
|
||||
|
||||
```toml
|
||||
[webauthn]
|
||||
rp_id = "auth.example.com"
|
||||
rp_origin = "https://auth.example.com"
|
||||
display_name = "MCIAS"
|
||||
```
|
||||
|
||||
- **`rp_id`** — The domain name (no scheme or port). Must match the domain
|
||||
users see in their browser address bar.
|
||||
- **`rp_origin`** — The full HTTPS origin. Include the port if non-standard
|
||||
(e.g., `https://localhost:8443` for development).
|
||||
- **`display_name`** — Shown to users during browser passkey prompts. Defaults
|
||||
to "MCIAS" if omitted.
|
||||
|
||||
Restart the server after changing the config:
|
||||
|
||||
```sh
|
||||
systemctl restart mcias
|
||||
```
|
||||
|
||||
Once enabled, the **Passkeys** section appears on the user's Profile page
|
||||
(self-service enrollment) and on the admin Account Detail page (credential
|
||||
management).
|
||||
|
||||
### Passkey enrollment
|
||||
|
||||
Passkey enrollment is self-service only. Users add passkeys from their
|
||||
**Profile → Passkeys** section. Admins can view and remove passkeys from
|
||||
the Account Detail page but cannot enroll on behalf of users (passkey
|
||||
registration requires the authenticator device to be present).
|
||||
|
||||
### Disable WebAuthn
|
||||
|
||||
Remove or comment out the `[webauthn]` section and restart. Existing
|
||||
credentials remain in the database but are unused. Passkey UI sections
|
||||
will be hidden.
|
||||
|
||||
### Remove all passkeys for an account (break-glass)
|
||||
|
||||
```sh
|
||||
mciasdb --config /srv/mcias/mcias.toml account reset-webauthn --id <UUID>
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## TOTP Two-Factor Authentication
|
||||
|
||||
TOTP enrollment is self-service via the **Profile → Two-Factor Authentication**
|
||||
section. Users enter their current password to begin enrollment, scan the QR
|
||||
code with an authenticator app, and confirm with a 6-digit code.
|
||||
|
||||
### Admin: Remove TOTP for an account
|
||||
|
||||
From the web UI: navigate to the account's detail page and click **Remove**
|
||||
next to the TOTP status.
|
||||
|
||||
From the CLI:
|
||||
|
||||
```sh
|
||||
mciasdb --config /srv/mcias/mcias.toml account reset-totp --id <UUID>
|
||||
```
|
||||
|
||||
This clears the TOTP secret and disables the 2FA requirement. The user can
|
||||
re-enroll from their Profile page.
|
||||
|
||||
---
|
||||
|
||||
## Master Key Rotation
|
||||
|
||||
> This operation is not yet automated. Until a rotation command is
|
||||
|
||||
Reference in New Issue
Block a user