MFA With the Agent
The command-line interface of the Pro Custodibus agent can be used to check the multi-factor authentication state of each of the WireGuard connections managed by the agent, as well as to perform the interactive portion of multi-factor authentication itself.
List Connections
To list the WireGuard connections managed by Pro Custodibus on the host, and view the state of multi-factor authentication for each, run the following command:
$ sudo /opt/venvs/procustodibus-agent/bin/procustodibus-mfa
Interface   Endpoint      ID          State
----------- ------------- ----------- ------------------------------
wg-prod     Prod Server 1 ZSp2TSWJ6Ge EXPIRED
wg-prod     Prod Server 2 63Wa7kQ68oH OK until 01/01/20 01:00:00 PST
wg-dev      Test Server   USBiuu8PBZw -
- The Interface column shows the name of the connection’s WireGuard interface on this host.
- The Endpoint column shows the name of the connection’s remote endpoint.
- The ID column shows the ID of the connection’s remote endpoint.
- The State column shows the MFA state of the connection.
  - The EXPIRED state means the connection requires multi-factor authentication to use.
  - The OK state means the previous multi-factor authentication for the connection is still valid.
  - The - (blank) state means the connection does not require multi-factor authentication.

This command usually requires admin privileges on the host to run (e.g. via sudo), as it uses the agent’s own credentials to query the Pro Custodibus servers.
Check a Connection
To check the MFA state for an individual WireGuard connection, run the following command, with the remote endpoint’s ID as the argument to the --endpoint flag:
$ sudo /opt/venvs/procustodibus-agent/bin/procustodibus-mfa --check --endpoint=ZSp2TSWJ6Ge
EXPIRED
This command outputs one of the following:
- EXPIRED: The connection requires multi-factor authentication to use.
- OK: The connection does not require multi-factor authentication, or the previous multi-factor authentication for the connection is still valid.
- UPDATING: The connection is in the process of being updated.
- UNKNOWN: The connection state is unknown.
This command does not require admin privileges on the host to run, as it does not require authentication.
Authenticate for a Connection
To perform the interactive portion of multi-factor authentication for a WireGuard connection, run the following command, using your Pro Custodibus user ID as the argument to the --auth flag, and the remote endpoint’s ID as the argument to the --endpoint flag:
$ sudo /opt/venvs/procustodibus-agent/bin/procustodibus-mfa --auth=Ahg1opVcGX --endpoint=ZSp2TSWJ6Ge
Password:
Enter your Pro Custodibus password at the prompt. If authentication succeeds, the command will output the duration for which the authentication will remain valid:
OK until 01/01/20 08:00:00 PST
This command usually requires admin privileges on the host to run (e.g. via sudo), as after it performs the multi-factor authentication, it then uses the agent’s own credentials to immediately update the connection’s preshared key.
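
The --check and --auth commands above can be combined so that sudo is only invoked when a connection actually reports EXPIRED. The following wrapper is an added example, not part of the Pro Custodibus agent; its function names, the MFA_BIN, SUDO and MFA_POLL_SECONDS overrides, the five-round retry cap and its exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the Pro Custodibus agent. Function names, the
# MFA_BIN/SUDO/MFA_POLL_SECONDS overrides and the retry cap are assumptions.
MFA_BIN="${MFA_BIN:-/opt/venvs/procustodibus-agent/bin/procustodibus-mfa}"
SUDO="${SUDO-sudo}"

# Print the MFA state of one connection. --check needs no admin privileges.
mfa_state() {
    "$MFA_BIN" --check --endpoint="$1" 2>/dev/null | head -n 1
}

# Map a --check result to an action. Anything other than the documented
# values (including empty output) is treated as unknown, so we fail closed.
classify_state() {
    case "$1" in
        OK)       echo ready ;;
        EXPIRED)  echo authenticate ;;
        UPDATING) echo wait ;;
        *)        echo unknown ;;
    esac
}

# ensure_mfa USER_ID ENDPOINT_ID
# Returns 0 when the connection is usable, 1 if authentication failed,
# 2 if the state is unknown, 3 if it is still not OK after 5 rounds.
ensure_mfa() {
    user=$1 endpoint=$2 tries=0
    while [ "$tries" -lt 5 ]; do
        case "$(classify_state "$(mfa_state "$endpoint")")" in
            ready)        return 0 ;;
            authenticate) $SUDO "$MFA_BIN" --auth="$user" --endpoint="$endpoint" || return 1 ;;
            wait)         sleep "${MFA_POLL_SECONDS:-2}" ;;
            *)            return 2 ;;
        esac
        tries=$((tries + 1))
    done
    return 3
}

# Run directly as: script USER_ID ENDPOINT_ID
if [ "$#" -eq 2 ]; then
    ensure_mfa "$1" "$2"
fi
```

A caller such as a connection start-up script can treat any non-zero exit as "do not route traffic over this interface yet".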