[pve-devel] [PATCH access-control] api: Prevent TFA from being set up for openid users
Markus Frank
m.frank at proxmox.com
Wed Mar 13 14:18:17 CET 2024
Currently it is possible to set up TFA for an OpenID user (as root user),
but it is never requested during the login process for that user.
This patch prevents this and displays an error message with the instruction
to set up TFA using the OpenId server.
Signed-off-by: Markus Frank <m.frank at proxmox.com>
---
src/PVE/API2/TFA.pm | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index 13ffc59..5e7e9eb 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -381,6 +381,13 @@ __PACKAGE__->register_method ({
my ($userid, $realm) =
root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});
+ my $domain_cfg = cfs_read_file('domains.cfg');
+ my $realm_cfg = $domain_cfg->{ids}->{$realm};
+ if ($realm_cfg->{type} eq "openid") {
+ die "Users of the realm '$realm' with type 'openid' cannot use TFA."
+ ." Using the OpenID server to set up TFA is recommended.\n";
+ }
+
my $type = delete $param->{type};
my $value = delete $param->{value};
if ($type eq 'yubico') {
--
2.39.2
More information about the pve-devel
mailing list