[pbs-devel] [RFC backup 0/6] Two factor authentication

Oguz Bektas o.bektas at proxmox.com
Wed Dec 2 13:48:12 CET 2020

On Wed, Dec 02, 2020 at 01:34:25PM +0100, Thomas Lamprecht wrote:
> On 02.12.20 13:27, Thomas Lamprecht wrote:
> > - file could get leaked in a backup etc., giving everyone's tfa secrets
> > and/or recovery keys to attackers (bypass everything)
> for the record, that does *not* "bypass everything", it's a *second* factor
> after all. 

yes "bypass everything" was a bit of an overstatement on my end.. :)

> Further, if recovery keys are hashed they do not leak information.

the totp secrets are stored without hashing or encryption so it'd bypass
that one if the file is leaked etc.

> For others it varies, but I do not like that sort of blanket statement without
> implying any reasonable vector at all, we and most unix systems have such
> information in one place /etc/shadow, our shadow in /etc/pve/ and consorts,
> it needs clear documentation about what files are sensible (you should send a
> patch for that) but that's it.
> (and as said, splitting it up will not avoid leaking all of them in a backup vs. just
> one of it).

i was also thinking if it's a good idea to use a symmetric algorithm to
encrypt the json file with that user's password. it would help in
backup leak or similar cases, but could also be overhead (need to
decrypt/encrypt the file every time it's changed, need to re-encrypt if
user changes password etc.)
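
An added example, not part of this thread or of the Proxmox code, showing the asymmetry discussed above: a recovery key can be verified from a salted hash alone, while TOTP verification has to recompute the code from the raw shared secret, so a copied record yields valid codes. The record layout, the function names and the PBKDF2 parameters are assumptions; the secret is the RFC 6238 test value and the recovery key is constructed.

```python
import base64, hashlib, hmac, secrets, struct

# RFC 6238 test secret ("12345678901234567890"), base32-encoded; sample value only.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1). Needs the raw shared secret on every call."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_recovery_key(key, salt):
    # Assumption: PBKDF2-HMAC-SHA256; the thread does not name a hash.
    return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 100_000)

def new_entry(secret_b32, recovery_keys):
    """Hypothetical per-user record: TOTP secret in the clear, recovery keys hashed."""
    salt = secrets.token_bytes(16)
    return {"totp_secret": secret_b32, "salt": salt,
            "recovery": [hash_recovery_key(k, salt) for k in recovery_keys]}

def verify_totp(entry, code, now, window=1):
    # The server recomputes the code, so it cannot store only a hash of the secret.
    steps = (now + d * 30 for d in range(-window, window + 1))
    return any(hmac.compare_digest(totp(entry["totp_secret"], t).encode(), code.encode())
               for t in steps if t >= 0)

def use_recovery_key(entry, key):
    digest = hash_recovery_key(key, entry["salt"])
    for i, stored in enumerate(entry["recovery"]):
        if stored is not None and hmac.compare_digest(stored, digest):
            entry["recovery"][i] = None  # recovery keys are single use
            return True
    return False

def codes_derivable_from_copy(entry_copy, now):
    """What a leaked copy of the record yields: a valid TOTP code, no recovery key."""
    return totp(entry_copy["totp_secret"], now)

if __name__ == "__main__":
    entry = new_entry(SAMPLE_SECRET, ["constructed-recovery-key-1"])
    print(verify_totp(entry, codes_derivable_from_copy(dict(entry), 59), 59))
    print(use_recovery_key(entry, "constructed-recovery-key-1"))
```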
