[pve-devel] [PATCHSET] less restrictive TFA keys
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Oct 28 12:20:38 CET 2019
This series adds a new format of how we store TFA keys. The reason is
documented in the new format verifier:

# The old format used 16 base32 chars or 40 hex digits. Since they have a common subset it's
# hard to distinguish them without our previous length constraints, so add a 'v2' of the
# format to support arbitrary lengths properly:

New secrets are now prefixed with 'v2-', hexadecimals are still
supported by prefixing the secret itself with '0x' (since '0x' is not
actually valid in base32), e.g. 'v2-0xbeef00d', otherwise it's base32:
'v2-ASDF2345'

Both old and new formats work, so existing configurations stay intact,
also still-cached JS GUIs will keep working fine.

Tested with AndOTP, FreeOTP & Google Authenticator.
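
A sketch of a validator for the two key formats described in this mail, as an added example (it is not code from the patch series). The regular expressions and function names are assumptions written from the description above, and every sample key other than the two quoted in the mail is constructed.

```python
import re

# Assumed patterns, written from the mail's description (not copied from the patch).
LEGACY_BASE32 = re.compile(r"[A-Z2-7]{16}")    # old format: exactly 16 base32 chars
LEGACY_HEX = re.compile(r"[0-9A-Fa-f]{40}")    # old format: exactly 40 hex digits
V2_HEX = re.compile(r"v2-0x([0-9A-Fa-f]+)")    # new format: hex, marked by '0x'
V2_BASE32 = re.compile(r"v2-([A-Z2-7]+)")      # new format: base32, any length

BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")
HEX_ALPHABET = set("0123456789abcdefABCDEF")


def classify_tfa_key(key):
    """Return (format_version, encoding, secret_text) or raise ValueError."""
    # '0' is not in the base32 alphabet, so a '0x' prefix can only mean hex.
    m = V2_HEX.fullmatch(key)
    if m:
        return ("v2", "hex", m.group(1))
    m = V2_BASE32.fullmatch(key)
    if m:
        return ("v2", "base32", m.group(1))
    # Without the 'v2-' prefix only the two fixed legacy lengths are accepted,
    # because length is the only thing that tells the encodings apart there.
    if LEGACY_BASE32.fullmatch(key):
        return ("legacy", "base32", key)
    if LEGACY_HEX.fullmatch(key):
        return ("legacy", "hex", key)
    raise ValueError("not a recognised TFA key format")


def ambiguous_without_length(secret):
    """True if every character is valid in both base32 and hex (A-F, 2-7)."""
    return bool(secret) and set(secret) <= (BASE32_ALPHABET & HEX_ALPHABET)


if __name__ == "__main__":
    # The first two keys are quoted in the mail; the rest are constructed samples.
    for key in ("v2-0xbeef00d", "v2-ASDF2345",
                "ABCDEF234567ABCD", "ABCDEF2345" * 4, "ASDF2345"):
        try:
            print(key, "->", classify_tfa_key(key))
        except ValueError as err:
            print(key, "->", err)
```

The two constructed legacy samples use only characters from the shared subset, so their length alone decides the encoding; the same characters behind 'v2-' are base32 unless '0x' follows the prefix.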