[pve-devel] [PATCH multiple 0/9] PBS-like TFA support in PVE

Wolfgang Bumiller w.bumiller at proxmox.com
Tue Nov 9 12:26:49 CET 2021

This is a bigger TFA upgrade for PVE.

This also contains the code for a new Rust repository which will merge
pve-rs and pmg-rs into 1 git repository.
(git clone currently only available internally as my
`proxmox-perl-rs.git` repository)

Most of the heavy lifting is now performed by the Rust library.
Note that the idea is that PVE and PBS can share this code directly, but
for now the to-be-shared part is directly included here and will become
its own crate after the initial PVE integration, as PBS will require a
few changes (since the code originally hardcoded PBS types/paths/files...).

On the Perl side this contains:

  * A small change to the ticket code to URL-escape colons in
    the ticket data.
    We also do this in PBS, and since we only had usernames or base64
    encoded TFA data in there this should be fine, and we want to store
    JSON data directly there to be compatible with PBS.
  * Webauthn configuration in datacenter.cfg.
    While PBS keeps this in the TFA JSON file, we already have the U2F
    config in datacenter.cfg in PVE, so putting it into datacenter.cfg
    seemed more consistent.
  * This series basically copies PBS' TFA code.
  * Update the login code to use the new workflow.
  * Add the new TFA panel.
  * Change the user TFA button to simply navigate to the new TFA panel
    instead of popping up the old window.
  * Switch to the rust-parse for the TFA config.
  * Update the login code to be more in line with PBS.
  * Add the TFA API we have in PBS via the Rust module.

  @Thomas: This still contains a fixme about verifying the
  pve-access-control versions within the cluster...
