[pve-devel] [PATCH access-control + manager] tfa followup
Wolfgang Bumiller
w.bumiller at proxmox.com
Wed Nov 10 13:48:59 CET 2021
This is a follow up to the previous series doing the following:
Convert the *ancient* user keys (from user.cfg) to new TFA keys
when updating a user's tfa settings.
And support the ancient keys in the authentication code
Currently this causes a tfa & user config to be locked together
(so the lock fns are enforcing an order to avoid deadlocks).
We could *not* do that, but it *may* end up adding the old-old keys
twice... not really something that I'd expect to happen, but whatever,
support for these is most likely going to be dropped in PVE-8 anyway,
then the code handling this can also get dropped.
NOTE:
Since this is about backward support for old code from back when admins
needed to configure the user 2nd factors, the user facing side here is a
bit minimalistic: The old keys will not be visible in the TFA panel
until the user actually makes a change, since they come from different
sources...
BUT, since we're now adding recovery key support, the best option here
is for users to simply add a set of those, which will automatically pull
in the old keys into the new config.
On the pve-manager side: use the existing libjs-qrcode package
More information about the pve-devel
mailing list