[pve-devel] applied-series: [PATCH access-control + manager] tfa followup

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Nov 11 17:06:22 CET 2021

On 10.11.21 13:48, Wolfgang Bumiller wrote:
> This is a follow up to the previous series doing the following:
> Convert the *ancient* user keys (from user.cfg) to new TFA keys
>   when updating a user's tfa settings.
> And support the ancient keys in the authentication code
> Currently this causes a tfa & user config to be locked together
> (so the lock fns are enforcing an order to avoid deadlocks).
> We could *not* do that, but it *may* end up adding the old-old keys
> twice... not really something that I'd expect to happen, but whatever,
> support for these is most likely going to be dropped in PVE-8 anyway,
> then the code handling this can also get dropped.
> Since this is about backward support for old code from back when admins
> needed to configure the user 2nd factors, the user facing side here is a
> bit minimalistic: The old keys will not be visible in the TFA panel
> until the user actually makes a change, since they come from different
> sources...
> BUT, since we're now adding recovery key support, the best option here
> is for users to simply add a set of those, which will automatically pull
> in the old keys into the new config.

ACK, please ensure this info is conveyed clearly in our release notes.

applied series, thanks!

More information about the pve-devel mailing list