[pve-devel] [PATCH access-control v2 0/3] improve tfa config locking

Dominik Csapak d.csapak at proxmox.com
Fri Oct 21 10:31:14 CEST 2022

while we may not want users to login into a non-quorate cluster,
preventing it as a side-effect of locking the tfa config is wrong.

currently there is only one situation where we actually need to lock
the tfa config, namely when using recovery keys, since they have to be
removed from it. so this series changes the tfa code in pve so that
we only lock when the tfa response is a recovery key

changes from v1:
* fix wrong regex
* pass undef explicitely instead of omitting the parameter
* this time tested in both directions:
  user without tfa can login in quorate & non-quorate cluster
  user with non-recovery tfa can login in quorate & non-quorate cluster
  user with recovery tfa can only login in quorate cluser

Dominik Csapak (3):
  authenticate_2nd_new: only lock tfa config for recovery keys
  authenticate_2nd_new: rename $otp to $tfa_response
  authenticate_user: pass undef instead of empty $tfa_challenge to

 src/PVE/AccessControl.pm | 131 +++++++++++++++++++++------------------
 1 file changed, 71 insertions(+), 60 deletions(-)


More information about the pve-devel mailing list