[pve-devel] applied-series: [PATCH access-control v2 0/3] improve tfa config locking
Wolfgang Bumiller
w.bumiller at proxmox.com
Fri Oct 21 10:47:08 CEST 2022
applied series, thanks
On Fri, Oct 21, 2022 at 10:31:14AM +0200, Dominik Csapak wrote:
> while we may not want users to login into a non-quorate cluster,
> preventing it as a side-effect of locking the tfa config is wrong.
>
> currently there is only one situation where we actually need to lock
> the tfa config, namely when using recovery keys, since they have to be
> removed from it. so this series changes the tfa code in pve so that
> we only lock when the tfa response is a recovery key
>
> changes from v1:
> * fix wrong regex
> * pass undef explicitely instead of omitting the parameter
> * this time tested in both directions:
> user without tfa can login in quorate & non-quorate cluster
> user with non-recovery tfa can login in quorate & non-quorate cluster
> user with recovery tfa can only login in quorate cluser
>
> Dominik Csapak (3):
> authenticate_2nd_new: only lock tfa config for recovery keys
> authenticate_2nd_new: rename $otp to $tfa_response
> authenticate_user: pass undef instead of empty $tfa_challenge to
> authenticate_2nd_new
>
> src/PVE/AccessControl.pm | 131 +++++++++++++++++++++------------------
> 1 file changed, 71 insertions(+), 60 deletions(-)
>
> --
> 2.30.2
More information about the pve-devel
mailing list