[pve-devel] [PATCH access-control] api: Prevent TFA from being set up for openid users
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon Jul 1 13:27:57 CEST 2024
doesn't apply anymore!
On March 13, 2024 2:18 pm, Markus Frank wrote:
> Currently it is possible to set up TFA for an OpenID user (as root user),
> but it is never requested during the login process for that user.
> This patch prevents this and displays an error message with the instruction
> to set up TFA using the OpenId server.
>
> Signed-off-by: Markus Frank <m.frank at proxmox.com>
> ---
> src/PVE/API2/TFA.pm | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
> index 13ffc59..5e7e9eb 100644
> --- a/src/PVE/API2/TFA.pm
> +++ b/src/PVE/API2/TFA.pm
> @@ -381,6 +381,13 @@ __PACKAGE__->register_method ({
> my ($userid, $realm) =
> root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});
>
> + my $domain_cfg = cfs_read_file('domains.cfg');
> + my $realm_cfg = $domain_cfg->{ids}->{$realm};
> + if ($realm_cfg->{type} eq "openid") {
> + die "Users of the realm '$realm' with type 'openid' cannot use TFA."
> + ." Using the OpenID server to set up TFA is recommended.\n";
> + }
> +
> my $type = delete $param->{type};
> my $value = delete $param->{value};
> if ($type eq 'yubico') {
> --
> 2.39.2
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
More information about the pve-devel
mailing list