[pve-devel] [PATCH access-control] api: Prevent TFA from being set up for openid users

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Jul 1 13:27:57 CEST 2024


doesn't apply anymore!

On March 13, 2024 2:18 pm, Markus Frank wrote:
> Currently it is possible to set up TFA for an OpenID user (as root user),
> but it is never requested during the login process for that user.
> This patch prevents this and displays an error message with the instruction
> to set up TFA using the OpenId server.
> 
> Signed-off-by: Markus Frank <m.frank at proxmox.com>
> ---
>  src/PVE/API2/TFA.pm | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
> index 13ffc59..5e7e9eb 100644
> --- a/src/PVE/API2/TFA.pm
> +++ b/src/PVE/API2/TFA.pm
> @@ -381,6 +381,13 @@ __PACKAGE__->register_method ({
>  	my ($userid, $realm) =
>  	    root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});
>  
> +	my $domain_cfg = cfs_read_file('domains.cfg');
> +	my $realm_cfg = $domain_cfg->{ids}->{$realm};
> +	if ($realm_cfg->{type} eq "openid") {
> +	    die "Users of the realm '$realm' with type 'openid' cannot use TFA."
> +		." Using the OpenID server to set up TFA is recommended.\n";
> +	}
> +
>  	my $type = delete $param->{type};
>  	my $value = delete $param->{value};
>  	if ($type eq 'yubico') {
> -- 
> 2.39.2
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 




More information about the pve-devel mailing list