From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH access-control + manager] tfa followup
Date: Wed, 10 Nov 2021 13:48:59 +0100 [thread overview]
Message-ID: <20211110124904.164053-1-w.bumiller@proxmox.com> (raw)
This is a follow up to the previous series doing the following:
Convert the *ancient* user keys (from user.cfg) to new TFA keys
when updating a user's tfa settings.
And support the ancient keys in the authentication code
Currently this causes a tfa & user config to be locked together
(so the lock fns are enforcing an order to avoid deadlocks).
We could *not* do that, but it *may* end up adding the old-old keys
twice... not really something that I'd expect to happen, but whatever,
support for these is most likely going to be dropped in PVE-8 anyway,
then the code handling this can also get dropped.
NOTE:
Since this is about backward support for old code from back when admins
needed to configure the user 2nd factors, the user facing side here is a
bit minimalistic: The old keys will not be visible in the TFA panel
until the user actually makes a change, since they come from different
sources...
BUT, since we're now adding recovery key support, the best option here
is for users to simply add a set of those, which will automatically pull
in the old keys into the new config.
On the pve-manager side: use the existing libjs-qrcode package
next reply other threads:[~2021-11-10 12:49 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-10 12:48 Wolfgang Bumiller [this message]
2021-11-10 12:49 ` [pve-devel] [PATCH access-control 1/4] assert tfa/user config lock order Wolfgang Bumiller
2021-11-10 12:49 ` [pve-devel] [PATCH access-control 2/4] check enforced realm tfa type in new auth Wolfgang Bumiller
2021-11-10 12:49 ` [pve-devel] [PATCH access-control 3/4] d/control: add liburi-perl dependency Wolfgang Bumiller
2021-11-10 12:49 ` [pve-devel] [PATCH access-control 4/4] merge old user.cfg keys to tfa config when adding entries Wolfgang Bumiller
2021-11-10 12:49 ` [pve-devel] [PATCH manager] depend on and use libjs-qrcodejs Wolfgang Bumiller
2021-11-11 7:38 ` [pve-devel] applied: " Thomas Lamprecht
2021-11-11 16:06 ` [pve-devel] applied-series: [PATCH access-control + manager] tfa followup Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211110124904.164053-1-w.bumiller@proxmox.com \
--to=w.bumiller@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal