* [pve-devel] [PATCH pve-access-control] api2: ticket: don't require TFA if the only one is disabled
@ 2022-04-11  7:09 Hannes Laimer
  2022-04-13  9:01 ` Wolfgang Bumiller
  0 siblings, 1 reply; 2+ messages in thread
From: Hannes Laimer @ 2022-04-11  7:09 UTC (permalink / raw)
  To: pve-devel

If TFA was added and disabled afterwards it was not possible to log in
again.

Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
This was reported on the forum.

 src/PVE/API2/AccessControl.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 5d78c6f..8a272b4 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -172,12 +172,12 @@ my sub create_ticket_do : prototype($$$$$$) {
     my $ticket_data = $username;
     my $aad;
     if ($new_format) {
-	if (defined($tfa_info)) {
+	if (defined($tfa_info) && $tfa_info ne '{}') {
 	    $extra{NeedTFA} = 1;
 	    $ticket_data = "!tfa!$tfa_info";
 	    $aad = $username;
 	}
-    } elsif (defined($tfa_info)) {
+    } elsif (defined($tfa_info) && $tfa_info ne '{}') {
 	$extra{NeedTFA} = 1;
 	if ($tfa_info->{type} eq 'u2f') {
 	    my $u2finfo = $tfa_info->{data};
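Review bot: the `$tfa_info ne '{}'` test added on the `elsif` line cannot take effect in that branch: three lines later the same value is dereferenced as a hash (`$tfa_info->{type} eq 'u2f'`), so there `$tfa_info` is a hash reference, which stringifies to `HASH(0x...)` and never equals `'{}'`, and the non-`$new_format` path still sets `NeedTFA` for a user whose only factor is disabled. In the `$new_format` branch the value is interpolated into the ticket (`$ticket_data = "!tfa!$tfa_info";`), so it is the serialized challenge and the comparison does work, but only for the exact `{}` serialization; a challenge serialized with different spacing or with explicit empty fields would still require TFA. Checking emptiness on the decoded challenge in both branches, or having the producer of the challenge return undef when no enabled factor exists, would cover both paths without depending on a particular string representation.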
-- 
2.30.2

* Re: [pve-devel] [PATCH pve-access-control] api2: ticket: don't require TFA if the only one is disabled
  2022-04-11  7:09 [pve-devel] [PATCH pve-access-control] api2: ticket: don't require TFA if the only one is disabled Hannes Laimer
@ 2022-04-13  9:01 ` Wolfgang Bumiller
  0 siblings, 0 replies; 2+ messages in thread
From: Wolfgang Bumiller @ 2022-04-13  9:01 UTC (permalink / raw)
  To: Hannes Laimer; +Cc: pve-devel

On Mon, Apr 11, 2022 at 07:09:09AM +0000, Hannes Laimer wrote:
> If TFA was added and disabled afterwards it was not possible to log in
> again.
> 
> Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
> ---
> This was reported on the forum.
> 
>  src/PVE/API2/AccessControl.pm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
> index 5d78c6f..8a272b4 100644
> --- a/src/PVE/API2/AccessControl.pm
> +++ b/src/PVE/API2/AccessControl.pm
> @@ -172,12 +172,12 @@ my sub create_ticket_do : prototype($$$$$$) {
>      my $ticket_data = $username;
>      my $aad;
>      if ($new_format) {
> -	if (defined($tfa_info)) {
> +	if (defined($tfa_info) && $tfa_info ne '{}') {

While this will work for PVE, this challenge object originates from
the proxmox-tfa crate's `api` submodule and if we update it there it'll
work for all products.

Basically all the `is_empty()` checks in there should be audited and,
where it makes sense, updated to include the 'enabled' states, so that
TfaUserData::challenge returns `Ok(None)` if no *enabled* 2nd factor
exists.
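The distinction the reply draws, between "does any entry exist" and "does any enabled entry exist", is easy to get wrong when each factor carries its own enabled flag. The following is an added illustration and not proxmox-tfa's code: the struct, field and method names (`TfaEntry`, `TfaUserData`, `Challenge`, `challenge_by_emptiness`) are assumptions chosen for the example, not the crate's real API. It models a user whose only TOTP entry has been disabled and contrasts an `is_empty()`-based check, which still produces a challenge, with one that returns `None` when no enabled second factor exists.

```rust
// Added example, not proxmox-tfa's code. All type and field names here
// are assumptions for illustration; the real crate's API differs.

/// One configured second factor. `enabled` is the per-entry switch that
/// an emptiness check ignores; a disabled entry must not trigger a challenge.
#[derive(Debug, Clone, PartialEq)]
pub struct TfaEntry {
    pub id: String,
    pub enabled: bool,
}

/// Simplified challenge: which factor kinds the client may answer with.
#[derive(Debug, Clone, PartialEq, Default)]
pub struct Challenge {
    pub totp: bool,
    pub recovery: bool,
}

/// Hypothetical per-user TFA record (stand-in for the crate's TfaUserData).
#[derive(Debug, Default)]
pub struct TfaUserData {
    pub totp: Vec<TfaEntry>,
    pub recovery: Vec<TfaEntry>,
}

impl TfaUserData {
    /// Behaviour the thread describes as buggy: only "are there entries?"
    /// is checked, so a user whose only factor is disabled still receives
    /// a challenge they cannot answer and is locked out.
    pub fn challenge_by_emptiness(&self) -> Option<Challenge> {
        if self.totp.is_empty() && self.recovery.is_empty() {
            return None;
        }
        Some(Challenge {
            totp: !self.totp.is_empty(),
            recovery: !self.recovery.is_empty(),
        })
    }

    /// True if at least one entry of this kind is switched on.
    fn any_enabled(entries: &[TfaEntry]) -> bool {
        entries.iter().any(|e| e.enabled)
    }

    /// Behaviour the reviewer asks for: a kind counts only if it has an
    /// enabled entry, and `None` is returned when no enabled factor exists,
    /// so the caller never sets NeedTFA for such a user.
    pub fn challenge(&self) -> Option<Challenge> {
        let totp = Self::any_enabled(&self.totp);
        let recovery = Self::any_enabled(&self.recovery);
        if !totp && !recovery {
            return None;
        }
        Some(Challenge { totp, recovery })
    }
}

/// Constructed sample: the forum case, a user whose only TOTP entry
/// was added and then disabled.
pub fn sample_user_with_disabled_totp() -> TfaUserData {
    TfaUserData {
        totp: vec![TfaEntry { id: "totp-1".into(), enabled: false }],
        recovery: Vec::new(),
    }
}

fn main() {
    let user = sample_user_with_disabled_totp();
    println!("emptiness check: {:?}", user.challenge_by_emptiness());
    println!("enabled check:   {:?}", user.challenge());
}
```

Deciding "no enabled factor" where the challenge is built, as `challenge` does above, means every caller that maps `None` to "no TFA required" gets the right answer without inspecting the serialized challenge.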
