From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Dominik Csapak <d.csapak@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: [pve-devel] applied-series: [PATCH access-control v2 0/3] improve tfa config locking
Date: Fri, 21 Oct 2022 10:47:08 +0200 [thread overview]
Message-ID: <20221021084708.gofpdrpph2xjeoso@wobu-vie.proxmox.com> (raw)
In-Reply-To: <20221021083117.1239396-1-d.csapak@proxmox.com>
applied series, thanks
On Fri, Oct 21, 2022 at 10:31:14AM +0200, Dominik Csapak wrote:
> while we may not want users to login into a non-quorate cluster,
> preventing it as a side-effect of locking the tfa config is wrong.
>
> currently there is only one situation where we actually need to lock
> the tfa config, namely when using recovery keys, since they have to be
> removed from it. so this series changes the tfa code in pve so that
> we only lock when the tfa response is a recovery key
>
> changes from v1:
> * fix wrong regex
> * pass undef explicitely instead of omitting the parameter
> * this time tested in both directions:
> user without tfa can login in quorate & non-quorate cluster
> user with non-recovery tfa can login in quorate & non-quorate cluster
> user with recovery tfa can only login in quorate cluser
>
> Dominik Csapak (3):
> authenticate_2nd_new: only lock tfa config for recovery keys
> authenticate_2nd_new: rename $otp to $tfa_response
> authenticate_user: pass undef instead of empty $tfa_challenge to
> authenticate_2nd_new
>
> src/PVE/AccessControl.pm | 131 +++++++++++++++++++++------------------
> 1 file changed, 71 insertions(+), 60 deletions(-)
>
> --
> 2.30.2
prev parent reply other threads:[~2022-10-21 8:47 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-21 8:31 [pve-devel] " Dominik Csapak
2022-10-21 8:31 ` [pve-devel] [PATCH access-control v2 1/3] authenticate_2nd_new: only lock tfa config for recovery keys Dominik Csapak
2022-10-21 11:29 ` Thomas Lamprecht
2022-10-21 11:38 ` Dominik Csapak
2022-10-21 8:31 ` [pve-devel] [PATCH access-control v2 2/3] authenticate_2nd_new: rename $otp to $tfa_response Dominik Csapak
2022-10-21 8:31 ` [pve-devel] [PATCH access-control v2 3/3] authenticate_user: pass undef instead of empty $tfa_challenge to authenticate_2nd_new Dominik Csapak
2022-10-21 8:47 ` Wolfgang Bumiller [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221021084708.gofpdrpph2xjeoso@wobu-vie.proxmox.com \
--to=w.bumiller@proxmox.com \
--cc=d.csapak@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.