From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Wolfgang Bumiller <w.bumiller@proxmox.com>
Subject: [pve-devel] applied-series: [PATCH access-control + manager] tfa followup
Date: Thu, 11 Nov 2021 17:06:22 +0100 [thread overview]
Message-ID: <626676e8-de70-e1af-8c83-e4ac556443f3@proxmox.com> (raw)
In-Reply-To: <20211110124904.164053-1-w.bumiller@proxmox.com>
On 10.11.21 13:48, Wolfgang Bumiller wrote:
> This is a follow up to the previous series doing the following:
> Convert the *ancient* user keys (from user.cfg) to new TFA keys
> when updating a user's tfa settings.
> And support the ancient keys in the authentication code
>
> Currently this causes a tfa & user config to be locked together
> (so the lock fns are enforcing an order to avoid deadlocks).
> We could *not* do that, but it *may* end up adding the old-old keys
> twice... not really something that I'd expect to happen, but whatever,
> support for these is most likely going to be dropped in PVE-8 anyway,
> then the code handling this can also get dropped.
>
> NOTE:
> Since this is about backward support for old code from back when admins
> needed to configure the user 2nd factors, the user facing side here is a
> bit minimalistic: The old keys will not be visible in the TFA panel
> until the user actually makes a change, since they come from different
> sources...
>
> BUT, since we're now adding recovery key support, the best option here
> is for users to simply add a set of those, which will automatically pull
> in the old keys into the new config.
ACK, please ensure this info is conveyed clearly in our release notes.
applied series, thanks!
prev parent reply other threads:[~2021-11-11 16:06 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-10 12:48 [pve-devel] " Wolfgang Bumiller
2021-11-10 12:49 ` [pve-devel] [PATCH access-control 1/4] assert tfa/user config lock order Wolfgang Bumiller
2021-11-10 12:49 ` [pve-devel] [PATCH access-control 2/4] check enforced realm tfa type in new auth Wolfgang Bumiller
2021-11-10 12:49 ` [pve-devel] [PATCH access-control 3/4] d/control: add liburi-perl dependency Wolfgang Bumiller
2021-11-10 12:49 ` [pve-devel] [PATCH access-control 4/4] merge old user.cfg keys to tfa config when adding entries Wolfgang Bumiller
2021-11-10 12:49 ` [pve-devel] [PATCH manager] depend on and use libjs-qrcodejs Wolfgang Bumiller
2021-11-11 7:38 ` [pve-devel] applied: " Thomas Lamprecht
2021-11-11 16:06 ` Thomas Lamprecht [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=626676e8-de70-e1af-8c83-e4ac556443f3@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=w.bumiller@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.