From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <t.lamprecht@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 8ED8861128
 for <pbs-devel@lists.proxmox.com>; Wed,  2 Dec 2020 14:15:58 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 824BB1C1BA
 for <pbs-devel@lists.proxmox.com>; Wed,  2 Dec 2020 14:15:58 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [212.186.127.180])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 093C81C1B0
 for <pbs-devel@lists.proxmox.com>; Wed,  2 Dec 2020 14:15:58 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id B77A044812
 for <pbs-devel@lists.proxmox.com>; Wed,  2 Dec 2020 14:15:57 +0100 (CET)
To: Proxmox Backup Server development discussion
 <pbs-devel@lists.proxmox.com>, Wolfgang Bumiller <w.bumiller@proxmox.com>
References: <20201119145608.16866-1-w.bumiller@proxmox.com>
 <20201202105650.GA7591@gaia.proxmox.com>
 <4c361a22-5caa-db5e-66b9-046638048fd5@proxmox.com>
 <20201202123556.GE7591@gaia.proxmox.com>
 <1961513443.536.1606913516008@webmail.proxmox.com>
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Message-ID: <b97fdbd4-13d7-4fa6-e327-2369e58e7ef4@proxmox.com>
Date: Wed, 2 Dec 2020 14:15:56 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101
 Thunderbird/84.0
MIME-Version: 1.0
In-Reply-To: <1961513443.536.1606913516008@webmail.proxmox.com>
Content-Type: text/plain; charset=UTF-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.075 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 NICE_REPLY_A           -0.001 Looks like a legit reply (A)
 RCVD_IN_DNSWL_MED        -2.3 Sender listed at https://www.dnswl.org/,
 medium trust
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pbs-devel] [RFC backup 0/6] Two factor authentication
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 13:15:58 -0000

On 02.12.20 13:51, Wolfgang Bumiller wrote:
>> On 12/02/2020 1:35 PM Oguz Bektas <o.bektas@proxmox.com> wrote:
>>
>> =20
>> On Wed, Dec 02, 2020 at 01:27:47PM +0100, Thomas Lamprecht wrote:
>>>> 2. do not store recovery codes in cleartext (hash them instead, we t=
hought
>>>> hmac-sha256 is fine). the reason being that recovery codes can bypas=
s
>>>> other tfa methods so they shouldn't be visible
>>>
>>> make sense, would expect them to be hashed
>=20
> FWIW TOTP secrets can't be hashes since they're supposed to be,
> well, a shared secret

yeah sure, above talks about recovery keys though.

>=20
>>>>
>>>> 3. don't store all the tfa information in a single json file.
>>>>
>>>
>>> makes no sense to me, any reason you mention below can happen to arbi=
trary
>>> files, so just adds complexity while not gaining anything.
>=20
> Complexity is the wrong argument. The question is mainly whether we pre=
fer
> lots of small or one big file. For PBS it's not even that important. It=
'll
> be more important when we add bindings for this to PVE where the file s=
izes
> are limited.

No complexity is seldom the wrong argument, it may not be enough on its o=
wn though.

>=20
> With a file per user it's also easier for an admin to work on the files=

> directly. And if we want to add counters, limitations or eg. store date=
 & ip
> of the last time an entry was used, we won't be locking one big file at=
 login
> time. Not that I expect millions of concurrent logins to be happening ;=
-)

We create a confusing split view, all user info are concentrated into sin=
gle files
per type, user.cfg, acl.cfg, shadow.json, etc. just TFA wants to be a uni=
corn and
split it up in files per user - seems rather inconsistent.

And, admins should resort to working on files directly as a last measurem=
ent, CLI
tools and the GUI should be preferred, *always*, so that's a moot point.