From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <w.bumiller@proxmox.com> Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 179937E475 for <pve-devel@lists.proxmox.com>; Wed, 10 Nov 2021 13:49:36 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 090481BFCF for <pve-devel@lists.proxmox.com>; Wed, 10 Nov 2021 13:49:06 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id F246B1BF5F for <pve-devel@lists.proxmox.com>; Wed, 10 Nov 2021 13:49:04 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id C0C6D44BBE for <pve-devel@lists.proxmox.com>; Wed, 10 Nov 2021 13:49:04 +0100 (CET) From: Wolfgang Bumiller <w.bumiller@proxmox.com> To: pve-devel@lists.proxmox.com Date: Wed, 10 Nov 2021 13:48:59 +0100 Message-Id: <20211110124904.164053-1-w.bumiller@proxmox.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.491 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH access-control + manager] tfa followup X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com> List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe> List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/> List-Post: <mailto:pve-devel@lists.proxmox.com> List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help> List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe> X-List-Received-Date: Wed, 10 Nov 2021 12:49:36 -0000 This is a follow up to the previous series doing the following: Convert the *ancient* user keys (from user.cfg) to new TFA keys when updating a user's tfa settings. And support the ancient keys in the authentication code Currently this causes a tfa & user config to be locked together (so the lock fns are enforcing an order to avoid deadlocks). We could *not* do that, but it *may* end up adding the old-old keys twice... not really something that I'd expect to happen, but whatever, support for these is most likely going to be dropped in PVE-8 anyway, then the code handling this can also get dropped. NOTE: Since this is about backward support for old code from back when admins needed to configure the user 2nd factors, the user facing side here is a bit minimalistic: The old keys will not be visible in the TFA panel until the user actually makes a change, since they come from different sources... BUT, since we're now adding recovery key support, the best option here is for users to simply add a set of those, which will automatically pull in the old keys into the new config. On the pve-manager side: use the existing libjs-qrcode package