public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] [PATCH access-control + manager] tfa followup
@ 2021-11-10 12:48 Wolfgang Bumiller
  2021-11-10 12:49 ` [pve-devel] [PATCH access-control 1/4] assert tfa/user config lock order Wolfgang Bumiller
                   ` (5 more replies)
  0 siblings, 6 replies; 8+ messages in thread
From: Wolfgang Bumiller @ 2021-11-10 12:48 UTC (permalink / raw)
  To: pve-devel

This is a follow up to the previous series doing the following:
Convert the *ancient* user keys (from user.cfg) to new TFA keys
  when updating a user's tfa settings.
And support the ancient keys in the authentication code

Currently this causes a tfa & user config to be locked together
(so the lock fns are enforcing an order to avoid deadlocks).
We could *not* do that, but it *may* end up adding the old-old keys
twice... not really something that I'd expect to happen, but whatever,
support for these is most likely going to be dropped in PVE-8 anyway,
then the code handling this can also get dropped.

NOTE:
Since this is about backward support for old code from back when admins
needed to configure the user 2nd factors, the user facing side here is a
bit minimalistic: The old keys will not be visible in the TFA panel
until the user actually makes a change, since they come from different
sources...

BUT, since we're now adding recovery key support, the best option here
is for users to simply add a set of those, which will automatically pull
in the old keys into the new config.

On the pve-manager side: use the existing libjs-qrcode package




^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2021-11-11 16:06 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-10 12:48 [pve-devel] [PATCH access-control + manager] tfa followup Wolfgang Bumiller
2021-11-10 12:49 ` [pve-devel] [PATCH access-control 1/4] assert tfa/user config lock order Wolfgang Bumiller
2021-11-10 12:49 ` [pve-devel] [PATCH access-control 2/4] check enforced realm tfa type in new auth Wolfgang Bumiller
2021-11-10 12:49 ` [pve-devel] [PATCH access-control 3/4] d/control: add liburi-perl dependency Wolfgang Bumiller
2021-11-10 12:49 ` [pve-devel] [PATCH access-control 4/4] merge old user.cfg keys to tfa config when adding entries Wolfgang Bumiller
2021-11-10 12:49 ` [pve-devel] [PATCH manager] depend on and use libjs-qrcodejs Wolfgang Bumiller
2021-11-11  7:38   ` [pve-devel] applied: " Thomas Lamprecht
2021-11-11 16:06 ` [pve-devel] applied-series: [PATCH access-control + manager] tfa followup Thomas Lamprecht

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal