public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] [PATCH access-control 0/3] improve tfa config locking
@ 2022-10-20 13:14 Dominik Csapak
  2022-10-20 13:14 ` [pve-devel] [PATCH access-control 1/3] authenticate_2nd_new: only lock tfa config for recovery keys Dominik Csapak
                   ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: Dominik Csapak @ 2022-10-20 13:14 UTC (permalink / raw)
  To: pve-devel

intended as a replacement for my previous patch: [0]

while we may not want users to login into a non-quorate cluster,
preventing it as a side-effect of locking the tfa config is wrong.

currently there is only one situation where we actually need to lock
the tfa config, namely when using recovery keys, since they have to be
removed from it. so this series changes the tfa code in pve so that
we only lock when the tfa response is a recovery key

an alternative approach to this would be to implement a 'needs save'
check in rust and call that with the tfa-response, but we can still do
that later

patches 2 and 3 are debatable, but i found it makes the code a bit clearer

my suggestion for the 'let users not login in non-quorate cluster' would
be to maybe add a flag to the users that must be explicitely enabled
for them to login, so that e.g. some admin users can always login, but
normal users cannot (i got no real feedback on that idea in the
conversation of the last version of this sadly..)

0: https://lists.proxmox.com/pipermail/pve-devel/2022-September/053939.html

Dominik Csapak (3):
  authenticate_2nd_new: only lock tfa config for recovery keys
  authenticate_2nd_new: rename $otp to $tfa_response
  authenticate_user: don't give empty $tfa_challenge to
    authenticate_2nd_new

 src/PVE/AccessControl.pm | 131 +++++++++++++++++++++------------------
 1 file changed, 71 insertions(+), 60 deletions(-)

-- 
2.30.2





^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2022-10-21 11:32 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-20 13:14 [pve-devel] [PATCH access-control 0/3] improve tfa config locking Dominik Csapak
2022-10-20 13:14 ` [pve-devel] [PATCH access-control 1/3] authenticate_2nd_new: only lock tfa config for recovery keys Dominik Csapak
2022-10-21  8:03   ` Wolfgang Bumiller
2022-10-20 13:14 ` [pve-devel] [PATCH access-control 2/3] authenticate_2nd_new: rename $otp to $tfa_response Dominik Csapak
2022-10-20 13:14 ` [pve-devel] [PATCH access-control 3/3] authenticate_user: don't give empty $tfa_challenge to authenticate_2nd_new Dominik Csapak
2022-10-21  8:04   ` Wolfgang Bumiller
2022-10-21  8:06 ` [pve-devel] [PATCH access-control 0/3] improve tfa config locking Wolfgang Bumiller
2022-10-21 11:32   ` Thomas Lamprecht

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal