From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Dominik Csapak <d.csapak@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH access-control 0/3] improve tfa config locking
Date: Fri, 21 Oct 2022 10:06:56 +0200 [thread overview]
Message-ID: <20221021080656.5ermtpjivpe7izjd@wobu-vie.proxmox.com> (raw)
In-Reply-To: <20221020131412.3493343-1-d.csapak@proxmox.com>
On Thu, Oct 20, 2022 at 03:14:09PM +0200, Dominik Csapak wrote:
> intended as a replacement for my previous patch: [0]
>
> while we may not want users to login into a non-quorate cluster,
> preventing it as a side-effect of locking the tfa config is wrong.
>
> currently there is only one situation where we actually need to lock
> the tfa config, namely when using recovery keys, since they have to be
> removed from it. so this series changes the tfa code in pve so that
> we only lock when the tfa response is a recovery key
>
> an alternative approach to this would be to implement a 'needs save'
> check in rust and call that with the tfa-response, but we can still do
> that later
>
> patches 2 and 3 are debatable, but i found it makes the code a bit clearer
>
> my suggestion for the 'let users not login in non-quorate cluster' would
> be to maybe add a flag to the users that must be explicitely enabled
> for them to login, so that e.g. some admin users can always login, but
> normal users cannot (i got no real feedback on that idea in the
> conversation of the last version of this sadly..)
I think it makes sense. Eg. you may not want to expose ssh access
publicly but need the UI - then at least root could access the shell
over the UI to fix stuff, while for other users we can never be sure
they're actually still valid. Although we could argue @pam users should
be allowed to login as well, since those are machine-local after all?
But as far as I'm concerned, even root@pam-only for non-quorate nodes
would make enough sense.
next prev parent reply other threads:[~2022-10-21 8:07 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-20 13:14 Dominik Csapak
2022-10-20 13:14 ` [pve-devel] [PATCH access-control 1/3] authenticate_2nd_new: only lock tfa config for recovery keys Dominik Csapak
2022-10-21 8:03 ` Wolfgang Bumiller
2022-10-20 13:14 ` [pve-devel] [PATCH access-control 2/3] authenticate_2nd_new: rename $otp to $tfa_response Dominik Csapak
2022-10-20 13:14 ` [pve-devel] [PATCH access-control 3/3] authenticate_user: don't give empty $tfa_challenge to authenticate_2nd_new Dominik Csapak
2022-10-21 8:04 ` Wolfgang Bumiller
2022-10-21 8:06 ` Wolfgang Bumiller [this message]
2022-10-21 11:32 ` [pve-devel] [PATCH access-control 0/3] improve tfa config locking Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221021080656.5ermtpjivpe7izjd@wobu-vie.proxmox.com \
--to=w.bumiller@proxmox.com \
--cc=d.csapak@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox