From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Dominik Csapak <d.csapak@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: [pve-devel] applied-series: [PATCH access-control v2 0/3] improve tfa config locking
Date: Fri, 21 Oct 2022 10:47:08 +0200 [thread overview]
Message-ID: <20221021084708.gofpdrpph2xjeoso@wobu-vie.proxmox.com> (raw)
In-Reply-To: <20221021083117.1239396-1-d.csapak@proxmox.com>
applied series, thanks
On Fri, Oct 21, 2022 at 10:31:14AM +0200, Dominik Csapak wrote:
> while we may not want users to login into a non-quorate cluster,
> preventing it as a side-effect of locking the tfa config is wrong.
>
> currently there is only one situation where we actually need to lock
> the tfa config, namely when using recovery keys, since they have to be
> removed from it. so this series changes the tfa code in pve so that
> we only lock when the tfa response is a recovery key
>
> changes from v1:
> * fix wrong regex
> * pass undef explicitely instead of omitting the parameter
> * this time tested in both directions:
> user without tfa can login in quorate & non-quorate cluster
> user with non-recovery tfa can login in quorate & non-quorate cluster
> user with recovery tfa can only login in quorate cluser
>
> Dominik Csapak (3):
> authenticate_2nd_new: only lock tfa config for recovery keys
> authenticate_2nd_new: rename $otp to $tfa_response
> authenticate_user: pass undef instead of empty $tfa_challenge to
> authenticate_2nd_new
>
> src/PVE/AccessControl.pm | 131 +++++++++++++++++++++------------------
> 1 file changed, 71 insertions(+), 60 deletions(-)
>
> --
> 2.30.2
prev parent reply other threads:[~2022-10-21 8:47 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-21 8:31 [pve-devel] " Dominik Csapak
2022-10-21 8:31 ` [pve-devel] [PATCH access-control v2 1/3] authenticate_2nd_new: only lock tfa config for recovery keys Dominik Csapak
2022-10-21 11:29 ` Thomas Lamprecht
2022-10-21 11:38 ` Dominik Csapak
2022-10-21 8:31 ` [pve-devel] [PATCH access-control v2 2/3] authenticate_2nd_new: rename $otp to $tfa_response Dominik Csapak
2022-10-21 8:31 ` [pve-devel] [PATCH access-control v2 3/3] authenticate_user: pass undef instead of empty $tfa_challenge to authenticate_2nd_new Dominik Csapak
2022-10-21 8:47 ` Wolfgang Bumiller [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221021084708.gofpdrpph2xjeoso@wobu-vie.proxmox.com \
--to=w.bumiller@proxmox.com \
--cc=d.csapak@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox