From: Markus Frank
To: pve-devel@lists.proxmox.com
Date: Wed, 13 Mar 2024 14:18:17 +0100
Message-Id: <20240313131817.1476164-1-m.frank@proxmox.com>
Subject: [pve-devel] [PATCH access-control] api: Prevent TFA from being set up for openid users

Currently it is possible to set up TFA for an OpenID user (as root user), but it is never requested during the login process for that user. This patch prevents this and displays an error message with the instruction to set up TFA using the OpenID server.

Signed-off-by: Markus Frank
--- src/PVE/API2/TFA.pm | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm index 13ffc59..5e7e9eb 100644 --- a/src/PVE/API2/TFA.pm +++ b/src/PVE/API2/TFA.pm @@ -381,6 +381,13 @@ __PACKAGE__->register_method ({ my ($userid, $realm) = root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password}); + my $domain_cfg = cfs_read_file('domains.cfg'); + my $realm_cfg = $domain_cfg->{ids}->{$realm}; + if ($realm_cfg->{type} eq "openid") { + die "Users of the realm '$realm' with type 'openid' cannot use TFA." + ." Using the OpenID server to set up TFA is recommended.\n"; + } + my $type = delete $param->{type}; my $value = delete $param->{value}; if ($type eq 'yubico') { -- 2.39.2
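Review bot: `$realm_cfg` is dereferenced without checking that `$realm` actually has an entry in domains.cfg; unless `root_permission_check` already guarantees the realm exists, `$realm_cfg->{type}` is undefined for an unknown realm and the `eq "openid"` comparison only produces an uninitialized-value warning instead of a clear error. Consider `die "unknown realm '$realm'\n" if !$realm_cfg;` before the type check, or fold it in as `if ($realm_cfg && $realm_cfg->{type} eq 'openid')`. A one-line comment above the block stating why OpenID realms are excluded (TFA is never requested at login for them, as the commit message explains) would also help the next reader understand that this is a deliberate policy check and not a missing feature.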