From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id AD9198AC2B for ; Fri, 21 Oct 2022 13:32:45 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 9169421848 for ; Fri, 21 Oct 2022 13:32:15 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Fri, 21 Oct 2022 13:32:15 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id CB5E544B0E for ; Fri, 21 Oct 2022 13:32:14 +0200 (CEST) Message-ID: <347b1c97-95e4-5248-13a3-8a39ae389cf9@proxmox.com> Date: Fri, 21 Oct 2022 13:32:14 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:106.0) Gecko/20100101 Thunderbird/106.0 Content-Language: en-GB To: Proxmox VE development discussion , Wolfgang Bumiller , Dominik Csapak References: <20221020131412.3493343-1-d.csapak@proxmox.com> <20221021080656.5ermtpjivpe7izjd@wobu-vie.proxmox.com> From: Thomas Lamprecht In-Reply-To: <20221021080656.5ermtpjivpe7izjd@wobu-vie.proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.034 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.001 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH access-control 0/3] improve tfa config locking X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Oct 2022 11:32:45 -0000 Am 21/10/2022 um 10:06 schrieb Wolfgang Bumiller: >> my suggestion for the 'let users not login in non-quorate cluster' would >> be to maybe add a flag to the users that must be explicitely enabled >> for them to login, so that e.g. some admin users can always login, but >> normal users cannot (i got no real feedback on that idea in the >> conversation of the last version of this sadly..) > > I think it makes sense. Eg. you may not want to expose ssh access > publicly but need the UI - then at least root could access the shell > over the UI to fix stuff, while for other users we can never be sure > they're actually still valid. Although we could argue @pam users should > be allowed to login as well, since those are machine-local after all? > But as far as I'm concerned, even root@pam-only for non-quorate nodes > would make enough sense. That's something else than the flag Dominik proposed though, would special case @pam yet another time, but at least it has some arguments and make more sense than we do for the host shell... Biggest benefit, no config required at all. So yeah that in form of an implementation and docs patch would be nice.