From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 85E7C92FD3 for ; Thu, 15 Sep 2022 14:41:14 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 755B51881B for ; Thu, 15 Sep 2022 14:40:44 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 15 Sep 2022 14:40:43 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 11E7744421; Thu, 15 Sep 2022 14:40:43 +0200 (CEST) Message-ID: <5fb8bc75-3517-086f-5389-983e1d80e890@proxmox.com> Date: Thu, 15 Sep 2022 14:40:42 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Thunderbird/105.0 Content-Language: en-US To: Thomas Lamprecht , Proxmox VE development discussion References: <20220914134235.3707811-1-d.csapak@proxmox.com> <28056eb0-7712-00a6-b342-b2bbb4fa2279@proxmox.com> From: Dominik Csapak In-Reply-To: <28056eb0-7712-00a6-b342-b2bbb4fa2279@proxmox.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.878 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -1.583 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: Re: [pve-devel] [RFC PATCH access-control] loosen locking restriction for users without tfa configured X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Sep 2022 12:41:14 -0000 On 9/15/22 12:43, Thomas Lamprecht wrote: > Am 14/09/2022 um 15:42 schrieb Dominik Csapak: >> The downside is that we cannot authenticate users anymore without quorum >> (since locking requires write access to pmxcfs), even for users without >> tfa configured (and also for clusters without any tfa configured at all) > > question is more if we should disallow login on unquorate clusters for all > but root@pam, as for all others you cannot be sure if they still got the > permissions and for the pve realm the credentials are still correct, or > if the non-existing TFA entry is still up-to-date (the quorate partition > could have TFA configured for that user since cluster split). fair point, but then we'd also have to deny api requests in general for non root@pam users when the cluster is not quorate, otherwise they can continue making requests with existing tickets (aside creating a new one) > > root@pam is a hard-coded super admin and verified via PAM, which normally > should be pmxcfs, and thus quorum, independent, at least if nobody was crazy > enough to link /etc/shadow to a file in pmxcfs or wrote a PAM that works > on pmxcfs info in other ways. AFAICS a user can't do anything on a non quorate cluster that wouldn't be possible over ssh for example ? since most operations already need the cluster to be quorate (aside from things such as network configuration, which might be the exact reason why the cluster is not quorate, so the admin/user wants to fix it) so imho @pam could be allowed in general, but for the other realms it's very much a design decision. just to note: before accidentally breaking such logins by locking the tfa config, we always let users login, regardless of cluster quorum state