From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <t.lamprecht@proxmox.com> Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 970CF7EF18 for <pve-devel@lists.proxmox.com>; Thu, 11 Nov 2021 17:06:53 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 8DC06F0C1 for <pve-devel@lists.proxmox.com>; Thu, 11 Nov 2021 17:06:23 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 1C441F0B3 for <pve-devel@lists.proxmox.com>; Thu, 11 Nov 2021 17:06:23 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id EA03142E6D for <pve-devel@lists.proxmox.com>; Thu, 11 Nov 2021 17:06:22 +0100 (CET) Message-ID: <626676e8-de70-e1af-8c83-e4ac556443f3@proxmox.com> Date: Thu, 11 Nov 2021 17:06:22 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Thunderbird/95.0 Content-Language: en-US To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>, Wolfgang Bumiller <w.bumiller@proxmox.com> References: <20211110124904.164053-1-w.bumiller@proxmox.com> From: Thomas Lamprecht <t.lamprecht@proxmox.com> In-Reply-To: <20211110124904.164053-1-w.bumiller@proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.128 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] applied-series: [PATCH access-control + manager] tfa followup X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com> List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe> List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/> List-Post: <mailto:pve-devel@lists.proxmox.com> List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help> List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe> X-List-Received-Date: Thu, 11 Nov 2021 16:06:53 -0000 On 10.11.21 13:48, Wolfgang Bumiller wrote: > This is a follow up to the previous series doing the following: > Convert the *ancient* user keys (from user.cfg) to new TFA keys > when updating a user's tfa settings. > And support the ancient keys in the authentication code > > Currently this causes a tfa & user config to be locked together > (so the lock fns are enforcing an order to avoid deadlocks). > We could *not* do that, but it *may* end up adding the old-old keys > twice... not really something that I'd expect to happen, but whatever, > support for these is most likely going to be dropped in PVE-8 anyway, > then the code handling this can also get dropped. > > NOTE: > Since this is about backward support for old code from back when admins > needed to configure the user 2nd factors, the user facing side here is a > bit minimalistic: The old keys will not be visible in the TFA panel > until the user actually makes a change, since they come from different > sources... > > BUT, since we're now adding recovery key support, the best option here > is for users to simply add a set of those, which will automatically pull > in the old keys into the new config. ACK, please ensure this info is conveyed clearly in our release notes. applied series, thanks!