while we may not want users to login into a non-quorate cluster,
preventing it as a side-effect of locking the tfa config is wrong.
currently there is only one situation where we actually need to lock
the tfa config, namely when using recovery keys, since they have to be
removed from it. so this series changes the tfa code in pve so that
we only lock when the tfa response is a recovery key
changes from v1:
* fix wrong regex
* pass undef explicitely instead of omitting the parameter
* this time tested in both directions:
user without tfa can login in quorate & non-quorate cluster
user with non-recovery tfa can login in quorate & non-quorate cluster
user with recovery tfa can only login in quorate cluser
Dominik Csapak (3):
authenticate_2nd_new: only lock tfa config for recovery keys
authenticate_2nd_new: rename $otp to $tfa_response
authenticate_user: pass undef instead of empty $tfa_challenge to
authenticate_2nd_new
src/PVE/AccessControl.pm | 131 +++++++++++++++++++++------------------
1 file changed, 71 insertions(+), 60 deletions(-)
--
2.30.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
