Currently it is possible to set up TFA for an OpenID user (as root user),
but it is never requested during the login process for that user.
This patch prevents this and displays an error message with the instruction
to set up TFA using the OpenId server.
Signed-off-by: Markus Frank <m.fr...@proxmox.com>
---
src/PVE/API2/TFA.pm | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index 13ffc59..5e7e9eb 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -381,6 +381,13 @@ __PACKAGE__->register_method ({
my ($userid, $realm) =
root_permission_check($rpcenv, $authuser, $param->{userid},
$param->{password});
+ my $domain_cfg = cfs_read_file('domains.cfg');
+ my $realm_cfg = $domain_cfg->{ids}->{$realm};
+ if ($realm_cfg->{type} eq "openid") {
+ die "Users of the realm '$realm' with type 'openid' cannot use TFA."
+ ." Using the OpenID server to set up TFA is recommended.\n";
+ }
+
my $type = delete $param->{type};
my $value = delete $param->{value};
if ($type eq 'yubico') {
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
