intended as a replacement for my previous patch: [0] while we may not want users to login into a non-quorate cluster, preventing it as a side-effect of locking the tfa config is wrong.
currently there is only one situation where we actually need to lock the tfa config, namely when using recovery keys, since they have to be removed from it. so this series changes the tfa code in pve so that we only lock when the tfa response is a recovery key an alternative approach to this would be to implement a 'needs save' check in rust and call that with the tfa-response, but we can still do that later patches 2 and 3 are debatable, but i found it makes the code a bit clearer my suggestion for the 'let users not login in non-quorate cluster' would be to maybe add a flag to the users that must be explicitely enabled for them to login, so that e.g. some admin users can always login, but normal users cannot (i got no real feedback on that idea in the conversation of the last version of this sadly..) 0: https://lists.proxmox.com/pipermail/pve-devel/2022-September/053939.html Dominik Csapak (3): authenticate_2nd_new: only lock tfa config for recovery keys authenticate_2nd_new: rename $otp to $tfa_response authenticate_user: don't give empty $tfa_challenge to authenticate_2nd_new src/PVE/AccessControl.pm | 131 +++++++++++++++++++++------------------ 1 file changed, 71 insertions(+), 60 deletions(-) -- 2.30.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
