proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-10-04 14:18:28 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

catch incompatible tfa entries with a nice error

Browse Source 
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2021-11-17 12:34:40 +01:00
parent 92bca71e86
commit 93c1d74a62
2 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/PVE/API2/TFA.pm
View File

@ -185,6 +185,9 @@ __PACKAGE__->register_method({
if (!defined($tfa_type)) { if (!defined($tfa_type)) {
raise('no u2f data available'); raise('no u2f data available');
} }
if ($tfa_type eq 'incompatible') {
raise('tfa entries incompatible with old login api');
}
eval { eval {
if ($tfa_type eq 'u2f') { if ($tfa_type eq 'u2f') {

4
src/PVE/AccessControl.pm
View File

@ -741,7 +741,9 @@ sub authenticate_2nd_old : prototype($$$) {
my ($type, $tfa_data) = user_get_tfa($username, $realm, 0); my ($type, $tfa_data) = user_get_tfa($username, $realm, 0);
if ($type) { if ($type) {
if ($type eq 'u2f') { if ($type eq 'incompatible') {
die "old login api disabled, user has incompatible TFA entries\n";
} elsif ($type eq 'u2f') {
# Note that if the user did not manage to complete the initial u2f registration # Note that if the user did not manage to complete the initial u2f registration
# challenge we have a hash containing a 'challenge' entry in the user's tfa.cfg entry: # challenge we have a hash containing a 'challenge' entry in the user's tfa.cfg entry:
$tfa_data = undef if exists $tfa_data->{challenge}; $tfa_data = undef if exists $tfa_data->{challenge};